New DroidLock malware locks Android devices and demands a ransom

Khushal

Apr 4, 2024
Total Takeover: DroidLock Hijacks Your Device

The zLabs research team has identified a new threat campaign targeting Spanish Android users. DroidLock, a malware more accurately classified as ransomware, propagates via phishing websites. It has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.

Interesting (and worrying) campaign, especially because of the total takeover angle on Android.

Key points from DroidLock as described:
  • Targets mainly Spanish Android users via phishing websites – likely fake pages luring users into installing a malicious APK outside Google Play.
  • Acts more like mobile ransomware:
    • Displays a full-screen blocking overlay that prevents normal usage.
    • Attempts to force the user into paying or following attacker instructions.
  • Goes after app lock credentials (for example, PINs or patterns used to protect specific apps), which can allow:
    • Access to messaging, banking, email apps, etc.
    • Complete control over sensitive communications and accounts.
  • Because it combines screen-locking + credential theft, it can effectively achieve full device takeover.

Why this is dangerous
  • It’s not “just” a locker – credential harvesting means the attacker could:
    • Bypass app-level protection on banking or financial apps.
    • Read 2FA codes, emails, messages, etc.
    • Perform account takeovers beyond the device itself.
  • If it abuses Accessibility or Device Admin privileges (common for this kind of malware), removal can be difficult without safe mode, ADB, or a full reset.

How to reduce the risk (for Android users in general, not just Spain)
  • Avoid sideloading: Don’t install APKs from links in SMS, WhatsApp, email, or random web pop-ups. Stick to Google Play (even though it’s not perfect).
  • Check permissions carefully: Be very suspicious of apps asking for:
    • Accessibility Service
    • Device Admin / Device Owner
    • Overlay (“draw over other apps”) permissions
  • Use a reputable mobile security app: A good Android security suite can help block known ransomware families and phishing sites.
  • Keep Android and apps up to date: Security patches reduce what malware can exploit after initial compromise.
  • Back up important data: Regular backups (cloud or offline) are essential so you’re not at the mercy of a locker/ransomware.

If someone is already infected (high-level advice):
  • Disconnect from the network (Wi-Fi/mobile data) to limit further communication with C2.
  • Try Safe Mode and remove suspicious apps (especially those installed just before the issue started).
  • If removal fails or Device Admin is abused and can’t be revoked, a factory reset may be necessary.
  • After cleanup, change passwords for important accounts (email, banking, social media) from a clean device.

The Zimperium write-up will likely have more technical details (permissions, distribution chains, maybe indicators). For anyone directly affected or needing deeper help, posting logs in the Malware Removal Assistance section on MalwareTips or contacting your device vendor’s support would be a good next step.
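A practical way to act on the "check permissions carefully" and "remove suspicious apps" advice above is to enumerate, from a PC over ADB, which third-party packages hold the three capabilities the post names (Accessibility, Device Admin, overlay). The script below is an added example written for this thread; it is not code from the post or from the zLabs write-up. It parses the output of the real `adb shell` commands `pm list packages -3`, `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `appops get <pkg> SYSTEM_ALERT_WINDOW`. The embedded sample outputs are constructed to mimic those commands (the `dumpsys` layout varies somewhat between Android versions) and the package names in them are made up. It assumes USB debugging was already enabled on the device; a locker overlay can prevent you from enabling it afterwards, which is why safe mode or a reset is often the fallback.

```python
"""Triage an Android device for the privilege abuses DroidLock-style lockers rely on.

Added example for this thread, not from the original post or the zLabs write-up.
Sample command outputs below are constructed; package names are made up.
"""
import re
import shutil
import subprocess

# Constructed sample of `adb shell pm list packages -3` (third-party packages only)
SAMPLE_PACKAGES = """package:com.example.notes
package:com.example.flashlight
package:com.example.update
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/ServiceClass entries; "null" when nothing is enabled)
SAMPLE_A11Y = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.example.update/com.example.update.A11yService")

# Constructed excerpt of `adb shell dumpsys device_policy`; layout is approximate
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.update/com.example.update.AdminReceiver:
      uses-policies: force-lock, wipe-data
"""

# Constructed samples of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, per package
SAMPLE_APPOPS = {
    "com.example.notes": "No operations.\n",
    "com.example.flashlight": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m4s991ms ago\n",
    "com.example.update": "SYSTEM_ALERT_WINDOW: allow; time=+13m21s4ms ago\n",
}


def third_party_packages(pm_output):
    """Package names from `pm list packages -3` output ("package:<name>" per line)."""
    return [line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def accessibility_packages(settings_output):
    """Packages owning an enabled accessibility service."""
    value = settings_output.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def device_admin_packages(dumpsys_output):
    """Packages with an active admin receiver: indented "pkg/Receiver:" lines in dumpsys."""
    return set(re.findall(r"^\s+([a-zA-Z0-9_.]+)/[\w.$]+:?\s*$", dumpsys_output, re.M))


def overlay_allowed(appops_output):
    """True if the SYSTEM_ALERT_WINDOW ("draw over other apps") op is allowed."""
    return bool(re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output))


def triage(pm_output, settings_output, dumpsys_output, appops_by_pkg):
    """Map each third-party package to the risky capabilities it holds."""
    a11y = accessibility_packages(settings_output)
    admins = device_admin_packages(dumpsys_output)
    findings = {}
    for pkg in third_party_packages(pm_output):
        flags = []
        if pkg in a11y:
            flags.append("accessibility")
        if pkg in admins:
            flags.append("device-admin")
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            flags.append("overlay")
        if flags:
            findings[pkg] = flags
    return findings


def high_risk(findings, threshold=2):
    """Packages combining two or more capabilities: the locker-plus-persistence profile."""
    return sorted(pkg for pkg, flags in findings.items() if len(flags) >= threshold)


def adb(*args):
    """Run one `adb shell` command; needs adb on PATH and a connected, debuggable device."""
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True).stdout


def collect_live():
    pm = adb("pm", "list", "packages", "-3")
    return (pm,
            adb("settings", "get", "secure", "enabled_accessibility_services"),
            adb("dumpsys", "device_policy"),
            {p: adb("appops", "get", p, "SYSTEM_ALERT_WINDOW")
             for p in third_party_packages(pm)})


if __name__ == "__main__":
    inputs = (SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_DEVICE_POLICY, SAMPLE_APPOPS)
    if shutil.which("adb"):
        try:
            inputs = collect_live()
        except subprocess.CalledProcessError:
            print("adb present but no device answered; using constructed samples")
    result = triage(*inputs)
    for pkg, flags in sorted(result.items()):
        print(f"{pkg}: {', '.join(flags)}")
    for pkg in high_risk(result):
        print(f"HIGH RISK {pkg}: consider `adb shell pm uninstall --user 0 {pkg}`")
```

On the constructed samples only `com.example.update` is high risk (Accessibility plus Device Admin plus overlay); the flashlight app holding only the overlay permission is reported but not escalated, since plenty of benign apps draw over other apps. Note that `pm uninstall --user 0` fails while a package is still an active device admin, so revoke that first (Settings, or in safe mode, where third-party apps do not run), and that `appops set <pkg> SYSTEM_ALERT_WINDOW deny` will pull down a locker's overlay even before you manage to uninstall it.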