A new mobile threat is allowing remote attackers to hijack Android devices, turning phones into surveillance tools and locking users out of their own data.
Cybersecurity researchers at the mobile security firm Zimperium’s zLabs discovered the campaign, dubbed DroidLock, which is currently targeting Spanish users through fake and malicious phishing sites.
Vishnu Pratapagiri, Zimperium’s security researcher and report author, noted that the malware acts much like ransomware (software that locks your device and demands payment) and is designed to perform a “total takeover” of a victim’s device.
Once someone is tricked into installing it, DroidLock uses fake system update screens and other deceptive techniques to display a full-screen warning that pressures the victim to contact the attackers.
How the Hijacking Works
According to Zimperium’s research, shared with Hackread.com, this malicious program is highly organised, using 15 different commands to communicate with its command-and-control (C2) server. Notably, DroidLock does not actually encrypt files like typical ransomware, but it can still do major damage.
Furthermore, it abuses Android’s Device Administrator permission to gain the ability to perform various fraudulent activities, such as to “wipe the device entirely” or to change your PIN or password, locking you out permanently, according to Zimperium’s blog post.
One of the most concerning features is how it steals sensitive information. Researchers found that DroidLock uses dual overlay techniques (fake screens appearing over real apps) to illegally gather important details like screen unlock patterns and app credentials. It can also stream your screen and remotely control your device via VNC (Virtual Network Computing).
Another key feature is its ability to secretly capture and transmit all screen activity to a remote server, operating constantly in the background. This highly dangerous functionality allows attackers to steal any sensitive information shown on the device’s display, including login details or multi-factor authentication (MFA) codes. It can even capture the victim’s image with the front camera.
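For defenders triaging a suspicious APK, the Device Administrator abuse described above leaves a visible trace in the app's declared files. The following is an added example, not code from Zimperium or from the malware: it assumes the APK has already been decoded to plain XML (for instance with apktool), and the sample manifest, package name and policy file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Device-admin policies matching the capabilities the article describes.
RISKY = {
    "wipe-data": "can factory-reset the device",
    "reset-password": "can change the PIN or password",
    "force-lock": "can lock the screen on demand",
}

# Constructed samples, shaped like apktool-decoded files (not from DroidLock).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
    </receiver>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""
SAMPLE_POLICY = """<device-admin><uses-policies>
  <limit-password/><force-lock/><wipe-data/><reset-password/>
</uses-policies></device-admin>"""

def admin_receivers(manifest_xml):
    """Return (receiver, policy resource) for each device-admin receiver."""
    found = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        if rcv.get(ANDROID + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        for meta in rcv.iter("meta-data"):
            if meta.get(ANDROID + "name") == "android.app.device_admin":
                found.append((rcv.get(ANDROID + "name"),
                              meta.get(ANDROID + "resource")))
    return found

def risky_policies(policy_xml):
    """Return {policy: impact} for high-impact policies the app requests."""
    policies = ET.fromstring(policy_xml).find("uses-policies")
    if policies is None:          # admin receiver that declares no policies
        return {}
    return {p.tag: RISKY[p.tag] for p in policies if p.tag in RISKY}

if __name__ == "__main__":
    for name, resource in admin_receivers(SAMPLE_MANIFEST):
        print(f"{name} requests device admin via {resource}")
        for policy, impact in risky_policies(SAMPLE_POLICY).items():
            print(f"  {policy}: {impact}")
```

An app presented as a system update that asks for all three of these policies warrants closer inspection before it is allowed on a managed device.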

Corporate Data Could Be at Risk
This threat is particularly worrying because mobile devices are usually the least protected way employees access company information. A simple click on a deceptive link can lead to a “full device compromise,” which impacts both personal users and company data on work phones.
Research also revealed that DroidLock can remotely control every part of the phone. Zimperium researchers emphasise the need for better mobile protection, as a compromised phone becomes a “hostile endpoint” inside a corporate network.
