In February 2016, the specialists of “Doctor Web” reported on the family malware Android.Loki, which attacks the device running Android. An interesting feature was found several Trojans was that they work together, thereby getting a wide range of functionality.
Now experts have warned about a new version of Android.Loki, which is also embedded in the processes of different applications, including the system, but now it infects libraries of the Android OS.
the Malware got the Android ID.Loki.16.origin, and it still is a multi-component Trojan. Infection occurs in several stages. Android.Loki.16.origin falls on the victim device due to the fact that it is loaded with other malicious programs. Then Trojan starts up, connects to the command and control server and downloads a malicious component Android.Loki.28 and a few exploits to obtain root access. All these files are saved in the working directory of the Trojan. Further, malware alternately performs exploits beyond the successful raising of system privileges runs the Android module.Loki.28.
This module mounts the /system partition on the record, getting the opportunity to make changes to system files. It then extracts itself from additional Android malware components.Loki.26 and Android.Loki.27 and places them in the system directory /system/bin/ and /system/lib/. After malware implements one of the system libraries dependency from the component Android.Loki.27, which binds to the library and starts every time when its uses operating system. In the images below is an example of the changes performed by the malware.
in addition, Android.Loki.27 launches the malicious module Android.Loki.26, the start of which is only of system processes running as root. So the module gets an opportunity imperceptibly to download, install and delete apps. With the help of this module the attacking load on Android devices are not only other malware, but adware or harmless FOR, receiving income from displaying annoying ads or cheat counter installations of certain applications.
Experts of “Doctor Web” warned that the removal of this malware is not an easy task. Attempt to remove the Android module.Loki.27 damage the infected device, since the module modifies the system components. That is, the next time the OS can’t boot normally because you will not find in the modified library dependency corresponding to the Trojan. To restore the system, the device will have to reflash.