With each passing day, security threats are increasing. Security threats like Malware & Ransomware are becoming a daily threat.  Security researchers from SfyLabs have identified A new Android banking Trojan “LokiBot”.


The malware is more banking trojan than ransomware — according to SfyLabs researchers.

Though the malicious Android banking Trojans turns into ransomware and locks the user’s device as soon as they try to remove its admin privileges.

LokiBot Targets:


It targets mobile banking applications as well as non-banking applications like WhatsApp, Skype, Outlook and other social media apps.

The malware is also capable of stealing user’s contacts, reading and sending SMS messages and locking out users from accessing their phones.

LokiBot Capabilities:

The malware mainly works on Android version 4.0 and higher versions of the operating system. Just like other Android banking trojans, LokiBot works by showing fake login screens on top of popular apps.

If users try to remove its administrator privileges, LokiBot will trigger its ransomware behavior.


LokiBot has a unique way of hijacking the mobile’s web browser. It helps the malware to download and install the SOCKS5 proxy.

It’s able to steal your contacts, perform overlay attacks, read and send SMS messages, spam your contacts with SMS messages, and upload your browser history to criminals’ servers.

LokiBot shows fake notifications to users to confuse them and make them think that they have received money in their bank account from some unknown sources.


This can make users open the mobile banking application and login to their accounts. The moment a user taps the notification, the malware shows the phishing overlay, instead of the real application.

LokiBot Loophole:

Thankfully LokiBot cannot encrypt the user’s data completely because it is not perfect yet.

“The encryption function in this ransomware utterly fails, because even though the original files are deleted, the encrypted file is decrypted [immediately] and written back to itself,” SfyLabs says. “Thus, victims won’t lose their files, they are only renamed.”

LokiBot Threat:

However, the data may not get encrypted but the user does get locked out of their phone. In addition with a ransom note asking between $70 and $100.

showing a message: “Your phone is locked for viewing child pornography.”


Booting into Safe Mode and removing the infected app and privileges can help the user get back the access to their devices.

According to security experts at SyfLabs LokiBot have already ransomed in over $1.5m in Bitcoins.

The cybercriminals behind this LokiBot trying to sell this on the dark web to other criminals. LokiBot is currently worth about $2,000 in Bitcoin on the Dark Web.

NEXT |BlueBorne Exploit: Everything You Need To Know