{"id":9786,"date":"2017-11-02T19:49:30","date_gmt":"2017-11-02T15:49:30","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=9786"},"modified":"2019-11-15T15:23:42","modified_gmt":"2019-11-15T11:23:42","slug":"lokibot-trojan","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/lokibot-trojan\/9786\/","title":{"rendered":"LokiBot: If not stealing, then extorting"},"content":{"rendered":"

Remember the Hydra of ancient mythology? The many-headed serpent that grew two heads when one was chopped off? A similarly dangerous beast has appeared<\/a> in the Android malware zoo.<\/p>\n

<\/strong><\/p>\n

LokiBot as a banking Trojan<\/h2>\n

<\/p>\n

How do ordinary banking Trojans behave? They present the user with a fake screen that simulates the mobile banking interface. Unsuspecting victims enter their login credentials, which the malware redirects to the attackers, giving them access to the accounts.<\/p>\n

How does LokiBot behave? Roughly the same way, but it simulates not only a banking app screen, but also WhatsApp, Skype, and Outlook client interfaces, displaying notifications purporting to come from these applications.<\/p>\n

This means that a person can receive a fake notification, supposedly from their bank, saying that funds have been transferred to their account, and seeing the good news. then log in to the mobile banking client for confirmation. LokiBot even makes the smartphone vibrate when it displays the notification about the alleged transfer, which helps hoodwink even clued-in users.<\/p>\n

But LokiBot has other tricks in store: It can open a browser, navigate to specific pages, and even use an infected device to send spam, which is basically how it distributes itself. Having pinched money from your account, LokiBot keeps going, sending a malicious SMS to all contacts in the phone book to infect as many smartphones and tablets as possible, and even replying to incoming messages if necessary.<\/p>\n

If an attempt is made to remove LokiBot, the malware reveals another facet: To steal funds from a bank account, it needs administrator rights; if you try to deny it permission, it mutates from a banking Trojan into ransomware.<\/p>\n

<\/strong><\/p>\n

LokiBot as ransomware. How to unlock infected smartphone<\/h3>\n

In this case, LokiBot locks the screen and displays a message accusing the victim of viewing child pornography and demanding ransom; it also encrypts data on the device. Examining LokiBot\u2019s code, researchers discovered that it uses weak encryption and doesn\u2019t work properly; the attack leaves unencrypted copies of all files on the device, only under different names, so restoring the files is relatively simple.<\/p>\n

However, the device screen is still locked, and the malware creators ask for about $100 in Bitcoin to unlock it. But you don\u2019t have to oblige: After rebooting the device in safe mode, you can strip<\/a> the malware of administrator rights and delete it. To do so, you first need to determine which version of Android you have:<\/p>\n