Android LokiBot Variant Turns Into Faulty Ransomware

There is a new variant of the LokiBot banking trojan targeting Android devices, which attempts to encrypt files and lock the device when a user attempts to remove it. The main attack vector is an overlay attack, primarily on banking apps but also on a number of other popular apps (Outlook, Skype, WhatsApp, etc). Once installed the malware prompts a user for administrative rights.

Threat ID:: CC-1743
Category:: ransomware
Threat Severity:: Low
Threat Vector:: Download
Published:: 1 November 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Android

Android 4.0 or higher

Threat details

The main attack vector is an overlay attack, primarily on banking apps but also on a number of other popular apps (Outlook, Skype, WhatsApp, etc). Once installed the malware prompts a user for administrative rights. LokiBot is able to steal contact and SMS data alongside banking information. It is also capable of opening internet browsers and loading URLs, redirecting outgoing traffic using a SOCKS5 proxy, sending SMS messages to contacts as a way of infecting new users and presenting fake notifications in order to phish the user further.If a user attempts to delete LokiBot or remove its administrator privileges it will trigger its "Go_Crypt" function, This locks the user's screen, encrypts files with an AES128 algorithm and asks for a ransom between 70-100USD. Fortunately this function is faulty and device files are only renamed, however the lock screen may lead users to believe otherwise.

Remediation steps

Type	Step
	To remove the lock screen and access a device, users must boot into Safe Mode and remove LokiBot's administrator privileges and delete the infected app. To prevent and detect a Trojan infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. All day to day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from infected machines should be reset on a clean computer

Type

Step

To remove the lock screen and access a device, users must boot into Safe Mode and remove LokiBot's administrator privileges and delete the infected app.

To prevent and detect a Trojan infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
All day to day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from infected machines should be reset on a clean computer

Last edited: 14 February 2020 2:56 pm