LokiBot

Banking trojan with a ransomware failsafe. Discovered by SfyLabs (now ThreatFabric) in 2017 and sold on underground forums for $2,000 in Bitcoin. When a victim attempted to remove Device Admin privileges, LokiBot activated a ransomware module that locked the device and attempted to encrypt files. The ransomware component was buggy and only renamed files rather than encrypting them. CISA issued advisory AA20-266A about LokiBot in 2020 due to continued prevalence.

Overview

| Property | Value |
|---|---|
| First Seen | Early 2017 |
| Type | Banking trojan with ransomware fallback |
| Attribution | Underground forum sale ($2,000 BTC) |
| Aliases | Trojan-Banker.AndroidOS.Loki (Kaspersky) |

Not the Windows LokiBot

The Android LokiBot is distinct from the Windows LokiBot information stealer, despite sharing a name.

Distribution

Sold on underground forums. Distributed via phishing SMS, malicious links, and third-party app stores. By mid-2017, 30-40 active botnets of 100-2,000 bots each had been observed.

Capabilities

| Capability | Implementation |
|---|---|
| Overlay attacks | Fake login screens over banking apps, Skype, Outlook, WhatsApp |
| Phishing notifications | Used original app icons with device vibration to draw attention |
| SMS interception | 2FA bypass |
| SOCKS5 proxy | Traffic redirection through the victim device |
| Contact harvesting | Exfiltrated device contacts |
| Ransomware trigger | Activated on Device Admin removal attempt (buggy: renamed files instead of encrypting) |

Ransomware Behavior

The ransomware module was a failsafe against removal:

  1. User attempts to revoke Device Admin privileges
  2. LokiBot detects the revocation attempt
  3. Ransomware module activates, locking the device
  4. File "encryption" attempts (buggy implementation only renames files)

This combined banking-trojan-plus-ransomware model was relatively unusual. Most subsequent families specialized in one or the other.

| Family | Relationship |
|---|---|
| MysteryBot | 2018 successor using the same C2 infrastructure, designed for Android 7/8 compatibility |