LokiBot Banking Trojan Attacks Android Devices as Ransomware

Although it seldom looks like it, Android devices are a lot safer than desktop computers, as they are less susceptible to malware infections. However, it does not mean that cyber criminals are overlooking this growing market. With the likes of LokiBot Trojan, even Android users are now left on edge, afraid they might get infected with something very nasty. The good news is that it is possible to remove LokiBot from the affected system, and some of the program’s functions seem to be half-assed. Nevertheless, it may take some help from a professional to get your device back to normal.

What is LokiBot Trojan?

You may find this infection listed under different names. There are news articles that call LokiBot Trojan, Ransomware, and Hybrid Android Malware. If we go back to the beginning and see when this program was first detected, we will see that that LokiBot was first discovered on April 25, 2017. The program was then cataloged as Trojan that affects Windows OS. However, ever since then the Trojan has evolved into a new type of infection that can affect Android devices, too. And one of the worst aspects of its distribution is that almost anyone could make use of this hybrid infection, as long as they know how to.

Albeit it is hard to point out who exactly developed this infection, we know for sure that it is for sale on the Dark Web for about $2,000 in Bitcoin. Dark Web is a part of the Internet that exists on overlay networks and darknets. Users need specific authorization to access that network. It offers anonymity, and so a lot of illegal transactions and operations do take place on Dark Web. Most of the hidden service is related to the drug market, but malware is also often sold and rented on Dark Web, too.

How does LokiBot work?

Android Trojans may spread in several ways. There are at least two major distribution vectors we could mention. First, it could enter the target system via a phishing SMS or MMS. We are talking here about messages that usually require users to click outgoing links, and by clicking them, users get infected with malware. Also, users could be tricked into installing hacked apps that should help them access specific websites, but instead they simply infect the system with malware. Therefore, users have to be well-informed about the ways malware spreads, and they have to be ready to repel these attacks anytime.

As far as LokiBot is concerned, this banking Trojan is called “hybrid malware” because it has ransomware features. The infection turns into ransomware when users try to remove it by taking away the admin privileges. When that happens, the infection locks your device’s screen and displays a message which says that “Your phone is locked for viewing child pornography.” It also requires that you pay from $70 to $100 to unlock your device. According to various news reports, so far this banking Trojan managed to collect more than $1.5m in Bitcoin. However, security experts do not think that this haul consists mostly of ransom payments. It is far more likely that the infection stole money in some other way because it can do a lot more than just lock your screen.

Before we go down to the LokiBot infection’s features, we would like to point out that the program cannot really encrypt your files properly. While the program seems to be using the AES encryption algorithm, reports suggest that during the “encryption” the infection merely renames your files because it encrypts and then decrypts them immediately. So at least that is not the part you have to worry about (too much).

Multi-tasking LokiBot Banking Trojan

When we take a closer look at the extensive list of the things LokiBot can do, it is no surprise that the infection managed to rake so much money so far. The thing that catches one’s attention the most is the fact that this program targets popular Android apps like Skype, WhatsApp, and Outlook. When an app is compromised, the Trojan displays a fake login screen (while the user may not know it is a fake!), and by entering their login credentials, users help this Trojan steal their personal data. As far as we know, the program targets more than 119 banking and other types of Android apps, and it is compatible with Android 4.0 and higher.

Aside from that, LokiBot can also steal your contacts and perform overlay attacks. An overlay attack is a type of malicious action that exploits Android vulnerabilities. This type of attack happens when a fake app or system window is placed over a legitimate window. Basically, users think that they interact with a reliable application, but instead they are tricked into interacting with the fake window, thus giving the criminals what they want. You may end up giving a malicious program important system admin privileges or your personal data.

If that were not enough, this Android Trojan can also read and send SMS, consequently spamming people in your address book with phishing messages and spreading the infection further. It can also steal your browsing history, open your mobile browser without your permission, and even install SOCKS5 proxy to redirect your traffic. In other words, it can take over your device and your network connection. All of this boils down to a few other features that are just as disturbing: For instance, LokiBot can open your banking application and require your login credentials. It can also initiate phishing attacks, all of which is performed for further financial gain.

LokiBot Banking Trojan Removal

Security experts say that it is not hard to remove LokiBot Trojan, as long as you know which app has been compromised. While the program locks your screen, you can still access your system if you boot your device in Safe Mode. After that, you need to remove the admin user permissions this Trojan has, and then delete the app that was infected by malware. This all sounds rather simple, but it could be overwhelming for regular users. Therefore, you can always contact professional technicians to help you with the removal, and you should never hesitate to do just that!


  1. Robert Abel. LokiBot Android Banking Trojan turns into ransomware in last ditch effort. SCMagazine.
  2. Caroline. LokiBot: Hackers made over $1.5m with new Android banking malware that turns into ransomware. DeathRattleSports.
  3. Cercescu Andrei. LokiBot Hybrid Android Malware Is with $2,000 on the Dark Web. eTeknix.
  4. Karan Kumar Sharma. This Android malware named LokiBot turns ransomware whenever you try to remove it. International Business Times.