The LokiBot Android Trojan was first seen in February 2016 and is considered one of the first instance where malware could infect devices and settle inside the core Android operating system processes. LokiBot used this as an anti-detection technique to go undetected longer and carry out operations with root privileges. The Trojan has the capability to steal various content from the device, disable notifications, intercept communications, and exfiltrate data. In December 2016, researchers discovered a new variant of LokiBot that targets Android operating systems’ core libraries. The infection process changed to yield better results in anti-detection and avoid blacklisting by security companies. LokiBot infects users when they install malicious apps from third-party app stores. The apps contain an exploit to elevate the malware’s privileges. The February 2016 version targets the native Android “system_server” and the December variant modifies a native system library and loads one of the Trojan’s components. The main purpose of LokiBot is to display unwanted ads. You can remove LokiBot by reinstalling the entire operating system.


  • February 2016: Trojan infects Android system process, gets root privileges. (Softpedia)

  • December 2016: Loki Trojan infects Android libraries and system process to gain root privileges. (Bleeping Computer)

  • March 2017: Loki malware found pre-installed on Android devices. (Check Point)

  • May 2017: A new variant designed to steal credentials from several popular browsers is being spread via a PDF file purportedly sent to the user through Dropbox. (Fortinet)

  • October 2017: LokiBot Turns Into Ransomware When You Try to Remove It. (Bleeping Computer)

  • February 2018: Attack Using Windows Installer msiexec.exe leads to LokiBot. (Trend Micro)

  • June 2019: LokiBot is being distributed in a malspam campaign using attached ISO image file attachments. (SecurityWeek)

  • August 2019: Lokibot malware has been upgraded to obscure its source code within image files, a technique known as steganography, and has been spreading via phishing emails attachments. (ZDNet)

Technical Details

  • Dr. Web provides technical details on the Loki Trojan, here.

Android MalwareNJCCICLoki