Loki Trojan Infects Android Libraries and System Process to Get Root Privileges


Malware authors have released a new version of the Android Loki trojan, which can now infect native Android OS libraries. An earlier version had already gained the ability to infect core operating system processes.

This trojan, named Loki, was first seen in February 2016 and was discovered by Russian antivirus vendor Dr.Web.

The trojan made quite an impact in the infosec community when it was discovered because Loki was one of the first instances where malware had found a way to infect devices and nestle right inside core Android operating system processes.

Loki used mainly for showing unwanted ads

Running inside core OS processes worked to Loki's advantage: it could go undetected longer and carry out operations with the root privileges under which all core OS processes execute.

The trojan could do anything. It could steal all sorts of content from infected devices, kill notifications, intercept communications, or secretly exfiltrate data.

Despite its powers, the crooks behind Loki only used it to download other apps and show unsolicited ads.

New Loki version targets core libraries instead of system processes

Ten months later, Dr.Web security researchers announced today that they’ve come across a new and improved Loki variant, which now targets Android OS core libraries.

The infection process is very different from the original Loki version, meaning that crooks continued to work on their threat and refined the infection process for better results and to avoid blacklisting by security companies.

The similarities are that both trojans rely on witless users installing Android apps from third-party stores. These apps contain Loki and an exploit to elevate the malware’s privileges so it can tamper with core Android OS files.

The difference between the two Loki versions, the February and the December variants, is the files they targeted. The February version targeted the native Android “system_server” process.

The December variant modifies a native system library and adds an extra dependency that loads one of Loki’s three components (libz.so, libcutils.so or liblog.so). Whenever the Android OS needs the tainted library, it also loads the Loki trojan, which starts its malicious activity as root, the standard user under which all core libraries execute.
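
A defender-side check for the tampering described above, as an added example that is not from the original article or from Dr.Web: it reads the DT_NEEDED (dependency) entries of a native library and reports any that a known-good copy of the same file lacks. The function names and the workflow of comparing a library pulled from a device against the copy in the factory image are assumptions of this example.

```python
import pathlib
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
# Per ELF class: e_phoff (offset, format), offset of e_phentsize/e_phnum, program
# header format, indices of (p_offset, p_vaddr, p_filesz), dynamic entry format.
LAYOUT = {1: (28, "<I", 42, "<IIIII", (1, 2, 4), "<iI"),   # ELF32
          2: (32, "<Q", 54, "<IIQQQQ", (2, 3, 5), "<qQ")}  # ELF64

def needed_libs(elf):
    """Return the DT_NEEDED library names of a little-endian ELF image."""
    if elf[:4] != b"\x7fELF" or elf[4] not in LAYOUT or elf[5] != 1:
        raise ValueError("not a little-endian ELF32/ELF64 file")
    ph_at, ph_fmt, sz_at, phdr_fmt, (i_off, i_va, i_sz), dyn_fmt = LAYOUT[elf[4]]
    (phoff,) = struct.unpack_from(ph_fmt, elf, ph_at)
    phentsize, phnum = struct.unpack_from("<HH", elf, sz_at)
    loads, dyn = [], None
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        seg = (ph[i_va], ph[i_off], ph[i_sz])
        if ph[0] == PT_LOAD:
            loads.append(seg)
        elif ph[0] == PT_DYNAMIC:
            dyn = seg
    if dyn is None:
        return []  # statically linked: no dynamic section
    tags, step = [], struct.calcsize(dyn_fmt)
    for pos in range(dyn[1], dyn[1] + dyn[2] - step + 1, step):
        tag, val = struct.unpack_from(dyn_fmt, elf, pos)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
    # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
    va_str = next((v for t, v in tags if t == DT_STRTAB), -1)
    strtab = next((o + va_str - va for va, o, sz in loads if va <= va_str < va + sz), None)
    if strtab is None:
        raise ValueError("DT_STRTAB missing or outside every PT_LOAD segment")
    return [elf[strtab + v:elf.index(b"\0", strtab + v)].decode(errors="replace")
            for t, v in tags if t == DT_NEEDED]

def added_deps(suspect, reference):
    """DT_NEEDED names in `suspect` that the known-good `reference` copy lacks."""
    known = set(needed_libs(reference))
    return [name for name in needed_libs(suspect) if name not in known]

if __name__ == "__main__":  # assumed usage: script.py <device copy> <factory-image copy>
    suspect, reference = (pathlib.Path(p).read_bytes() for p in sys.argv[1:3])
    print(added_deps(suspect, reference) or "no added dependencies")
```

An empty result only means the dependency list is unchanged; it says nothing about other modifications to the file, so a hash comparison against the factory image remains the stronger check.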


Fortunately, just like in February, this malware is currently used to show annoying ads only. If Loki were used as part of banking trojans, ransomware, or cyber-surveillance toolkits, this malware would be a force to be reckoned with. Because Loki entangles itself deep in the Android OS files, the only way to remove the trojan is to reinstall (reflash) the entire operating system.