Criminals Are Selling LokiBot, the First Hybrid Android Malware, for $2,000 on the Dark Web


Another day, another Android trojan... The trend of diabolical malware continues as security researchers have revealed a new Android banking trojan that can transform into ransomware. Dubbed LokiBot, the malware works primarily as a banking trojan but turns into ransomware if users try to remove its admin privileges.

SfyLabs security researchers have published a report revealing that LokiBot is being sold on the dark web for $2,000 worth of bitcoins. The malware works similarly to other popular malicious programs, relying on phishing: it shows fake login screens on top of popular, trusted apps like Skype, WhatsApp and banking apps, and the banking trojan is activated on the target device after asking for administrator privileges.

Affecting Android 4.0 and higher, LokiBot has all the standard capabilities of an Android banking trojan, including:

  • Overlay attacks
  • Stealing the victim's contacts
  • Reading and sending SMS messages
  • Spamming all contacts with SMS messages as a means of spreading the infection
  • Uploading the browser history to the criminals' servers
  • And finally, locking the phone as a last resort for making money if the user tries to remove it

What sets LokiBot apart, however, is how it transforms into ransomware and encrypts data when a user tries to stop or remove it.

LokiBot fails at encrypting files, but succeeds at extracting ransom from users

The malware makers demand $2,000 in bitcoins for their product; however, the ransomware functionality hasn't been fully implemented yet, as it fails to encrypt data correctly. "The encryption function in this ransomware utterly fails, because even though the original files are deleted, the encrypted file is decrypted and written back to itself," SfyLabs wrote.

"Thus, victims won't lose their files, they are only renamed."

While the data may not get encrypted, the user does get locked out of their phone by a ransom note demanding between $70 and $100 and displaying the message: "Your phone is locked for viewing child pornography." Booting into Safe Mode and removing the infected app and its admin privileges lets users regain access to their devices.

A number of users may have fallen for this banking trojan/ransomware, as the group has managed to make over $1.5 million in bitcoins. "Based on the BTC addresses that are used in the source code it seems that the actors behind this new Android malware are successful cybercriminals with over 1.5 million dollars in BTC," SfyLabs said.

Technical details of LokiBot, the linked bitcoin wallets and the list of targeted apps are published here.