Android malware DroidLock locks victims' devices.

✨ Megiddo

Experts from Zimperium have discovered a new Android malware called DroidLock. The malware locks the victim's device screen and demands a ransom to unlock it. It also gains full control of the device via VNC and accesses SMS messages, call logs, and contacts. It can also record audio and even erase data.

According to the researchers, DroidLock targets Spanish-speaking users and is distributed through malicious websites disguised as legitimate apps. Infection begins with a dropper app, which tricks the victim into installing the main payload, which then requests Device Admin and Accessibility Services permissions. With these permissions, the malware can do anything it wants: lock the device, change the PIN, password, or biometrics, preventing the owner from accessing their device.

DroidLock supports 15 different commands, including sending notifications, adding a screen overlay, muting, resetting the device to factory settings, launching the camera, and uninstalling apps.

Experts report that the ransomware window launches via a WebView overlay immediately after receiving a corresponding signal from the command and control server. The victim is instructed to contact the malware operators via a Proton Mail address. If payment is not made within 24 hours, the attackers threaten to destroy files on the device.

Experts clarify that DroidLock does not encrypt data—it simply threatens to delete it unless the ransom is paid. Furthermore, the attackers can block access to the device by changing the unlock code.

It is also noted that DroidLock is even capable of stealing the pattern lock (using another overlay loaded from the malicious APK). When the user draws a pattern in the cloned interface, all data is immediately transmitted to the attackers. This malicious functionality is used to remotely access the device via VNC when the owner is not using it.

Researchers have already shared all data on the new threat with Android Security specialists, so Play Protect is now able to detect and block DroidLock on updated devices.

The specialists remind people not to install APKs from third-party sources unless they are trusted. It's also important to carefully check the permissions the app requests and whether they correspond to its functionality.
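The permission check recommended above can be run against an APK's AndroidManifest.xml once it has been decoded to text (for example with apktool). This is an added example, not part of the original post or the Zimperium report; the sample manifests and package names are constructed, and the mapping from the capabilities listed in the post to Android permission names is an assumption.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
# Binding permissions that mark a component as a Device Admin receiver
# or an Accessibility service (the two grants the post says DroidLock requests).
BINDINGS = {
    ("receiver", "android.permission.BIND_DEVICE_ADMIN"): "device_admin",
    ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"): "accessibility",
}
# Assumed mapping of capabilities named in the post to runtime permissions.
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
}

def audit_manifest(xml_text):
    """Return the privileged components and sensitive permissions a manifest declares."""
    root = ET.fromstring(xml_text)
    names = (u.get(A + "name") for u in root.iter("uses-permission"))
    perms = sorted(SENSITIVE[n] for n in names if n in SENSITIVE)
    comps = sorted(
        (label, c.get(A + "name"))
        for (tag, perm), label in BINDINGS.items()
        for c in root.iter(tag)
        if c.get(A + "permission") == perm
    )
    # Device Admin plus Accessibility in one app is the combination to question.
    high_risk = {kind for kind, _ in comps} == set(BINDINGS.values())
    return {"package": root.get("package"), "components": comps,
            "permissions": perms, "high_risk": high_risk}

# Constructed sample manifests (not taken from any real app).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SUSPICIOUS = f"""<manifest {NS} package="com.example.constructed.player">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".AdminRx" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11ySvc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
BENIGN = f"""<manifest {NS} package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncSvc"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(audit_manifest(sample))
```

A `high_risk` result is a prompt to ask whether the app's stated purpose justifies both grants, not a verdict: legitimate device-management and assistive apps declare the same components.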