Saturday, April 27, 2024

Beware: Dangerous Android Ransomware “LOKIBOT” Attacked Many Users & Earned $1.5 Million From Compromised Victims

The dangerous Android banking trojan “LOKIBOT” has been distributed around the world with a sophisticated ransomware feature, demanding between $70 and $100 from compromised victims.

Based on the BTC addresses used in its source code, this ransomware has already infected many victims and earned more than $1.5 million worldwide.

It uses phishing overlay attacks against many banking apps and other popular apps such as Skype, Outlook and WhatsApp, and the ransomware component is activated when victims disable the malware's administrative rights or try to uninstall it.

This ransomware is also sold as a kit; a full license, including updates, costs $2,000 in BTC.

How Does This Android Ransomware Work

LokiBot is designed to work on Android 4.0 and higher. It also has the capability to steal the victim's contact information and can read and send SMS messages.

It provides a special command to spam all of the compromised victim's contacts in order to spread the malware further.

According to SfyLabs, LokiBot also has some more unique features. For one, it has the ability to start the victim's browser app and open a given web page. Additionally, it implements a SOCKS5 proxy, can automatically reply to SMS messages, and can start a user's banking application.

Later, LokiBot shows a notification that appears to come from another app, claiming that new funds have been transferred to the victim's bank account, and it impersonates the original icon of that application.

The phone is made to vibrate right before the notification is shown so the victim takes notice of it. When the notification is tapped, it triggers an overlay attack.

After this, victims are hit by the ransomware component if they try to remove LokiBot from the infected device by revoking its administrative rights.

At this final stage of infection, it starts searching for all files and directories in the primary shared or external storage directory (traditionally the SD card) and encrypts them using AES.

The key is generated randomly using the default AES/ECB/PKCS5Padding configuration with a 128-bit key size, and the malware then demands payment in Bitcoin to decrypt the files.
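The AES/ECB/PKCS5Padding configuration named above is worth understanding from an analyst's side: ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks, a pattern that can be used to recognise ECB-encrypted files during forensics. The following is an added example (not code from the article, SfyLabs, or the malware) that implements PKCS5 padding, runs a toy 4-round Feistel block cipher in ECB mode as a stand-in for AES (an assumption made so the block runs without any crypto library), and measures the repeated-block leakage.

```python
import hashlib

BLOCK = 16   # AES block size; the article names AES/ECB/PKCS5Padding with a 128-bit key
HALF = BLOCK // 2

def pkcs5_pad(data: bytes) -> bytes:
    """PKCS5 padding as Java's PKCS5Padding applies it: always appends 1..16 bytes."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs5_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS5 padding")
    return data[:-n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.blake2s(bytes([i]) + half, key=key, digest_size=HALF).digest()

# Assumption: a 4-round keyed Feistel network stands in for the AES block operation.
# It is a toy, not AES; what matters here is that ECB mode applies it block by block.
def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(4)):   # undo the rounds in reverse order
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    padded = pkcs5_pad(plaintext)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))

def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = (block_decrypt(key, ciphertext[i:i + BLOCK]) for i in range(0, len(ciphertext), BLOCK))
    return pkcs5_unpad(b"".join(blocks))

def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte blocks that duplicate another; ECB leaks this, a proper mode would not."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return 1 - len(set(blocks)) / len(blocks) if blocks else 0.0
```

A file full of repeated content (zeroed regions, repeated headers) encrypted this way scores well above zero, while the same file under a randomised mode such as CBC or GCM would score near zero.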

If the encryption part fails for some reason, the screen locker still works and locks the victim's screen using the administrative permissions it gained from the user when the malware was first started.

A threat is then shown on the screen: “Your phone is locked for viewing child pornography.” The payment amount varies between $70 and $100. LokiBot's Bitcoin addresses are hardcoded in the APK and can't be updated from the C2 server.

“Since early this summer we have seen at least 30 to 40 samples with bot counts varying between 100 and 2000 bots. We believe that the actors behind LokiBot are successful, based on their BTC traffic and regular bot updates,” SfyLabs said.

SAMPLE HASHES


BITCOIN WALLETS

19tUaovjwW5FSUfmXuECFKn7aA5hXTvqUr
191JVE2XxLEwxZYp4j7atzsoDJ3xZEkgRC
1139UN4Xd6Y9748fRhCxQMTxdfD3Eq3qTf

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.