Try to Remove This Malware, and It Will Turn Itself into a Ransomware…

When a malware strikes you, what would be your first thought about? You’d definitely think about removing the malware. But here comes a malware that you shouldn’t think about removing, because you try removing it and it gets even more dangerous. It changes into a ransomware and causes more damage to you…

Security researchers at Sfy Labs have detected a new Android malware, dubbed LokiBot, which turns itself into a ransomware when an attempt is made to remove it.

Bleeping Computer reports- “Security researchers have spotted a new Android banking trojan named LokiBot that turns into ransomware and locks users’ phones when they try to remove its admin privileges. The malware is more banking trojan than ransomware — according to SfyLabs researchers, the ones who discovered it — and is used for this purpose primarily.”

The malware has been in the news for the past few months and the people behind it were engaged in adding new features to it all the while. A report published by HackRead says- “The malware has been in the news since June this year, but since its developers keep coming up with additional features, it has become a quite nasty piece of malware stealing personal and financial information from tons of banking apps and other popular apps including Outlook Skype and WhatsApp.”

LokiBot, as per researchers, thus happens to be “the first hybrid Android malware”. SfyLabs researchers have explained things in a detailed blog post– “The ransomware stage is activated when victims disable the administrative rights of the malware or try to uninstall it. Besides the automatic activation of the ransomware module the bot also has a “Go_Crypt” command, enabling the actors to trigger it.”

The Sfy Labs researchers explain the characteristics of the malware and how it works. They explain that LokiBot works on Android 4.0 and higher and can steal victims’ contacts, read and send SMS messages, spam contacts with SMS messages to spread the infection and upload victims’ browser history to the C2. It could also lock users’ phones, preventing total access of the device. LokiBot also has the ability to start the victims’ browser app and open a given web page. It could also implement SOCKS5, automatically reply to SMS messages and start the users’ banking apps as well. It could also show notifications that seem to be coming from other apps and which can be used as phishing notifications. The most confusing this about this feature is that this is done by using the original icon of the application that’s being impersonated. The malware also makes the phone vibrate when such a notification comes, thereby making the user take notice of the message and tap the notification, which in turn triggers an overlay attack.

Sfy Labs also explains the ransomware capabilities of LokiBot- “This ransomware triggers when you try to remove LokiBot from the infected device by revoking its administrative rights. It won’t go down without a fight and will encrypt all your files in the external storage as a last resort to steal money from you, as you need to pay Bitcoins to decrypt your files.”

The HackRead report explains how LokiBot works as a ransomware, preventing access to the device- “It does it by locking the device, encrypting all of its files and demanding a ransom of $70 – $100 in Bitcoin within 48 hours. The ransomware note threatens victims that their “phone is locked for viewing child pornography” and displays links to websites from where the payment can be sent to cybercriminals.”

Experts opine that Android users should not download third-party apps or unnecessary apps on their device. They should also go for a trusted, effective security product to protect their devices.