LokiBot Android Banking Trojan Turns Into Ransomware [source: bleepingcomputer]
by CIRT Team
Security researchers have spotted a new Android banking trojan named LokiBot that turns into ransomware and locks users’ phones when they try to remove its admin privileges.
The malware is more banking trojan than ransomware — according to SfyLabs researchers, the ones who discovered it — and is used for this purpose primarily.
Just like similar Android banking trojans, LokiBot works by showing fake login screens on top of popular apps. LokiBot targets mobile banking apps by design, but also popular non-banking apps such as Skype, Outlook, and WhatsApp.
LokiBot sold online for $2,000
Similar to Svpeng, CryEye, DoubleLocker, ExoBot, and other recent Android malware families, LokiBot is also sold online on hacking forums. The price for a full LokiBot license is $2,000, paid in Bitcoin.
LokiBot has its own unique features compared to other Android banking trojans. For starters, it can open a mobile browser and load an URL and will install a SOCKS5 proxy to redirect outgoing traffic.
It can also automatically reply to SMS messages and send SMS messages to all of the victim’s contacts, a feature most likely used to send SMS spam and infect new users.
Last but not least, LokiBot can also show “fake” notifications disguised as coming from other apps. The malware uses this feature to trick users into thinking they’ve received money in their bank account and open the mobile banking app. When the user taps the notification, Lokibot shows the phishing overlay instead of the real app.
For more, click here.