LokiBot is silently causing harm to Android devices that it has infected without user knowledge since 2016. It is a trojan designed to steal information from the user, an espionage-like software causing users to lose their login credentials for various web services. The people behind it are very motivated, given that they continue to “improve” LokiBot in order to deepen its probe against the infected device. LokiBot targets are widely known to steal information from FTP clients, Web browsers, SSH clients such as PuTTY, etc. The person who develops the original LokiBot is called lokistov. Lokistov began selling LokiBot at a hacking forum for just $300. After that, a new version was created one after another, for the purpose of being sold on the dark web. It is cheap for anyone to buy at $80 per copy.
“The nickname of the vendor was lokistov or Carter, a known user in many underground forums and its contact email were firstname.lastname@example.org or email@example.com. It was possible to buy a LokiBot sample for a minor price, about $80. That is because there were many actors distributing this malware, maybe because it was said that LokiBot malware code was leaked,” explained a researcher named d00rt in his GitHub page.
This malware has a function “Decrypt3DESstring”. LokiBot decrypts the string encrypted with Triple DES using “Decrypt 3 DES List” and obtains the URL of C & C server. It is an addition feature not found in the original version LokiBot. The modified LokiBot has been modified so that “Decrypt3DESstring” is not a string type encrypted with triple DES, but a result decrypted by XOR encrypted string type.
Because the string type was encrypted with XOR, anyone can use the HEX editor to easily change the URL of the C & C server to which the information is sent , because the modified version of LokiBot was encrypted. The intention of LokiBot original version developer to put the URL of C & C server into string type encrypted with XOR which is inferior in safety compared with triple DES remains unknown. LokiBot variants that are sold at a low price on the dark web are said to have similar functions.
“The newest LokiBot samples are patched. There is a new section called “x” where is a xored url. Keeping that in mind, it would be very easy to create a builder, for creating LokiBot samples with a new control panel and sell it. You could change the xored url with another xored url using a hex editor or with a simple script. There exist a builder in the underground forums which is able to create new LokiBot samples with a custom control panel,” added d00rt.
Lokistov/Carter is not a shabby virus developer; he knows what he is doing, keeping people from analyzing his malware by using encryption. It takes advantage of the startup methods provided by the operating system to keep itself from being removed from memory after a reboot of the Android device. Users are advised to only source their application from the official Google Play Store or from trusted 3rd party app store like Amazon App Store. Users also need to be sensitive when it comes to what permission to give to an app; users must deny any permission that they think the app does not need.