LokiBot: An info-stealer malware

LokiBot is an info-stealer malware that was first detected in February 2016. LokiBot targets Android systems and its capabilities include stealing credentials, disabling notifications, intercepting communications, and exfiltrating data.


Four different versions of LokiBot


Four different versions of LokiBot was spotted infecting Android systems which include Android.Loki.1.origin, Android.Loki.2.origin, Android.Loki.3, and Android.Loki.6.

  • Android.Loki.3 is the primary component that gains root privileges and loads the Android.Loki.2.origin.
  • Android.Loki.2.origin collects system information such as OS version, device model and serial number, Mac address, IMEI, IMSI, MCC, and MNC identifiers on each infected device.
  • Android.Loki.2.origin also has spyware capabilities and can also gather the list of current applications, browser history, contact list, call history, and the phone's current geographical location.
  • The collected information is sent to the C&C server and if the targeted device seems to be valuable, the Android.Loki.1.origin downloads files from the Google Play store or third-party app stores.
  • Android.Loki.1.origin can install apps as well as delete apps and display rogue notifications on the infected device.

LokiBot infects Android core libraries


In December 2016, a new version of LokiBot was spotted infecting the Android OS libraries. This new variant modifies a native system library and adds an extra dependency that loads one of the LokiBot’s three components which included libz.so, libcutils.so, and liblog.so.


LokiBot infects 36 Android devices


In March 2017, LokiBot was spotted infecting almost 36 Android devices. The malware was pre-installed on these devices. The infected devices include ZTE x500, Oppo N3, Oppo R7 plus, Vivo X6 plus, 5 Asus Zenfone 2, LenovoS90, Lenovo A850, Xiaomi Redmi, Xiaomi Mi 4i, LG G4, Galaxy S7, Galaxy S4, Galaxy A5, Galaxy Note series - 2, 3, 4, 5, 8.0, and Galaxy Edge.


LokiBot steals passwords from hundreds of software tools


LokiBot was observed stealing credentials from over 100 software tools via PDF file. The targeted browsers and software tools include Mozilla Firefox, Safari, 1Password and other password managers, file manager software, and a host of other programs.


LokiBot turned into ransomware


In October 2017, LokiBot was spotted exhibiting ransomware behavior. LokiBot was sold on underground hacking forums for $2000. It works on Android versions 4.0 and later and requires admin privileges. If users find anything suspicious and try to remove its admin privileges, LokiBot locks users’ devices with a ransom note asking between $70 and $100.


LokiBot targets corporate mailboxes


In August 2018, LokiBot targeted corporate mailboxes via phishing emails and spam messages. The phishing emails included a ISO file attachment which when opened downloads and executes the LokiBot trojan. The Trojan then steals passwords from browsers, messaging applications, mail and FTP clients, as well as cryptocurrency wallets.


In a recent report on ’How malware traverses enterprise you network without you even knowing about it’ published by Gigamon, researchers noted LokiBot as one of the most prolific malware with almost 11.6% of observed samples in 2018 and a fairly high success rate throughout 2018.