Android Ransomware ‘DroidLock’ Locks Devices for Ransom

▼ Summary
– DroidLock is a new Android malware that locks victims’ screens for ransom and can steal data like messages, contacts, and call logs.
– It targets Spanish-speaking users via malicious websites distributing fake apps that impersonate legitimate software packages.
– The malware gains control by tricking users into granting Device Admin and Accessibility permissions, enabling actions like wiping or locking the device.
– It uses a ransom overlay demanding payment via a Proton email address and threatens to destroy files if the ransom is not paid within 24 hours.
– Zimperium, which discovered the malware, advises users to avoid sideloading APKs and to use Google Play Protect, which now blocks this threat.

A newly identified form of Android malware, known as DroidLock, is actively locking users out of their devices and demanding payment to regain access. This sophisticated threat goes beyond simple screen locking; it can also harvest sensitive data including text messages, call logs, contacts, and audio recordings, with the additional capability to completely wipe a device. Security analysts warn that this malware represents a significant risk to mobile users, particularly those in Spanish-speaking regions.
The infection typically begins when a user is tricked into downloading a malicious application from a fraudulent website. These sites often promote fake apps that impersonate legitimate software packages. According to a detailed report from mobile security firm Zimperium, the process involves a dropper application that deceives the user into installing a secondary payload containing the actual malware. Once installed, the malicious app requests critical permissions for Device Admin and Accessibility Services. Granting these permissions essentially hands over full control of the device to the attacker.
With these permissions in place, DroidLock can execute a wide range of harmful commands. Researchers identified 15 specific commands the malware supports. These include sending notifications, placing an overlay on the screen, muting the device, performing a factory reset, activating the camera, and uninstalling applications. Most critically, it can lock the device and change the PIN, password, or biometric settings, effectively barring the legitimate owner from their own phone.
The ransomware functionality is triggered remotely. When the attacker sends the command, an overlay is immediately served via WebView, displaying a ransom note. This note instructs the victim to contact the threat actor at a provided ProtonMail email address. The message includes a threat: if a ransom is not paid within 24 hours, the attacker will permanently destroy all files on the device. It is important to note that DroidLock does not actually encrypt files; instead, it achieves the same coercive goal by threatening deletion while simultaneously being able to lock the user out by changing the device’s access code.
A particularly stealthy feature of this malware is its ability to steal the device’s unlock pattern. It loads a cloned lock screen interface from the malicious APK’s assets. When the unsuspecting user draws their pattern on this fake overlay, the information is sent directly to the attacker. This stolen pattern allows the threat actor to gain remote access to the device through a VNC (Virtual Network Computing) sharing system, often during times when the phone is idle, enabling further surveillance and data theft.
Zimperium, as a member of Google’s App Defense Alliance, has shared its findings on DroidLock with the Android security team. Consequently, Google Play Protect is now able to detect and block this threat on devices that are kept up to date. For general protection, users are strongly advised to avoid sideloading APK files from sources outside the official Google Play Store, unless the publisher is absolutely trustworthy. It is also crucial to scrutinize the permissions an app requests, ensuring they align with the app’s stated function, and to regularly run scans using the built-in Play Protect security feature.
(Source: Bleeping Computer)
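The infection chain above turns on two grants, Device Admin and Accessibility Services, held by a sideloaded app, and the closing advice is to check exactly that. The following triage script is an added example written for this page; it is not code from the article, from Bleeping Computer or from Zimperium. It takes the text output of three standard Android shell commands (`pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, `dumpsys device_policy`, all run through `adb shell`) and lists apps that were not installed by the Play Store yet hold an accessibility service or a device-admin receiver. The embedded sample outputs and the package name `com.fakeupdate.droid` are constructed for the demonstration; the `dumpsys device_policy` layout varies between Android versions, so that part only harvests component-looking tokens rather than relying on a fixed format.

```shell
#!/bin/sh
# Added triage helper (not from the article or the Zimperium report).
# Flags third-party apps not installed by the Play Store that hold an
# Accessibility Service or a Device Admin, the two grants DroidLock abuses.
#
# Real inputs come from:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy
PLAY_STORE='com.android.vending'

# Constructed sample outputs (package names are hypothetical).
SAMPLE_PM='package:com.example.bank  installer=com.android.vending
package:com.fakeupdate.droid  installer=null
package:com.example.game  installer=com.android.vending'
SAMPLE_A11Y='com.fakeupdate.droid/com.fakeupdate.droid.AccService:com.example.bank/com.example.bank.ReaderService'
SAMPLE_DP='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.fakeupdate.droid/com.fakeupdate.droid.AdminReceiver:
      uid=10234
  Enabled components: none'

# stdin: `pm list packages -3 -i` output ("package:<pkg>  installer=<pkg|null>").
# Prints one package per line whose installer is not the Play Store.
not_from_play_store() {
    awk -v store="$PLAY_STORE" '
        /^package:/ {
            sub(/^package:/, "", $1)
            inst = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
            if (inst != store) print $1
        }'
}

# $1: colon-separated "package/class" components (e.g. the accessibility setting).
# stdin: suspect packages, one per line.
# Prints the components whose package is in the suspect list.
risky_components() {
    awk -v comps="$1" '
        NF { suspect[$1] = 1 }
        END {
            n = split(comps, parts, ":")
            for (i = 1; i <= n; i++) {
                split(parts[i], pc, "/")
                if (pc[1] in suspect) print parts[i]
            }
        }'
}

# stdin: `dumpsys device_policy` output.  Harvests every "package/class"
# token (the active admin receivers are among them), one per line, sorted.
admin_components() {
    grep -oE '[A-Za-z0-9_.]+/[A-Za-z0-9_.$]+' | sort -u
}

# $1: pm list text, $2: accessibility setting, $3: device_policy dump text.
triage() {
    sideloaded=$(printf '%s\n' "$1" | not_from_play_store)
    echo "## accessibility services held by non-Play-Store apps"
    printf '%s\n' "$sideloaded" | risky_components "$2"
    echo "## device admins held by non-Play-Store apps"
    admins=$(printf '%s\n' "$3" | admin_components | tr '\n' ':')
    printf '%s\n' "$sideloaded" | risky_components "$admins"
}

# Run against the constructed samples when executed directly.
triage "$SAMPLE_PM" "$SAMPLE_A11Y" "$SAMPLE_DP"
```

On a real device, capture the three outputs with `adb shell` and pass them to `triage`; any component it prints is a sideloaded app that can read the screen, inject input, or wipe and lock the device, and should be justified or removed. A clean result does not prove the device is safe, since a malicious app installed through the Play Store would not be flagged, but it reproduces the manual permission review the article recommends.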