According to SfyLabs researchers, the malware is more of a banking trojan than ransomware and is used primarily for that purpose. Just like similar Android banking trojans, LokiBot works by showing fake login screens on top of popular apps. LokiBot targets mobile banking apps by design, but also targets popular non-banking apps such as Skype, Outlook, and WhatsApp.
LokiBot has its own unique features compared to other Android banking trojans. For starters, it can open a mobile browser and load a URL, and it will install a SOCKS5 proxy to redirect outgoing traffic. It can also automatically reply to SMS messages and send SMS messages to all of the victim's contacts, a feature most likely used to send SMS spam and infect new users.
LokiBot can also show fake notifications disguised as coming from other apps. The malware uses this feature to trick users into thinking they have received money in their bank account so that they open the mobile banking app. When the user taps the notification, LokiBot shows the phishing overlay instead of the real app.