
LokiBot Android Banking Trojan turns into ransomware in last-ditch effort

An Android banking trojan dubbed LokiBot turns into ransomware when users try to remove its admin privileges, in a last-ditch effort to extort the user.

The malware is sold online for $2,000 worth of Bitcoin and comes with its own unique features, such as the ability to open a mobile browser and load a URL and the ability to install a SOCKS5 proxy to redirect outgoing traffic, according to an Oct. 24 blog post.

The malware can also reply to SMS messages, start a user's banking application, open a given web page and show notifications that seem to come from other apps, enabling phishing attacks.

Researchers said an interesting feature is the malware's ransomware capabilities.

“This ransomware triggers when you try to remove LokiBot from the infected device by revoking its administrative rights,” the post said. “It won't go down without a fight and will encrypt all your files in the external storage as a last resort to steal money from you, as you need to pay Bitcoins to decrypt your files.”

Once the ransomware is activated, it starts searching for all the files and directories in the primary shared or external storage directory and encrypts files using AES. The encryption function was described as an utter failure because, even though the original files are deleted, the encrypted file is decrypted and written back to itself, resulting in files merely being renamed.

The screen locker function, however, works and will lock the victim's screen using the administrative permissions it gained from the user when the malware was first started.

Bleeping Computer researchers reported the screen locker can be removed by booting the device into Safe Mode and removing LokiBot's admin user permission and the LokiBot-infected app.

Researchers said LokiBot is targeting at least 119 banking and popular apps. The malware works on Android 4.0 and higher, and at least 30 to 40 samples, with bot counts varying between 100 and 2,000 bots, have been spotted in the wild since early summer 2017.
