Cybersecurity agencies warn of an alarming surge in LokiBot malware attacks.

The malware, which mainly targets Windows and Android devices, has been spreading fast over the past couple of months. Here’s what you need to know about this threat, what you can do to protect yourself, and how to deal with a LokiBot infection.

What Is LokiBot?

Also known as Lokibot, Loki PWS, and Loki-bot, this Trojan malware targets Windows and Android OS. It is designed to infiltrate systems and steal sensitive information like your usernames and passwords, cryptocurrency wallet, and other credentials.

First reported in 2015, it has become one of the most prevalent information stealers along with the sinister Emotet malware. Because of its simple interface and codebase, it is used by a broad range of cybercriminals including medium-skilled operators who are new to cybercrime.

LokiBot has evolved since its emergence in the mid-2010s. One variant even used steganography to strengthen its obfuscation. This allowed the LokiBot strain to hide its malicious files or source code inside image files, thereby evading detection and covering its tracks.

Some of Lokibot’s nefarious descendants include MysteryBot, Parasite, Xerxes, and the newest version called BlackRock.

What Is BlackRock?

First spotted in May 2020, BlackRock is a strain of malware that’s based on the previously leaked source code for Xerxes. It is a descendant of Lokibot and has been wreaking havoc during the 2020 lockdowns, attacking not just banking apps but many other Android applications.

BlackRock collects credentials on banking apps and cryptocurrency wallets. But it also targets usernames, passwords, and credit card details you type on Gmail, Amazon, Netflix, Uber, Playstation, TikTok, and more than 300 other Android apps. It uses overlays or a fake Windows pop-up that collects user credentials.


What Can Lokibot Malware Do?

Aside from using overlay techniques, LokiBot has a keylogger feature. This is designed to stealthily snatch important information by recording every key struck on your keyboard.

Once LokiBot latches onto your device, it creates a backdoor that allows a hacker to install additional payloads or other malicious software. It has even been known to send fake notifications like ones claiming that you’ve received money or funds have been deposited to your account. Once you tap the notification, it triggers an overlay with a fake login form.

On your phone, the malware can automatically reply to your SMS and send SMS messages to your contacts so it can infect other users. It normally operates undetected.

And by the time you discover it and try to remove its administrative privileges, it will refuse to go down without a fight. It will lock your device and turn into ransomware!

How Do I Get Infected With LokiBot?

LokiBot typically spreads via malicious spam with an infected attachment. Previous campaigns used attachments posing as an invoice, quotation, or order confirmation. Another LokiBot campaign used the Coronavirus pandemic to lure victims into opening the file.


A more insidious campaign used a fake downloader disguised as a launcher for Epic Games, the developer of the popular multiplayer game Fortnite. It uses Epic Games’ logo to make it look legitimate. Once you download and run the fake launcher, you’ll be infected with the malware.

How Do I Protect Myself From LokiBot?

Be careful with file attachments, even those apparently sent by people you know. Your friend’s computer may have been infected with malware that sends out fake emails or SMS messages. Give them a call to confirm that the attachment is safe.

Make sure your security suite is updated with the latest virus definitions. Install OS and software patches as soon as they are available because these will fix vulnerabilities hackers can exploit.

And since LokiBot can impersonate popular games and apps, you have to be careful with third-party services. Download apps and games from legitimate sources. Google Store is still the safest place to get Android apps but it is important to note that a few rogue apps can still slip through the cracks and evade screening. Read reviews before downloading.

What To Do if You Get Infected With LokiBot

If you suspect that this nasty malware is hiding in your device, you can remove it safely after rebooting in safe mode.

How to Remove LokiBot on a Windows Device

Windows 10 users need to learn how to boot in Safe Mode. If you are using Windows 8 or Windows 7, scroll down to item number three in our guide for when your system's down. Choose Safe Mode with Networking.

Then open Task Manager by pressing Ctrl + Shift + Esc. Go to the Processes tab and locate LokiBot and any other malicious processes; right-click each one, then select End Process.

You can also go to your computer’s Control Panel > Uninstall Program if you’re using Windows 7 or 8. On Windows 10, go to Settings > Apps & Features. From there, you can locate it then click Uninstall.

How to Remove LokiBot From Browsers

If you’re using Mozilla Firefox, go to Tools or press Shift + Ctrl + A, then go to Extensions, select the LokiBot-related extensions from the list, and click Remove. In Google Chrome, press Alt + F, then go to Tools > Extensions. From there you can remove LokiBot.

You shouldn't use Internet Explorer as it isn't updated by Microsoft anymore. Nonetheless, if you are still using it, you can press Alt + T, then click Manage Add-ons. Select Toolbars and Extensions and check the list on the right. When you find LokiBot, right-click it and choose Disable. Then click More Information > Remove.


Don’t forget to clear your cache and history to get rid of any traces of removed apps.

How to Remove LokiBot on an Android Device

To boot your Android device in Safe Mode, brush up on how to remove viruses without a factory reset.

Before uninstalling, turn off the malware's administrative permissions or you won’t be able to remove it. To do this, go to Settings (or tap the gear icon), then go to Security > Device Administrators. You’ll see a list of apps with administrative permission, and you can deactivate it there.

To uninstall, go to Settings > Apps, then you’ll see a list of all the apps on your device. Choose the malicious ones you need to remove then click Uninstall.
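If you have a computer with adb available, the device-administrator check above can be done from the command line. The script below is an added example, not part of the original article: it cross-references the enabled device admins with the list of user-installed apps, and it assumes the usual layout of `dumpsys device_policy` output (which varies between Android versions); the sample data and the package `com.example.flashupdate` are constructed.

```shell
#!/bin/sh
# Constructed sample in the shape of `adb shell dumpsys device_policy` output.
# com.example.flashupdate is a made-up package name, not a LokiBot indicator.
sample_policy() {
cat <<'EOF'
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10013
    com.example.flashupdate/.AdminReceiver:
      uid=10187
EOF
}

# Constructed sample in the shape of `adb shell pm list packages -3` output
# (-3 lists only user-installed, third-party packages).
sample_third_party() {
cat <<'EOF'
package:com.example.flashupdate
package:org.mozilla.firefox
EOF
}

# Read dumpsys output on stdin; print the package of each "pkg/.Receiver:" line.
admin_packages() {
  sed -n 's|^[[:space:]]*\([A-Za-z0-9_.]*\)/[A-Za-z0-9_.$]*:[[:space:]]*$|\1|p' | sort -u
}

# $1 = dumpsys text, $2 = package list. Print third-party packages that are
# also enabled device admins: these must be deactivated before uninstalling.
suspect_admins() {
  printf '%s\n' "$1" | admin_packages | while read -r pkg; do
    if printf '%s\n' "$2" | tr -d '\r' | grep -qxF "package:$pkg"; then
      printf '%s\n' "$pkg"
    fi
  done
}

if [ "${1:-}" = "--live" ]; then
  # Needs adb on PATH and USB debugging enabled on the phone.
  suspect_admins "$(adb shell dumpsys device_policy)" "$(adb shell pm list packages -3)"
else
  suspect_admins "$(sample_policy)" "$(sample_third_party)"
fi
```

Run it with `--live` against a connected phone; any package it prints that you don't recognize is a candidate to deactivate under Settings > Security > Device Administrators before you uninstall it.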

If you don’t want to do this manually you can use free malware removal apps like Malwarebytes Security and Bitdefender Antivirus.

To guide you through the entire process, here's a complete malware removal guide that includes what to do before and after the purge.

LokiBot Is Here to Stay

Just when you thought LokiBot’s dead, it comes back with an even more sinister strain. While it is not a particularly advanced malware, it's widespread and can still cause a lot of problems if it steals your credentials.

Most reliable antivirus (AV) software can detect LokiBot though, as long as it’s regularly updated. And because it also targets Android devices (and many use phone apps to do banking), it’s best to have AV on your phone too.