My library

+ Add to library



Added to the Dr.Web virus database: 2016-02-05

Virus description added:

SHA1: 4d1d840eedfb9bcfc481457f64dc5ac8644cca00

It is a Trojan for Android designed to install applications upon cybercriminals’ command and display advertisements. Android.Loki.1.origin helps it elevate its privileges if necessary.

Once launched, it collects and sends the following information:

  • IMEI identifier
  • IMSI identifier
  • MAC address
  • MCC (Mobile Country Code) identifier
  • MNC (Mobile Network Code) identifier
  • Version of the operating system
  • Screen resolution
  • Information about installed and available RAM of the device
  • Version of the operating system kernel
  • Device model
  • Device manufacturer
  • Version of the firmware
  • Serial number of the device

In return, the Trojan receives a configuration file containing such necessary information as servers addresses, which the malicious application establishes connection to, frequency of connections, and so on.

The configuration file is binary and stored in the application folder.

In specific time periods, Android.Loki.2.origin connects to the server in order to accept instructions and send the following information:

  • Version of the configuration file
  • Version of the service provided by Android.Loki.1.origin
  • Current system language
  • Country
  • Information about Google account created by the user

Android.Loki.2.origin, in turn, receives a command either to install some application, which can be also downloaded from Google Play, or to display advertisements. The user can be redirected to some website or prompted to install some software if they tap the Trojan’s notifications. Downloaded programs are installed on the device with the help of Android.Loki.1.origin.

Android.Loki.2.origin sends the following information to the command and control server:

  • List of installed applications
  • Browser history
  • List of contacts
  • Call history
  • Current location

The malicious application has the com.loki.sdk.ClientService class that helps use the Android.Loki.1.origin capabilities. A service with the same name needs to be announced in the application manifest file:

<service android:enabled=»true» android:exported="true" android:
name="com.loki.sdk.ClientService" />

Every 3 seconds, Android.Loki.1.origin checks all applications on the device. Once the Trojan finds that this service is mentioned in a manifest file belonging to one of these programs, it connects to the service using the bindService method of the Context class.

News about the Trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Doctor Web tworzy oprogramowanie antywirusowe od 1992 roku
Dr.Web cieszy się zaufaniem użytkowników na całym świecie, w ponad 200 krajach
Firma dostarcza program antywirusowy jako usługę od 2007 roku
Wsparcie techniczne 24/7

© Doctor Web
2003 — 2022

Doctor Web to rosyjski producent oprogramowania antywirusowego Dr.Web. Rozwijamy nasze produkty od 1992 roku.