Zimperium, the pioneer in mobile security, today announced new research from its zLabs team uncovering DroidLock, a rapidly evolving Android malware campaign targeting users in Spain.
Unlike traditional mobile malware, DroidLock behaves more like full-scale ransomware, enabling complete device takeover through screen-locking overlays, credential theft, and remote control capabilities.
Android safeguards
zLabs researchers found that DroidLock is distributed through phishing websites and begins with a deceptive dropper app designed to bypass Android safeguards and abuse Accessibility Services.
Once installed, the malware automatically approves additional permissions, granting access to SMS, call logs, contacts, audio, and more, without the victim’s awareness.
HTTP and WebSocket channels
After establishing persistence, DroidLock communicates with its command-and-control server using both HTTP and WebSocket channels. Through these channels, attackers can issue any of 15 distinct commands, enabling them to:
- Lock the device or change the PIN/password
- Wipe the device through a factory reset
- Silently capture the victim’s image using the front camera
- Mute notifications and restrict user interaction
- Stream the device’s screen and remotely control it via VNC
- Display ransomware-style full-screen overlays demanding payment within 24 hours
Dual overlay mechanisms
A notable tactic includes dual overlay mechanisms used to steal lock-patterns and app credentials. DroidLock deploys fast in-memory overlays to capture screen unlock patterns, while WebView-based overlays render attacker-controlled HTML to harvest credentials from targeted apps. The malware also displays a convincing fake Android system-update screen to keep victims from powering off or interrupting the attack.
Although the ransomware-style overlay does not encrypt files, DroidLock can keep the device locked indefinitely or wipe it entirely, shutting the user out permanently while the attacker retains control.
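The two building blocks described above, an enabled accessibility service from an unvetted package (the dropper) and the overlay plus SMS, call-log, camera and audio permissions that the overlays and remote commands rely on, are all visible in a device's configuration and can be audited by a defender. The script below is an added example and is not Zimperium's code or part of the zLabs analysis. It parses constructed samples that mimic the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries) and the "requested permissions" / "runtime permissions" sections of `adb shell dumpsys package <pkg>`; the dumpsys layout varies across Android versions, so the parser and the package name `com.example.fakeupdate` are assumptions, and the allowlist stands in for whatever vetted services an organisation maintains.

```python
"""Audit enabled accessibility services and the permissions held by their
packages for the DroidLock-style capability cluster (accessibility abuse,
overlay drawing, SMS/call-log/contacts/camera/audio access).

Added example, not Zimperium's code. All inputs are constructed samples; the
adb/dumpsys formats they imitate are an assumption to adapt per Android version.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of the enabled_accessibility_services setting: one vetted
# screen reader and one unrelated package with a helper service enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.HelperService"
)

# Constructed excerpts of `dumpsys package <pkg>`, keyed by package name.
SAMPLE_PACKAGE_DUMPS = {
    "com.example.fakeupdate": """
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
    """,
    "com.google.android.marvin.talkback": """
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
    runtime permissions:
    """,
}

# Assumption: the defender maintains this allowlist of vetted accessibility
# service packages; TalkBack is used here only as the example entry.
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Permissions that, alongside an accessibility service, give an app the reach
# the analysis describes: one-time passcodes via SMS, call logs, contacts,
# the front camera and the microphone.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}
# Needed to draw lock-screen or credential overlays on top of other apps.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

_REQ_RE = re.compile(r"^\s*(android\.permission\.\w+)\s*$", re.M)
_GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)", re.M)


def parse_enabled_services(setting: str) -> dict[str, list[str]]:
    """Map package -> enabled service class names from the colon-separated setting."""
    out: dict[str, list[str]] = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, svc = entry.partition("/")
        out.setdefault(pkg, []).append(svc)
    return out


def parse_permissions(dump: str) -> tuple[set[str], set[str]]:
    """Return (requested, granted_runtime) permission sets from a dumpsys excerpt."""
    requested = set(_REQ_RE.findall(dump))
    granted = {perm for perm, state in _GRANT_RE.findall(dump) if state == "true"}
    return requested, granted


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)
    score: int = 0


def audit(enabled_services: str, package_dumps: dict[str, str],
          allowlist: set[str]) -> list[Finding]:
    """Flag packages running a non-allowlisted accessibility service, weighted
    by the overlay and sensitive-data permissions the same package holds."""
    findings: list[Finding] = []
    for pkg, services in parse_enabled_services(enabled_services).items():
        if pkg in allowlist:
            continue
        finding = Finding(pkg, [f"accessibility service enabled: {', '.join(services)}"], 3)
        requested, granted = parse_permissions(package_dumps.get(pkg, ""))
        if OVERLAY in requested:
            finding.reasons.append("can draw overlays (SYSTEM_ALERT_WINDOW)")
            finding.score += 2
        for perm in sorted(SENSITIVE & granted):
            finding.reasons.append(f"granted {perm.rsplit('.', 1)[1]}")
            finding.score += 1
        findings.append(finding)
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in audit(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGE_DUMPS, ALLOWLIST):
        print(f"{f.package}  score={f.score}")
        for reason in f.reasons:
            print(f"  - {reason}")
```

In the constructed sample only `com.example.fakeupdate` is reported: it runs an unvetted accessibility service, requests the overlay permission and has been granted SMS, call-log, camera and audio access, which is exactly the combination a mobile EDR or MDM compliance rule should treat as a hostile endpoint rather than an ordinary permission-hungry app.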
Intercept one-time passcodes
“For enterprises, a compromised device becomes a hostile endpoint,” said Vishnu Pratapagiri, Security Researcher at Zimperium and author of the analysis.
“DroidLock can intercept one-time passcodes, change device credentials, wipe data, and remotely control the user interface. Organizations need mobile security that stops these attacks before they disrupt operations or enable account takeover.”