New Android banking trojan malware called “LokiBot” comes with ransomware capabilities which are triggered if the user tries to disable the malware’s admin rights or when victims try to remove it. Once the ransomware feature is activated, LokiBot “encrypts” all of the victims’ data.

The malware is also capable of stealing victims’ contacts, reading and sending SMS messages and locking out users from accessing their phones. LokiBot’s main attack vector involves phishing overlays on numerous banking apps. However, the malware also targets several popular apps such as WhatsApp, Skype and Outlook.

LokiBot also comes with some unique features, such as starting a web browser app and opening up a specific webpage, automatically replying to SMS messages, starting the victims’ online banking app, as well as sending out fake notifications claiming to be from legitimate apps on the phone. “The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack.”