Researchers have analyzed a new threat campaign actively targeting Android users. The malware, named DroidLock, takes over a device and then holds it for ransom. The campaign to date has primarily targeted Spanish-speaking users, but researchers warn it could spread.
DroidLock is delivered via phishing sites that trick users into installing a malicious app pretending to be, for example, a telecom provider or other familiar brand. The app is really a dropper that installs malware able to take complete control of the device by abusing Device Admin and Accessibility Services permissions.
Once the victim grants accessibility permission…
Researchers have analyzed a new threat campaign actively targeting Android users. The malware, named DroidLock, takes over a device and then holds it for ransom. The campaign to date has primarily targeted Spanish-speaking users, but researchers warn it could spread.
DroidLock is delivered via phishing sites that trick users into installing a malicious app pretending to be, for example, a telecom provider or other familiar brand. The app is really a dropper that installs malware able to take complete control of the device by abusing Device Admin and Accessibility Services permissions.
Once the victim grants accessibility permission, the malware starts approving additional permissions on its own. This can include access to SMS, call logs, contacts, and audio, which gives attackers more leverage in a ransom demand.
DroidLock also leverages Accessibility Services to create overlays on other apps. The overlays can capture device unlock patterns (giving the attacker full access) and also show a fake Android update screen, instructing victims not to power off or restart their devices.
DroidLock uses Virtual Network Computing (VNC) for remote access and control. With this, attackers can control the device in real time, including starting camera, muting sound, manipulating notifications, and uninstalling apps, and use overlays to capture lock patterns and app credentials. They can also deny access to the device by changing the PIN.
The researchers warn that:
“Once installed, DroidLock can wipe devices, change PINs, intercept OTPs (One-Time Passwords), and remotely control the user interface”
Unlike regular ransomware, DroidLock doesn’t encrypt files. But by blocking access and threatening to destroy everything unless a ransom is paid, it reaches the same outcome.
Image courtesy of Zimperium
Urgent Last chance Time remaining {starts at 24 hours} After this all files wil be deleted forever! Your files will be permanently destroyed! Contact us immediately at this email or lose everything forever: {email address} Include your device ID {ID} Payment required within 24 hours No police, no recovery tools, no tricks Every second counts!
How to stay safe
If this campaign turns out to be successful in Spain, we’ll undoubtedly see it emerge in other countries as well. So here are a few pointers to stay safe:
- Only install apps from official app stores and avoid installing apps promoted in links in SMS, email, or messaging apps.
- Before installing apps, verify the developer name, number of downloads, and user reviews rather than trusting a single promotional link.
- **Protect your devices. **Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
- **Scrutinize permissions. **Does an app really need the permissions it’s requesting to do the job you want it to do? Especially if it asks for accessibility, SMS, or camera access.
- Keep Android, Google Play services, and all important apps up to date to get the latest security fixes.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
About the author
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.