A new Android banking Trojan named LokiBot has been identified by security researchers from SfyLabs. The malicious software works similarly to other Android banking Trojans, but it turns into ransomware and locks the user’s device as soon as they try to remove its admin privileges.
The malware mainly works on Android 4.0 and higher versions of the operating system. It targets mobile banking applications as well as non-banking applications like WhatsApp, Skype, Outlook and other social media apps.
LokiBot shows fake login screens on popular apps during installation. Whenever the user tries to stop it or remove the administrator privileges, it instantly triggers its ransomware behaviour.
In addition, LokiBot has a unique way of hijacking the mobile’s web browser. This helps the malware download and install a SOCKS5 proxy, which helps it redirect outgoing traffic as well as take control of the SMS functionality.
According to Bleeping Computer, LokiBot shows fake notifications to confuse users and make them think that they have received money in their bank account from some unknown sources. This confusion is likely to prompt users to open the mobile banking application and log in to their accounts. The moment a user taps the notification, the malware shows the phishing overlay instead of the real application.
Luckily for victims, the ransomware routine is not implemented correctly. The malware also has several loopholes that make it unable to encrypt users’ personal files and data.
However, an affected phone’s screen will still get locked, with a message asking for a payment of $70 to $100. In such a situation, the way out for a victim is to boot into Safe Mode and remove LokiBot’s admin user and the infected application.