Defend what you create

Other Resources


My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to news

Doctor Web discovers new version of Android.Loki Trojans that infects system libraries

December 9, 2016

Doctor Web’s security researchers have found a new representative of the Android.Loki family of Trojans, malware we first reported on in February 2016. Like the previous versions, this Trojan injects itself into processes of various applications, including system-related ones; however, this version can also infect Android libraries.

The Trojan, dubbed Android.Loki.16.origin, is a multi-component malware program that covertly downloads and installs software on Android devices. The infection process involves several steps.

First, other malicious programs download and run Android.Loki.16.origin on a mobile device. Then the Trojan connects to a command and control server and downloads the additional component Android.Loki.28; it also downloads several exploits so that it can get root privileges. All the files are stored in the Trojan’s folder. Android.Loki.16.origin executes the exploits one by one, and once its privileges have been elevated, it runs the module Android.Loki.28.

Once launched, Android.Loki.28 mounts the section /system so that a writing process can make changes to system files. It then extracts the additional malicious components Android.Loki.26 and Android.Loki.27 from its body and saves them to the system catalogs /system/bin/ and /system/lib/, respectively. The Trojan then injects a dependency from Android.Loki.27 into one of the system libraries. Once the library is modified, Android.Loki.27 ties itself to it and is run every time the operating system uses the library. Figures below show an example of changes performed by the Trojan:

Doctor Web discovers new versions of Android.Loki that infect system libraries #drweb Doctor Web discovers new versions of Android.Loki that infect system libraries #drweb

Once Android.Loki.27 starts operating, it runs Android.Loki.26 solely from system processes that use root privileges. Thus, Android.Loki.26 acquires elevated permissions and can covertly download not only malware programs, but also advertising modules and benign applications, generating illegal income from advertising and increasing download statistics.

Since Android.Loki.27 modifies system components, its deletion can render a device non-operational. When switched on again, the Android operating system won’t boot up normally because it won’t be able to find the dependency from the Trojan in the modified library. For the device to work normally again, its firmware has to be updated, a process that will delete all personal files. Before performing the update, the device owner should create back-up copies of all their important data and, if possible, contact a technical support specialist.

Dr.Web for Android successfully detects all the known Trojans belonging to the Android.Loki family, so they do not pose any threat to our users.

More about this Trojan

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124