The Loki Android Trojan was first seen in February 2016 and is considered one of the first instance where malware could infect devices and settle inside the core Android operating system processes. Loki used this as an anti-detection technique to go undetected longer and carry out operations with root privileges. The Trojan has the capability to steal various content from the device, disable notifications, intercept communications, and exfiltrate data. In December 2016, researchers discovered a new variant of Loki that targets Android operating systems’ core libraries. The infection process changed to yield better results in anti-detection and avoid blacklisting by security companies. The Loki Trojan infects users when they install malicious apps from third-party app stores. The apps contain an exploit to elevate the malware’s privileges. The February 2016 version targets the native Android “system_server” and the December variant modifies a native system library and loads one of the Trojan’s components. The main purpose of Loki is to display unwanted ads. The only way to remove Loki is to reinstall the entire operating system.


  • February 2016: Trojan infects Android system process, gets root privileges. (Softpedia)
  • December 2016: Loki Trojan infects Android libraries and system process to gain root privileges. (Bleeping Computer)
  • March 2017: Loki malware found pre-installed on Android devices. (Check Point)
  • May 2017:  A new variant designed to steal credentials from several popular browsers is being spread via a PDF file purportedly sent to the user through Dropbox. (Fortinet)

Technical Details

  • Dr. Web provides technical details on the Loki Trojan, here.