New DroidLock Malware Locks Android Devices and Demands a Ransom

A dangerous new malware called DroidLock is targeting Android users, particularly in Spanish-speaking regions, through phishing websites.

This threat combines ransomware tactics with remote-control capabilities, posing a severe risk to users of personal and corporate devices.

Once installed, DroidLock transforms a smartphone into a hostile endpoint that attackers can manipulate at will, making it a significant concern for mobile security.

The malware begins its attack through a two-stage infection process. A dropper application tricks users into installing the actual payload by masquerading as a legitimate app, often mimicking trusted services.

This approach enables DroidLock to bypass Android security restrictions and access critical accessibility services.

Once installed, the malware requests both device administrator and accessibility permissions, which victims often grant without understanding the implications.

Zimperium security researchers identified DroidLock’s sophisticated architecture during their investigation.

Dropper installs the second stage (Source - Zimperium)

The malware uses both HTTP and WebSocket to communicate with its command-and-control server, enabling attackers to send instructions and receive stolen data continuously.

Requesting accessibility services to perform fraud (Source - Zimperium)

This bidirectional communication enables real-time control over compromised devices.

Understanding DroidLock’s Credential-Stealing Mechanism

DroidLock employs two distinct overlay techniques to steal user credentials and unlock patterns.

The first method uses a pattern-drawing interface embedded directly in the malware’s code that appears immediately when users try to unlock their devices or access banking applications.

This overlay captures unlock patterns without alerting users to the theft. The second approach involves HTML-based overlays loaded dynamically from a database on the attacker’s server.

These overlays perfectly mimic legitimate banking apps and login screens, tricking users into entering credentials directly into fake forms.

When users interact with these overlays, all entered information flows directly to the attacker’s infrastructure.

The malware monitors when users open specific applications and matches them against a server-provided list.

If a match occurs, DroidLock immediately deploys the corresponding overlay. This server-driven targeting lets attackers concentrate on high-value applications such as banking and payment apps.

Querying injections (overlay templates) from the database (Source - Zimperium)

Beyond credential theft, DroidLock records screen activity and captures images using the device camera, potentially exposing sensitive information displayed on the screen, including one-time passwords and authentication codes.

DroidLock’s ransom screen threatens to destroy all data within 24 hours and demands payment via the provided contact details.

Ransomware-style overlay and admin contact details (Source - Zimperium)

Unlike traditional file-encrypting ransomware, this malware doesn’t need to encrypt data: using the device administrator privileges it requested at install time, it can simply erase everything with a factory reset command.

This makes prevention and detection critical, as recovery after infection becomes nearly impossible without expert assistance.
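The permission set described above (accessibility service, device administrator, overlays, camera, network) is something an analyst can triage for before a device is ever infected. The following is an added example, not code from the article or from Zimperium: a heuristic that scans a decoded AndroidManifest.xml (e.g. from apktool output) for that combination. The sample manifest and package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Each indicator maps to the DroidLock behaviour the article attributes to it.
PERMISSION_INDICATORS = {
    "android.permission.INTERNET": "HTTP/WebSocket command-and-control channel",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlays on unlock and banking screens",
    "android.permission.CAMERA": "image capture with the device camera",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper installing the second stage",
}
# BIND_* permissions are held by components, not requested via uses-permission.
COMPONENT_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (UI capture/control)",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver (lock device, wipe data)",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Match indicators in a decoded AndroidManifest.xml and flag the hallmark combo."""
    root = ET.fromstring(manifest_xml)
    name_attr, perm_attr = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}permission"
    findings = {}
    for p in root.iter("uses-permission"):
        name = p.get(name_attr)
        if name in PERMISSION_INDICATORS:
            findings[name] = PERMISSION_INDICATORS[name]
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            held = comp.get(perm_attr)
            if held in COMPONENT_INDICATORS:
                findings[held] = COMPONENT_INDICATORS[held]
    # Accessibility plus device admin is the combination the article describes;
    # with overlay/camera/network on top it warrants analyst review.
    hallmark = ("android.permission.BIND_ACCESSIBILITY_SERVICE" in findings
                and "android.permission.BIND_DEVICE_ADMIN" in findings)
    return {"findings": findings, "score": len(findings),
            "droidlock_like": hallmark and len(findings) >= 4}

# Constructed sample manifest (not a real app) exercising the full combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match is only a prioritisation signal for review; legitimate device-management and accessibility apps hold some of these permissions too.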

The post New DroidLock Malware Locks Android Devices and Demands a Ransom appeared first on Cyber Security News.
