Malware Lokibot

1. Introduction

The Android malware LokiBot – not to be confused with the Windows trojan of the same name – has lots of mean-spirited features. One of these features is to reset the device PIN to a new value. The value is "hard coded". A friend of yours got infected. Help him find out what his PIN was set to.

2. Analysis

First I’ll open the lokibot.apk file with jadx-gui.

The code structure and the code itself seem to be obfuscated and very confusing. Two classes caught my attention:

  1. Scrynlock = Screenlock ???
  2. resetPassword

Let’s have a look at that code:

package fsdfsdf.gsdsfsf.gjhghjg.lbljhkjblkjblkjblkj;

public class e {
    // String decoder: walks the input from the last character to the first and
    // XORs each character with one of two fixed keys (20 and 'p', i.e. 0x70),
    // switching the key with every step.
    public static String fsafsdfsfsdfsfsdfsd(String str) {
        int length = str.length();
        char[] cArr = new char[length];
        int i = length - 1;
        int i2 = i;
        while (i >= 0) {
            int i3 = i2 - 1;
            // the last character (and every second one before it) is XORed with 20
            cArr[i2] = (char) (str.charAt(i2) ^ 20);
            if (i3 < 0) {
                break;
            }
            i = i3 - 1;
            // the character in between is XORed with 'p' (0x70)
            cArr[i3] = (char) (str.charAt(i3) ^ 'p');
            i2 = i;
        }
        return new String(cArr);
    }
}

If we follow the resetPassword routine we get this nice little piece of code here:

I’ve no plan what the code does at the moment. I put that code in an online Java compiler and appended the following main method inside class e:

    public static void main(String[] args) {
        // decode the hard-coded literal that resetPassword hands to the decoder
        System.out.println(fsafsdfsfsdfsfsdfsd("d\"d\"d\"d\"d\"d\""));
    }

Let’s run the code and see what we get:

Huh, the output looks like the mark of the beast! I’m slightly unsure whether this is the correct solution, but it fits the character of a devilish malware! 😀
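For anyone who wants to reproduce the result without a Java compiler, or decode every other literal in the APK in one go, here is a stand-alone Python port of the decoder above. This is an added example written for this write-up, not code from the malware or from jadx; the function names, the `printable` helper and the `decode_all` wrapper are my own, and the only input it embeds is the literal from the resetPassword call. It also generalises the Java loop to odd-length strings, where the parity of the keys flips because the walk starts from the last index.

```python
"""Python reimplementation of e.fsafsdfsfsdfsfsdfsd() from the LokiBot APK (added example)."""

KEY_TAIL = 20          # XOR key for the last character and every second one before it
KEY_OTHER = ord("p")   # XOR key (0x70) for the characters in between


def decode(s: str) -> str:
    """Port of the Java loop.

    The Java code starts at index length-1 with key 20 and swaps the key on every
    step, so which parity gets which key depends on the string length. Measuring
    the distance from the last index reproduces that exactly.
    """
    out = []
    for idx, ch in enumerate(s):
        distance_from_end = len(s) - 1 - idx
        key = KEY_TAIL if distance_from_end % 2 == 0 else KEY_OTHER
        out.append(chr(ord(ch) ^ key))
    return "".join(out)


def encode(s: str) -> str:
    """XOR with a fixed key is its own inverse, so the decoder doubles as the encoder."""
    return decode(s)


def printable(s: str) -> str:
    """Drop control characters so the decoded value is readable in a terminal."""
    return "".join(ch for ch in s if ch.isprintable())


def decode_all(strings):
    """Decode a batch of candidate literals, e.g. everything pulled from the decompiled APK."""
    return {s: decode(s) for s in strings}


# Constructed sample: the literal passed to the decoder in the resetPassword routine.
SAMPLE = 'd"d"d"d"d"d"'

if __name__ == "__main__":
    decoded = decode(SAMPLE)
    print(repr(decoded))       # shows the control characters hidden between the digits
    print(printable(decoded))  # the part you actually see on screen
```

Note that every 'd' becomes chr(20) (a non-printing DC4 control character), so what Java prints to the console is only the visible digits; `repr()` makes the hidden bytes obvious, which matters when you compare the decoded value against what the malware actually writes into the lock screen.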