Zimperium has reported new findings from its zLabs team that reveal DroidLock, an evolving Android malware impacting users in Spain.
Deviating from typical mobile malware, DroidLock functions akin to ransomware, allowing for complete control over devices through methods like screen-locking overlays, credential theft, and remote control operations.
Android Safeguards
Researchers from zLabs discovered that DroidLock disseminates through phishing sites, initiating with a deceptive dropper app designed to circumvent Android's protections and misuse Accessibility Services.
Upon installation, the malware automatically gains additional permissions, enabling access to SMS, call logs, contacts, audio, and more without the user's knowledge.
HTTP and WebSocket Channels
Once established, DroidLock maintains communication with its command-and-control server over HTTP and WebSocket channels. Through these channels, attackers can issue any of 15 distinct commands, including:
- Locking the device or altering the PIN/password
- Resetting the device to factory settings
- Capturing images through the front camera without detection
- Muting notifications and limiting user interaction
- Streaming and remotely controlling the device screen using VNC
- Deploying full-screen overlays requesting ransom within 24 hours
Dual Overlay Mechanisms
A significant method involves dual overlay techniques used for stealing lock patterns and app credentials. DroidLock utilizes quick in-memory overlays to record screen unlock patterns, while WebView-based overlays allow attackers to render HTML that harvests credentials from targeted apps.
Additionally, the malware displays a simulated Android system update screen to prevent the victim from shutting down or interrupting the attack process.
Though the ransomware overlay does not encrypt files, DroidLock retains the ability to wipe the device completely, resulting in a permanent lockout for users and ongoing control by the attacker.
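The two capabilities described above, silently granted permissions over SMS, call logs, contacts and audio (via Accessibility Services) and overlay-based credential theft, leave a footprint a defender can audit from device state. The following Python script is an added example, not code from Zimperium's report: it parses the output of two standard adb commands (`settings get secure enabled_accessibility_services` and `dumpsys package`) and flags third-party packages that hold an enabled accessibility service together with the high-risk permissions named in the report. The sample outputs and package names embedded below are constructed placeholders, not DroidLock indicators; treating `SYSTEM_ALERT_WINDOW` as the overlay-risk permission is my assumption, since the report does not name which permission the overlays use.

```python
"""Offline triage of Android device state for DroidLock-style abuse.

Added example (not from the Zimperium report). Reads the text of
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package
and flags packages that combine an enabled accessibility service with
granted permissions the report says DroidLock abuses.
"""
import re
from typing import Dict, FrozenSet, List, Set

# Permissions the report names as abused (SMS, call log, contacts, audio),
# plus SYSTEM_ALERT_WINDOW for overlays (assumption: the report does not say
# which permission the overlays rely on).
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
}

# Constructed sample in the shape of the enabled_accessibility_services setting:
# colon-separated "package/service" component names. Not from a real device.
SAMPLE_ENABLED_SERVICES = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.sysupdate/.a.SvcA"
)

# Constructed sample in the shape of `dumpsys package`, trimmed to the fields
# this script reads. Package names are placeholders, not DroidLock IoCs.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.screenreader] (a1b2c3):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.sysupdate] (d4e5f6):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true
        android.permission.RECEIVE_SMS: granted=true
        android.permission.READ_CALL_LOG: granted=true
        android.permission.READ_CONTACTS: granted=true
        android.permission.RECORD_AUDIO: granted=false
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_enabled_accessibility_services(setting: str) -> Set[str]:
    """Return the package names with at least one enabled accessibility service."""
    packages: Set[str] = set()
    for component in setting.strip().split(":"):
        if "/" in component:                      # "null" or "" yields nothing
            packages.add(component.split("/", 1)[0])
    return packages


def parse_granted_permissions(dumpsys: str) -> Dict[str, Set[str]]:
    """Map each package to the permissions dumpsys reports as granted=true."""
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in dumpsys.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true":
            granted[current].add(perm.group(1))
    return granted


def triage(setting: str, dumpsys: str,
           allowlist: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Flag packages with an enabled accessibility service AND high-risk grants.

    Returns {package: sorted risk labels}; packages on the allowlist (known
    assistive tools) and packages without any high-risk grant are omitted.
    """
    enabled = parse_enabled_accessibility_services(setting)
    granted = parse_granted_permissions(dumpsys)
    findings: Dict[str, List[str]] = {}
    for pkg in enabled - set(allowlist):
        labels = sorted({HIGH_RISK_PERMISSIONS[p]
                         for p in granted.get(pkg, set())
                         if p in HIGH_RISK_PERMISSIONS})
        if labels:
            findings[pkg] = labels
    return findings


if __name__ == "__main__":
    for pkg, labels in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_DUMPSYS).items():
        print(f"SUSPECT {pkg}: accessibility enabled + {', '.join(labels)}")
```

On a real device, pipe the two adb outputs into the parser functions instead of the constructed samples and populate the allowlist with the assistive apps your fleet actually deploys; a package that both holds accessibility access and has SMS plus overlay grants is exactly the combination that lets a dropper intercept one-time passcodes and render credential-harvesting overlays, so it warrants immediate review.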
Intercept One-Time Passcodes
Vishnu Pratapagiri, a Security Researcher at Zimperium and the author of the report, stated, "For enterprises, a compromised device becomes a hostile endpoint. DroidLock can intercept one-time passcodes, change device credentials, wipe data, and remotely control the user interface."
"Organizations need mobile security that stops these attacks before they disrupt operations or enable account takeover."
