Cybersecurity firm Kaspersky Lab has intercepted a new Trojan on Android capable of spreading itself in new forms to steal login credentials. Even if potential victims will be able to keep the program at bay initially, it can mutate itself into a ransomware and grab them by the neck, accusing users of viewing child pornography.

Kaspersky has identified the malicious computer program as LokiBot. It attacks victims through banking apps in two different levels--as a Trojan and as a ransomware, says the company in a blog post published on Thursday, November 2.

LokiBot as Trojan

On the first level as a Trojan, LokiBot will copy the interface of a mobile banking app or any other apps like Skype, WhatsApp and Outlook. Once it gets a foothold on the device's screen, it will trigger a fake notification supposedly coming from the apps it simulates that funds have been transferred to the victim's account. This bogus alert even vibrates the phone, making it seem like a legitimate notification.

This is where it gets tricky: When the victim goes straight to the subject app and put in login details to check the said fund transfer. Chances are, those pieces of information have now been signed over to the servers of the attacker's behind the Trojan.

Once the device gets infected, LokiBot becomes a more powerful program with its new abilities to launch a web browser, navigate to pages and even send spam messages, which is how it primarily multiplies and distributes itself. Granted those new functions, the Trojan can now steal money from its victims.

LokiBot does not end there, however. It can send malicious SMS to all contacts of the infected device to further propagate itself. If the victim tries to remove the program, LokiBot will attempt to ask for the administrator rights so it could pilfer from the bank account. If the device owner denies it, LokiBot will morph into its alter ego--a ransomware.

LokiBot as ransomware

Like what all other ransomware usually does, LokiBot will lock down the infected phone and banner a message accusing the owner of watching child pornography. That is illegal, of course. To bring the device back to its normal state and unlock it, attackers will ask for US$100 in Bitcoin.

How to remove LokiBot

In this case, the best thing the victim can do is just to reboot the device in safe mode. This way, the administrator rights obtained by LokiBot will be removed and the Trojan will eventually be deleted.

Kaspersky suggests to owners with devices running Android 4.4. to 7.1 to press and hold the power button to trigger the necessary menu. Tap and hold Power off or Disconnect power source. The Turn on safe mode menu should pop up, then click OK. Wait for the device to reboot.

According to the company, LokiBot creators have already earned a dishonest buck from this trade to the tune of US$1.5m.

"And with LokiBot available on the black market for a mere $2,000, it is likely that the criminals responsible have repaid their investment many times over," writes the post.