This malware turns itself into ransomware if you try to remove it

IT security researchers at SfyLabs have discovered an Android banking malware called LokiBot that converts itself into a fully fledged ransomware once the targeted victim tries to remove it from the infected device.

The malware has been in the news since June this year, but since its developers keep coming up with additional features, it has become a quite nasty piece of malware stealing personal and financial information from tons of banking apps and other popular apps including Outlook Skype and WhatsApp.

“Combine this with the fact that LokiBot can show notifications which seem to come from other apps, containing, for example, a message that new funds have been deposited to the victim’s account and interesting phishing attack scenarios arise! The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack,” SfyLabs researchers said in a blog post.

Researchers call it “The first hybrid Android malware”

Currently, LokiBot is targeting Android devices running on version 4.0 or later but its capability of stealing data is not limited to apps mentioned above. LokiBot can also steal contact details from a targeted devices, read and send SMS messages, spread itself by spamming the contact list, send victim’s browser history to command and control center and most importantly, its capable of turning itself into ransomware if the victim decides to remove the malware.

“To top it off there is an option to lock the phone preventing the user from accessing it,” researchers added.

It does it by locking the device, encrypting all of its files and demanding a ransom of $70 – $100 in Bitcoin within 48 hours. The ransomware note threatens victims that their “phone is locked for viewing child pornography” and displays links to websites from where the payment can be sent to cybercriminals.

This malware turns itself into ransomware if you try to remove it
Screenshot of the ransom note (Credit: SfyLabs)

Researchers also noticed that the BTC addresses provided by cybercriminals to send the ransom payments already had transactions worth 1.5 million dollars in BTC. However, it is very unlikely that the actors behind this malware have gained this amount of money using only LokiBot.

Android users are urged not to download third-party apps or unnecessary apps on their device. Moreover, install a reliable mobile security product. As for LokiBot, the full list of apps targeted by this malware is available here.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.