{
	"id": "570a351e-a673-4c86-b476-b676879fdd3f",
	"created_at": "2026-04-06T00:17:39.024058Z",
	"updated_at": "2026-04-10T13:12:19.534064Z",
	"deleted_at": null,
	"sha1_hash": "cdd105932e648954d6a7f32715a3ae6d7ae0c9e4",
	"title": "LokiBot - The first hybrid Android malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60607,
	"plain_text": "LokiBot - The first hybrid Android malware\r\nPublished: 2024-10-01 · Archived: 2026-04-05 15:52:30 UTC\r\nLately we have been seeing a new variant of Android banking malware which is well-developed and provides numerous unique features such as a ransomware module. Based on the BTC addresses that are used in the source code it seems that the actors behind this new Android malware are successful cybercriminals with over 1.5 million dollars in BTC.\r\nIt is very unlikely that the actors behind Android LokiBot have gained this amount of money using only LokiBot, since the requested fee for the ransomware is between $70 and $100 and the bot counts in the various campaigns we have seen are usually around 1000. The malware is sold as a kit. A full license including updates costs $2000 in BTC. The main attack vector of the malware is showing phishing overlays on a large number of banking apps (often around 100) and a handful of other popular apps such as Skype, Outlook and WhatsApp. The ransomware stage is activated when victims disable the administrative rights of the malware or try to uninstall it. Besides the automatic activation of the ransomware module the bot also has a “Go_Crypt” command, enabling the actors to trigger it. The ransomware attack however does not seem to be the main focus of their campaign at the time of writing.\r\nMalware characteristics\r\nLokiBot, which works on Android 4.0 and higher, has pretty standard malware capabilities, such as the well-known overlay attack all bankers have. It can also steal the victim’s contacts and read and send SMS messages. It has a specific command to spam all contacts with SMS messages as a means to spread the infection. The victim’s browser history isn’t safe either, as this can be uploaded to the C2. To top it off there is an option to lock the phone, preventing the user from accessing it.\r\nLokiBot also has some more unique features. For one, it has the ability to start the victim’s browser app and open a given web page. Additionally, it implements SOCKS5, can automatically reply to SMS messages and it can start a user’s banking application. Combine this with the fact that LokiBot can show notifications which seem to come from other apps, containing for example a message that new funds have been deposited to the victim’s account, and interesting phishing attack scenarios arise! The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack.\r\nAnother very interesting and unique feature of LokiBot is its ransomware capabilities. This ransomware triggers when you try to remove LokiBot from the infected device by revoking its administrative rights. It won’t go down without a fight and will encrypt all your files in the external storage as a last resort to steal money from you, as you need to pay Bitcoins to decrypt your files.\r\nWhat’s also interesting to note is that the malware obfuscates its network traffic in the exact same way as we’ve seen in previously discovered Bankbot variants. This is probably also the reason why our great friend Nikolaos Chrysaidos (Head of Mobile Threats & Security at Avast) reported very early stages of the LokiBot campaign as Bankbot.\r\nhttps://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html\r\nPage 1 of 4\r\nPanel features\r\nThe C2 web panel is well rounded and has a couple of interesting features. It provides you with a built-in APK builder which allows you to customize the icon, name, build date and C2 URL, making it trivial to create numerous different samples targeting different user groups. It will also automatically generate a certificate to sign each APK.\r\nIn addition to building the APK an actor can also customize all aspects of the overlays which will be shown to the victims and do advanced searches on all collected data, such as logs, history and geolocation.\r\nHardcoded Bitcoin address\r\nDynamic analysis evasion\r\nThe techniques used by LokiBot to prevent dynamic analysis are not very advanced, but seem to be more extensive than those used by other banking malware we have seen. Over time we see continuing improvements on this part, indicating the developer is still working on this. The following techniques are found in the latest version of LokiBot:\r\n- Detecting Qemu files: /dev/socket/qemud, /dev/qemu_pipe, /system/lib/libc_malloc_debug_qemu.so, /sys/qemu_trace, /system/bin/qemu-props;\r\n- Detecting Qemu properties: init.svc.qemud, init.svc.qemu-props, qemu.hw.mainkeys;\r\n- Detecting emulator (goldfish) drivers in /proc/tty/drivers;\r\n- Checking installed packages for TaintDroid package org.appanalysis;\r\n- Checking presence of TaintDroid class dalvik.system.Taint.\r\nConclusion\r\nSince early this summer we have seen at least 30 to 40 samples with bot counts varying between 100 and 2000 bots. We believe that the actors behind LokiBot are successful, based on their BTC traffic and regular bot updates. In fact, we have seen new features emerge in the bot almost every week, which shows that LokiBot is becoming a strong Android trojan, targeting many banks and popular apps.\r\nTargeted apps (sorted by package name)\r\n1. BAWAG P.S.K. (at.bawag.mbanking)\r\n2. Easybank (at.easybank.mbanking)\r\n3. ErsteBank/Sparkasse netbanking (at.spardat.netbanking)\r\n4. Volksbank Banking (at.volksbank.volksbankmobile)\r\n5. Bankwest (au.com.bankwest.mobile)\r\n6. ING Australia Banking (au.com.ingdirect.android)\r\n7. NAB Mobile Banking (au.com.nab.mobile)\r\n8. Suncorp Bank (au.com.suncorp.SuncorpBank)\r\n9. ING Direct France (com.IngDirectAndroid)\r\n10. Raiffeisen Smart Mobile (com.advantage.RaiffeisenBank)\r\n11. Akbank Direkt (com.akbank.android.apps.akbank_direkt)\r\n12. 澳盛行動夥伴 (com.anz.android)\r\n13. ANZ goMoney Australia (com.anz.android.gomoney)\r\n14. AOL - News, Mail & Video (com.aol.mobile.aolapp)\r\n15. Axis Mobile (com.axis.mobile)\r\n16. Bank Austria MobileBanking (com.bankaustria.android.olb)\r\n17. Bankinter Móvil (com.bankinter.launcher)\r\n18. BBVA | España (com.bbva.bbvacontigo)\r\n19. BBVA net cash | ES & PT (com.bbva.netcash)\r\n20. Bendigo Bank (com.bendigobank.mobile)\r\n21. Boursorama Banque (com.boursorama.android.clients)\r\n22. Banque (com.caisseepargne.android.mobilebanking)\r\n23. Chase Mobile (com.chase.sig.android)\r\n24. CIBC Mobile Banking® (com.cibc.android.mobi)\r\n25. CIC (com.cic_prod.bad)\r\n26. Citibank Australia (com.citibank.mobile.au)\r\n27. Fifth Third Mobile Banking (com.clairmail.fth)\r\n28. Crédit Mutuel (com.cm_prod.bad)\r\n29. Alior Mobile (com.comarch.mobile)\r\n30. CommBank (com.commbank.netbank)\r\n31. iMobile by ICICI Bank (com.csam.icici.bank.imobile)\r\n32. Meine Bank (com.db.mm.deutschebank)\r\n33. Gumtree: Search, Buy & Sell (com.ebay.gumtree.au)\r\n34. Facebook (com.facebook.katana)\r\n35. Messenger (com.facebook.orca)\r\n36. QNB Finansbank Cep Şubesi (com.finansbank.mobile.cepsube)\r\n37. La Banque Postale (com.fullsix.android.labanquepostale.accountaccess)\r\n38. Garanti Mobile Banking (com.garanti.cepsubesi)\r\n39. Getin Mobile (com.getingroup.mobilebanking)\r\n40. Google Play Games (com.google.android.play.games)\r\n41. Groupama toujours là (com.groupama.toujoursla)\r\n42. Lloyds Bank Mobile Banking (com.grppl.android.shell.CMBlloydsTSB73)\r\n43. Halifax: the banking app that gives you extra (com.grppl.android.shell.halifax)\r\n44. HSBC Mobile Banking (com.htsu.hsbcpersonalbanking)\r\n45. Bank of America Mobile Banking (com.infonow.bofa)\r\n46. ING-DiBa Banking + Brokerage (com.ing.diba.mbbr2)\r\n47. Raiffeisen ELBA (com.isis_papyrus.raiffeisen_pay_eyewdg)\r\n48. Capital One® Mobile (com.konylabs.capitalone)\r\n49. Citi Handlowy (com.konylabs.cbplpat)\r\n50. Kutxabank (com.kutxabank.android)\r\n51. MACIF Assurance et Banque (com.macif.mobile.application.android)\r\n52. Microsoft Outlook (com.microsoft.office.outlook)\r\n53. Skrill (com.moneybookers.skrillpayments)\r\n54. NETELLER (com.moneybookers.skrillpayments.neteller)\r\n55. Crédit du Nord pour Mobile (com.ocito.cdn.activity.creditdunord)\r\n56. PayPal (com.paypal.android.p2pmobile)\r\n57. İşCep (com.pozitron.iscep)\r\n58. ruralvía (com.rsi)\r\n59. State Bank Freedom (com.sbi.SBFreedom)\r\n60. SBI Anywhere Personal (com.sbi.SBIFreedomPlus)\r\n61. Skype - gratis chatberichten en video-oproepen (com.skype.raider)\r\n62. HDFC Bank MobileBanking (com.snapwork.hdfc)\r\n63. Sparkasse+ (com.starfinanz.smob.android.sbanking)\r\n64. Sparkasse (com.starfinanz.smob.android.sfinanzstatus)\r\n65. SunTrust Mobile App (com.suntrust.mobilebanking)\r\n66. TD Canada (com.td)\r\n67. Banca Móvil Laboral Kutxa (com.tecnocom.cajalaboral)\r\n68. Halkbank Mobil (com.tmobtech.halkbank)\r\n69. Bancolombia App Personas (com.todo1.mobile)\r\n70. Union Bank Mobile Banking (com.unionbank.ecommerce.mobile.android)\r\n71. USAA Mobile (com.usaa.mobile.android.usaa)\r\n72. U.S. Bank (com.usbank.mobilebanking)\r\n73. VakıfBank Mobil Bankacılık (com.vakifbank.mobile)\r\n74. Viber Messenger (com.viber.voip)\r\n75. Wells Fargo Mobile (com.wf.wellsfargomobile)\r\n76. WhatsApp Messenger (com.whatsapp)\r\n77. Yahoo Mail Blijf georganiseerd (com.yahoo.mobile.client.android.mail)\r\n78. Yapı Kredi Mobile (com.ykb.android)\r\n79. Ziraat Mobil (com.ziraat.ziraatmobil)\r\n80. comdirect mobile App (de.comdirect.android)\r\n81. Commerzbank Banking App (de.commerzbanking.mobil)\r\n82. Consorsbank (de.consorsbank)\r\n83. DKB-Banking (de.dkb.portalapp)\r\n84. VR-Banking (de.fiducia.smartphone.android.banking.vr)\r\n85. Postbank Finanzassistent (de.postbank.finanzassistent)\r\n86. SpardaApp (de.sdvrz.ihb.mobile.app)\r\n87. Popular (es.bancopopular.nbmpopular)\r\n88. Santander (es.bancosantander.apps)\r\n89. Bankia (es.cm.android)\r\n90. EVO Banco móvil (es.evobanco.bancamovil)\r\n91. CaixaBank (es.lacaixa.mobile.android.newwapicon)\r\n92. Bank Pekao (eu.eleader.mobilebanking.pekao)\r\n93. PekaoBiznes24 (eu.eleader.mobilebanking.pekao.firm)\r\n94. Mobilny Bank (eu.eleader.mobilebanking.raiffeisen)\r\n95. HVB Mobile B@nking (eu.unicreditgroup.hvbapptan)\r\n96. Mon AXA (fr.axa.monaxa)\r\n97. Banque Populaire (fr.banquepopulaire.cyberplus)\r\n98. Ma Banque (fr.creditagricole.androidapp)\r\n99. Mes Comptes - LCL pour mobile (fr.lcl.android.customerarea)\r\n100. Mobile Banking (hr.asseco.android.jimba.mUCI.ro)\r\n101. Baroda mPassbook (in.co.bankofbaroda.mpassbook)\r\n102. Maybank (may.maybank.android)\r\n103. L’Appli Société Générale (mobi.societegenerale.mobile.lappli)\r\n104. Santander MobileBanking (mobile.santander.de)\r\n105. Mes Comptes BNP Paribas (net.bnpparibas.mescomptes)\r\n106. BankSA Mobile Banking (org.banksa.bank)\r\n107. Bank of Melbourne Mobile Banking (org.bom.bank)\r\n108. St.George Mobile Banking (org.stgeorge.bank)\r\n109. Westpac Mobile Banking (org.westpac.bank)\r\n110. BZWBK24 mobile (pl.bzwbk.bzwbk24)\r\n111. eurobank mobile (pl.eurobank)\r\n112. INGMobile (pl.ing.ingmobile)\r\n113. Token iPKO (pl.ipko.mobile)\r\n114. mBank PL (pl.mbank)\r\n115. IKO (pl.pkobp.iko)\r\n116. Banca Transilvania (ro.btrl.mobile)\r\n117. IDBI Bank GO (src.com.idbi)\r\n118. TSB Mobile Banking (uk.co.tsb.mobilebank)\r\n119. Bank Millennium (wit.android.bcpBankingApp.millenniumPL)\r\nSample hashes\r\nBitcoin wallets\r\n19tUaovjwW5FSUfmXuECFKn7aA5hXTvqUr\r\n191JVE2XxLEwxZYp4j7atzsoDJ3xZEkgRC\r\n1139UN4Xd6Y9748fRhCxQMTxdfD3Eq3qTf\r\nSource: https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html"
	],
	"report_names": [
		"lokibot_the_first_hybrid_android_malware.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdd105932e648954d6a7f32715a3ae6d7ae0c9e4.pdf",
		"text": "https://archive.orkl.eu/cdd105932e648954d6a7f32715a3ae6d7ae0c9e4.txt",
		"img": "https://archive.orkl.eu/cdd105932e648954d6a7f32715a3ae6d7ae0c9e4.jpg"
	}
}