LokiBot is a banking trojan that turns into ransomware and locks users' phones when they try to remove its admin privileges. LokiBot is currently under active development, with developers adding a bundle of features over the years.
LokiBot works on Android 4.0 and higher and requires administrator privileges, which it asks during installation. If the user tries to remove its administrator privileges, LokiBot will trigger its ransomware behavior.
The ransomware routine is not implemented correctly and fails to encrypt users' files. According to SfyLabs, LokiBot's "Go_Crypt" ransomware function is supposed to lock the user's screen and encrypt files with an AES128 algorithm. Regardless of the file encryption routine, the phone's screen will get locked anyway with a ransom note asking between $70 and $100.