February 5, 2016
The pack consists of three associated Trojans dubbed Android.Loki.1.origin, Android.Loki.2.origin, and Android.Loki.3 respectively. The first one is launched with the help of the liblokih.so library, which Dr.Web for Android detects as Android.Loki.6. Android.Loki.3 injects this library into one of the system processes; as a result, Android.Loki.1.origin runs with system privileges. Android.Loki.1.origin is a service that can perform a wide variety of functions. For example, it can download any application from Google Play using a special link that carries the account of an affiliate program, so that each install generates income for the attackers. Android.Loki.1.origin can also:
- Download and delete applications
- Enable and disable applications and their components
- Kill processes
- Display notifications
- Register any application as the Accessibility Service application
- Update its components and download plug-ins from the server
The second component of this pack, Android.Loki.2.origin, installs various applications on the infected device and displays advertisements. It also acts as spyware: it collects and sends the following information to the server:
- IMEI identifier
- IMSI identifier
- MAC address
- MCC (Mobile Country Code) identifier
- MNC (Mobile Network Code) identifier
- Version of the operating system
- Screen resolution
- Amount of installed and free RAM on the device
- Version of the operating system kernel
- Device model
- Device manufacturer
- Version of the firmware
- Serial number of the device
Once this information has been sent to the server, the Trojan receives a configuration file necessary for its operation. At set intervals, Android.Loki.2.origin connects to the server to accept instructions and sends the following information:
- Version of the configuration file
- Version of the service provided by Android.Loki.1.origin
- Current system language
- Country
- Information about the user's Google account
In reply, Android.Loki.2.origin receives a command either to install an application (which may also be downloaded from Google Play) or to display advertisements. If the user taps one of the Trojan's notifications, they are redirected to a website or prompted to install software. On command from the cybercriminals, Android.Loki.2.origin also sends the following information:
- List of installed applications
- Browser history
- List of contacts
- Call history
- Current location
Finally, Android.Loki.3 can inject the liblokih.so library into the system_server process and execute commands received from other Trojans of the Android.Loki family with root privileges. In effect, Android.Loki.3 is a server that launches shell scripts: it receives the path of a script that needs to be executed and runs that script.
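Because the pack's persistence hinges on a foreign shared object being mapped into system_server, one practical triage check is to read that process's /proc/&lt;pid&gt;/maps and flag any .so that is either the known liblokih.so name or loaded from outside the read-only system partitions. The script below is an added example, not Dr.Web's tooling; the sample maps content and the /data path for the library are constructed for illustration.

```python
import re
from typing import List

# Partitions from which a stock build loads shared objects into system_server.
# Assumption: adjust this tuple for the device under examination.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/product/", "/system_ext/")

# Library name the Android.Loki write-up associates with the injection.
KNOWN_BAD_NAMES = {"liblokih.so"}

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional pathname.
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)

def suspicious_mappings(maps_text: str) -> List[dict]:
    """Return mapped .so files that are a known-bad name or come from an
    untrusted (writable) location, one entry per distinct path."""
    findings, seen = [], set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue  # malformed or anonymous mapping without a path
        path = m.group("path").strip()
        if not path.endswith(".so") or path in seen:
            continue
        seen.add(path)
        name = path.rsplit("/", 1)[-1]
        if name in KNOWN_BAD_NAMES:
            reason = "known Android.Loki library name"
        elif not path.startswith(TRUSTED_PREFIXES):
            reason = "shared object mapped from an untrusted location"
        else:
            continue
        findings.append({"path": path, "perms": m.group("perms"), "reason": reason})
    return findings

# Constructed sample of a system_server maps file (paths under /data are assumed).
SAMPLE_MAPS = """\
7f1a2b0000-7f1a2c0000 r-xp 00000000 fd:00 1234 /system/lib64/libandroid_runtime.so
7f1a2c0000-7f1a2c1000 r--p 00010000 fd:00 1234 /system/lib64/libandroid_runtime.so
7f1a300000-7f1a320000 r-xp 00000000 fd:01 5678 /data/local/tmp/liblokih.so
7f1a400000-7f1a410000 rw-p 00000000 00:00 0
7f1a500000-7f1a510000 r-xp 00000000 fd:01 9999 /data/app/com.example/lib/arm64/libfoo.so
"""

if __name__ == "__main__":
    for f in suspicious_mappings(SAMPLE_MAPS):
        print(f"{f['perms']} {f['path']}: {f['reason']}")
```

On a live device the input would come from `adb shell cat /proc/$(pidof system_server)/maps`, which on most builds requires root or a debug image.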
The Android.Loki Trojans store some of their components in Android system folders, which Dr.Web cannot access. Therefore, to remove the infection completely, you should reflash your device using an original image of the operating system. Before doing so, create a backup copy of all important information stored on the device. Inexperienced users are advised to contact a specialist.