© 2026 CoolTechZone - Latest tech news,
product reviews, and analyses.

Android malware DroidLock hijacks your device for ransom


A new threat campaign targeting Android users in Spain has popped up. According to security researchers, DroidLock locks the screen of Android devices and then threatens to delete the victims’ files if they don’t pay a ransom.

According to cybersecurity firm Zimperium, whose researchers have analyzed the malware, DroidLock is classified as ransomware and is being distributed via phishing websites. It can lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, resulting in a complete takeover of any compromised device.

The infection starts with a “dropper,” disguised as an app from telecom provider Orange that deceives the user into installing a secondary payload that contains the actual malware.

Next, the app requests Device Admin Permission, along with Accessibility Services Permission. With these permissions, the malware has complete control over an Android device.

Once DroidLock is installed and permissions have been granted, it communicates with a command and control (C2) server to send basic information about the device for analysis. Later on, WebSocket communication is used to receive commands from the C2 server and to send data.

Then the nightmare begins. DroidLock is able to erase existing data, lock the phone, and change the user’s PIN, password, or biometric information, preventing users from accessing the device.

According to Zimperium’s security researchers, the malware can also spy on the victim via the microphone and make screen recordings, which are then sent to the attackers. DroidLock can also steal data from the clipboard, as well as text messages. Furthermore, the malware is able to conduct a factory reset, wiping all data from the victim’s device.

By sending a ransomware command from the C2 server, the threat actor can make DroidLock display overlays on top of the screen. This way, the threat actor tries to communicate with the victim, pressuring them to pay a ransom before all files are deleted. But unlike typical ransomware, DroidLock doesn’t encrypt files.

As of writing, DroidLock has only been found in Spain, but that could quickly change. For security reasons, don’t install apps from outside the Google Play Store, and be careful about which permissions you grant to applications.
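The permission advice above can be turned into a quick device triage. The following is an added example, not code from the article or from Zimperium: it flags apps that were not installed by Google Play and hold both an enabled accessibility service and device admin rights, the combination DroidLock requests. It assumes the inputs were collected with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and that the device admin components were copied from the device's settings; all package names in the sample are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` style lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def packages_of(components):
    """Package names from flattened components such as 'pkg/.ClassName'."""
    return {c.split("/", 1)[0] for c in components if c and c != "null"}

def triage(accessibility_setting, admin_components, pm_output):
    """Return sorted (package, level) pairs for apps holding either permission."""
    installers = parse_installers(pm_output)
    a11y = packages_of(accessibility_setting.strip().split(":"))
    admins = packages_of(admin_components)
    findings = []
    for pkg in sorted(a11y | admins):
        if pkg not in installers:
            level = "info"      # not a user-installed app (preinstalled)
        elif installers[pkg] == PLAY_STORE:
            level = "info"      # installed through Google Play
        elif pkg in a11y and pkg in admins:
            level = "high"      # sideloaded and holds both permissions
        else:
            level = "review"    # sideloaded and holds one of the two
        findings.append((pkg, level))
    return findings

# Constructed sample inputs (hypothetical package names).
SAMPLE_A11Y = ("com.example.carrierupdate/.A11yService:"
               "com.example.reader/com.example.reader.TalkService:"
               "com.example.keys/.KeyService")
SAMPLE_ADMINS = ["com.example.carrierupdate/.AdminReceiver",
                 "com.example.mdm/.AdminReceiver"]
SAMPLE_PM = """package:com.example.carrierupdate  installer=null
package:com.example.reader  installer=com.android.vending
package:com.example.mdm  installer=com.android.vending
package:com.example.keys  installer=com.example.otherstore"""

if __name__ == "__main__":
    for pkg, level in triage(SAMPLE_A11Y, SAMPLE_ADMINS, SAMPLE_PM):
        print(f"{level:6} {pkg}")
```

A "high" result is a prompt for manual review of the app, not proof of infection; legitimate tools can hold both permissions.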