Android Ransomware

Dangerous Android Banking Trojan “LOKIBOT” has distributed around the world with sophisticated Ransomware future and demanding around $70 and $100 from compromised victims.

Based on the BTC Address that has been used in source code, this Ransomware already infected many victims and earned more than $1.5 Million around the world.

It uses  Phishing overlay attack with many Banking apps and other most papular apps such as  Skype, Outlook and WhatsApp and activated when victims disable the administrative rights of the malware or try to uninstall it.

This Ransomware also sold as a kid with full license cost including updates costs $2000 in BTC.

How Does This Android Ransomware Works

Lokibot Ransomware Designed to work on 4.0 and higher android versions and also have the capability to steal the victim’s contact information also it has the ability to read and send the SMS.

Its provide a special Command to spam all the compromised victim’s contacts to spreading the Malware variant.

According to SfyLabs , LokiBot also has some more unique features. For one it has the ability to start the victim’s browser app and open a given web page. Additionally, it implements SOCKS5, can automatically reply to SMS messages and it can start a user’s banking application.

Later Lokibot will show the notification that comes from other apps which contain the information that new funds have transferred to your bank account and its impersonate as an original icon of the application.

Later the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack.

After this infection, Victims will infect by the Ransomware if the infected victims will try to remove LokiBot from the infected device by revoking its administrative rights.

At this Final stage of infection,  it starts searching for all files and directories in the primary shared or external storage directory (traditionally the SD card) and encrypts them using AES.

The key is generated randomly under default AES/ECB/PKCS5 padding and 128-bit key size and finally demand to pay Bitcoins to decrypt your files.

If Encryption part fails for some reasons still the screen locker works and will lock the victim’s screen using the administrative permissions it has gained from the user when the malware was first started.

Later a  threat is then shown on the screen as “Your phone is locked for viewing child pornography.” The payment amount varies between $70 and $100. The Bitcoin addresses of LokiBot are hardcoded in the APK and can’t be updated from C2 server.


Since early this summer we have seen at least 30 to 40 samples with bot counts varying between 100 to 2000 bots. We believe that the actors behind LokiBot are successful, based on their BTC traffic and regular bot updates. syfLabs said.