LokiBot - The first hybrid Android malware

Wesley Gahr, Pham Duy Phuc, Niels Croese, October 2017


Lately we have been seeing a new variant of Android banking malware which is well-developed and provides numerous unique features such as a ransomware module. Based on the BTC addresses that are used in the source code it seems that the actors behind this new Android malware are successful cybercriminals with over 1.5 million dollars in BTC.

Bitcoin wallet details

It is very unlikely that the actors behind Android LokiBot have gained this amount of money using only LokiBot, since the requested ransomware fee is between $70 and $100 and the bot counts in the various campaigns we have seen are usually around 1000. The malware is sold as a kit. A full license including updates costs $2000 in BTC. The main attack vector of the malware is showing phishing overlays on a large number of banking apps (often around 100) and a handful of other popular apps such as Skype, Outlook and WhatsApp. The ransomware stage is activated when victims disable the administrative rights of the malware or try to uninstall it. Besides the automatic activation of the ransomware module, the bot also has a “Go_Crypt” command, enabling the actors to trigger it. The ransomware attack, however, does not seem to be the main focus of their campaign at the time of writing.

Malware characteristics

LokiBot, which works on Android 4.0 and higher, has pretty standard malware capabilities, such as the well-known overlay attack all bankers have. It can also steal the victim’s contacts and read and send SMS messages. It has a specific command to spam all contacts with SMS messages as a means to spread the infection. The victim’s browser history isn’t safe either, as this can be uploaded to the C2. To top it off there is an option to lock the phone preventing the user from accessing it.

LokiBot also has some more unique features. For one it has the ability to start the victim’s browser app and open a given web page. Additionally, it implements SOCKS5, can automatically reply to SMS messages and it can start a user’s banking application. Combine this with the fact that LokiBot can show notifications which seem to come from other apps, containing for example a message that new funds have been deposited to the victim’s account and interesting phishing attack scenarios arise! The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack.

Another very interesting and unique feature of LokiBot is its ransomware capabilities. This ransomware triggers when you try to remove LokiBot from the infected device by revoking its administrative rights. It won’t go down without a fight and will encrypt all your files in the external storage as a last resort to steal money from you, as you need to pay Bitcoins to decrypt your files.

What’s also interesting to note is that the malware obfuscates its network traffic in exactly the same way as we’ve seen in previously discovered Bankbot variants. This is probably also the reason why our great friend Nikolaos Chrysaidos (Head of Mobile Threats & Security at Avast) reported very early stages of the LokiBot campaign as Bankbot.

Panel features

The C2 web panel is well rounded and has a couple of interesting features. It provides a built-in APK builder which allows the actor to customize the icon, name, build date and C2 URL, making it trivial to create numerous different samples targeting different user groups. It will also automatically generate a certificate to sign each APK.

In addition to building the APK an actor can also customize all aspects of the overlays which will be shown to the victims and do advanced searches on all collected data, such as logs, history and geolocation.

Malware command and control panel

Ransomware details

The ransomware stage is automatically activated when a victim tries to remove the malware. In addition, it can be activated from the C2 by sending the “Go_Crypt” command.

Automatic ransomware activation when disabling 'device admin'

As soon as the ransomware is activated, it starts searching for all files and directories in the primary shared or external storage directory (traditionally the SD card) and encrypts them using AES. A random 128-bit key is generated and the cipher runs with the platform defaults, AES/ECB/PKCS5 padding. However, the encryption function in this ransomware utterly fails: even though the original files are deleted, the encrypted data is immediately decrypted again and that plaintext is what gets written to the new file. Thus, victims won't lose their files; they are only renamed.
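To make the failure concrete, here is an added plain-Java model of the flawed routine described above (this is not LokiBot's own code; the `.locked` suffix is a placeholder because the post does not give the real rename pattern). Running it shows that the "encrypted" output is byte-for-byte the original content:

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

public class LokiCryptModel {

    // Same defaults the post describes: a random 128-bit AES key.
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    // Models the flawed routine: encrypt, delete the original, then decrypt the
    // ciphertext and write the recovered plaintext under the new name.
    static Path flawedEncrypt(Path original, SecretKey key) throws Exception {
        byte[] plain = Files.readAllBytes(original);

        // "AES" alone resolves to AES/ECB/PKCS5Padding on the JVM, matching the post.
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] cipherText = cipher.doFinal(plain);

        Path renamed = original.resolveSibling(original.getFileName() + ".locked"); // placeholder suffix
        Files.delete(original);

        // The bug: the ciphertext is never persisted; it is decrypted straight away
        // and the plaintext is written to the renamed file.
        cipher.init(Cipher.DECRYPT_MODE, key);
        Files.write(renamed, cipher.doFinal(cipherText));
        return renamed;
    }

    // Defender-side check: compare the renamed file with the content we started from.
    static boolean contentIntact(byte[] before, Path renamed) throws Exception {
        return Arrays.equals(before, Files.readAllBytes(renamed));
    }

    public static void main(String[] args) throws Exception {
        Path victim = Files.createTempFile("victim", ".txt");       // constructed sample file
        byte[] content = "constructed sample document".getBytes(StandardCharsets.UTF_8);
        Files.write(victim, content);

        Path renamed = flawedEncrypt(victim, newKey());
        System.out.println("original deleted:  " + !Files.exists(victim));
        System.out.println("renamed to:        " + renamed.getFileName());
        System.out.println("content intact:    " + contentIntact(content, renamed)); // true
    }
}
```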

Even though the encryption part fails pretty badly, the screen locker still works and will lock the victim’s screen using the administrative permissions it gained from the user when the malware was first started. A threat is then shown on the screen: “Your phone is locked for viewing child pornography.” The payment amount varies between $70 and $100. The Bitcoin addresses of LokiBot are hardcoded in the APK and can’t be updated from the C2 server.

Screen shown when the ransomware locks the phone

Hardcoded Bitcoin address

Dynamic analysis evasion

The techniques used by LokiBot to prevent dynamic analysis are not very advanced, but seem to be more extensive than those used by other banking malware we have seen. Over time we see continuing improvements in this part, indicating the developer is still working on it. The following techniques are found in the latest version of LokiBot:

- Detecting Qemu files: /dev/socket/qemud, /dev/qemu_pipe, /system/lib/, /sys/qemu_trace, /system/bin/qemu-props;
- Detecting Qemu properties: init.svc.qemud, init.svc.qemu-props, qemu.hw.mainkeys;
- Detecting emulator (goldfish) drivers in /proc/tty/drivers;
- Checking installed packages for TaintDroid package org.appanalysis;
- Checking presence of TaintDroid class dalvik.system.Taint.


Since early this summer we have seen at least 30 to 40 samples with bot counts varying between 100 and 2000 bots. We believe that the actors behind LokiBot are successful, based on their BTC traffic and regular bot updates. In fact, we have seen new features emerge in the bot almost every week, which shows that LokiBot is becoming a strong Android trojan, targeting many banks and popular apps.

Targeted apps (sorted by package name)

1.    BAWAG P.S.K. (at.bawag.mbanking)
2.    Easybank (at.easybank.mbanking)
3.    ErsteBank/Sparkasse netbanking (at.spardat.netbanking)
4.    Volksbank Banking (at.volksbank.volksbankmobile)
5.    Bankwest (
6.    ING Australia Banking (
7.    NAB Mobile Banking (
8.    Suncorp Bank (
9.    ING Direct France (com.IngDirectAndroid)
10.    Raiffeisen Smart Mobile (com.advantage.RaiffeisenBank)
11.    Akbank Direkt (
12.    澳盛行動夥伴 (
13.    ANZ goMoney Australia (
14.    AOL - News, Mail & Video (
15.    Axis Mobile (
16.    Bank Austria MobileBanking (
17.    Bankinter Móvil (com.bankinter.launcher)
18.    BBVA | España (
19.    BBVA net cash | ES & PT (
20.    Bendigo Bank (
21.    Boursorama Banque (
22.    Banque (
23.    Chase Mobile (
24.    CIBC Mobile Banking:registered: (
25.    CIC (com.cic_prod.bad)
26.    Citibank Australia (
27.    Fifth Third Mobile Banking (com.clairmail.fth)
28.    Crédit Mutuel (com.cm_prod.bad)
29.    Alior Mobile (
30.    CommBank (
31.    iMobile by ICICI Bank (
32.    Meine Bank (
33.    Gumtree: Search, Buy & Sell (
34.    Facebook (com.facebook.katana)
35.    Messenger (com.facebook.orca)
36.    QNB Finansbank Cep Şubesi (
37.    La Banque Postale (
38.    Garanti Mobile Banking (com.garanti.cepsubesi)
39.    Getin Mobile (com.getingroup.mobilebanking)
40.    Google Play Games (
41.    Groupama toujours là (com.groupama.toujoursla)
42.    Lloyds Bank Mobile Banking (
43.    Halifax: the banking app that gives you extra (
44.    HSBC Mobile Banking (com.htsu.hsbcpersonalbanking)
45.    Bank of America Mobile Banking (
46.    ING-DiBa Banking + Brokerage (
47.    Raiffeisen ELBA (com.isis_papyrus.raiffeisen_pay_eyewdg)
48.    Capital One:registered: Mobile (
49.    Citi Handlowy (com.konylabs.cbplpat)
50.    Kutxabank (
51.    MACIF Assurance et Banque (
52.    Microsoft Outlook (
53.    Skrill (com.moneybookers.skrillpayments)
54.    NETELLER (com.moneybookers.skrillpayments.neteller)
55.    Crédit du Nord pour Mobile (com.ocito.cdn.activity.creditdunord)
56.    PayPal (
57.    İşCep (com.pozitron.iscep)
58.    ruralvía (com.rsi)
59.    State Bank Freedom (
60.    SBI Anywhere Personal (
61.    Skype - gratis chatberichten en video-oproepen (
62.    HDFC Bank MobileBanking (
63.    Sparkasse+ (
64.    Sparkasse (
65.    SunTrust Mobile App (com.suntrust.mobilebanking)
66.    TD Canada (
67.    Banca Móvil Laboral Kutxa (com.tecnocom.cajalaboral)
68.    Halkbank Mobil (com.tmobtech.halkbank)
69.    Bancolombia App Personas (
70.    Union Bank Mobile Banking (
71.    USAA Mobile (
72.    U.S. Bank (com.usbank.mobilebanking)
73.    VakıfBank Mobil Bankacılık (
74.    Viber Messenger (com.viber.voip)
75.    Wells Fargo Mobile (
76.    WhatsApp Messenger (com.whatsapp)
77.    Yahoo Mail Blijf georganiseerd (
78.    Yapı Kredi Mobile (
79.    Ziraat Mobil (com.ziraat.ziraatmobil)
80.    comdirect mobile App (
81.    Commerzbank Banking App (de.commerzbanking.mobil)
82.    Consorsbank (de.consorsbank)
83.    DKB-Banking (de.dkb.portalapp)
84.    VR-Banking (
85.    Postbank Finanzassistent (de.postbank.finanzassistent)
86.    SpardaApp (
87.    Popular (es.bancopopular.nbmpopular)
88.    Santander (es.bancosantander.apps)
89.    Bankia (
90.    EVO Banco móvil (es.evobanco.bancamovil)
91.    CaixaBank (
92.    Bank Pekao (eu.eleader.mobilebanking.pekao)
93.    PekaoBiznes24 (eu.eleader.mobilebanking.pekao.firm)
94.    Mobilny Bank (eu.eleader.mobilebanking.raiffeisen)
95.    HVB Mobile B@nking (eu.unicreditgroup.hvbapptan)
96.    Mon AXA (
97.    Banque Populaire (fr.banquepopulaire.cyberplus)
98.    Ma Banque (fr.creditagricole.androidapp)
99.    Mes Comptes - LCL pour mobile (
100. Mobile Banking (
101. Baroda mPassbook (
102. Maybank (
103. L'Appli Société Générale (
104. Santander MobileBanking (
105. Mes Comptes BNP Paribas (
106. BankSA Mobile Banking (
107. Bank of Melbourne Mobile Banking (
108. St.George Mobile Banking (
109. Westpac Mobile Banking (
110. BZWBK24 mobile (pl.bzwbk.bzwbk24)
111. eurobank mobile (pl.eurobank)
112. INGMobile (
113. Token iPKO (
114. mBank PL (pl.mbank)
115. IKO (pl.pkobp.iko)
116. Banca Transilvania (
117. IDBI Bank GO (
118. TSB Mobile Banking (
119. Bank Millennium (

Sample hashes


Bitcoin wallets


