Cyber security
Summary is AI-generated, newsdesk-reviewed
  • Zimperium discovers DroidLock malware, targeting Android users with ransomware-style device takeover tactics.
  • DroidLock exploits phishing websites to bypass Android safeguards, stealing credentials and altering settings.
  • Attackers use WebSocket channels, enabling device wiping, screen streaming, and remote control commands.
Related Links

Zimperium has reported new findings from its zLabs team that reveal DroidLock, an evolving Android malware impacting users in Spain.

Deviating from typical mobile malware, DroidLock functions akin to ransomware, allowing for complete control over devices through methods like screen-locking overlays, credential theft, and remote control operations.

Android Safeguards

Upon installation, the malware automatically gains extra permissions, enabling access to SMS, call logs

Researchers from zLabs discovered that DroidLock disseminates through phishing sites, initiating with a deceptive dropper app designed to circumvent Android's protections and misuse Accessibility Services.

Upon installation, the malware automatically gains additional permissions, enabling access to SMS, call logs, contacts, audio, and more without the user's knowledge.

HTTP and WebSocket Channels

Once established, DroidLock maintains communication with its command-and-control server via HTTP and WebSocket channels. Through these channels, attackers have the capability to execute any of 15 unique commands, such as:

  • Locking the device or altering the PIN/password
  • Resetting the device to factory settings
  • Capturing images through the front camera without detection
  • Muting notifications and limiting user interaction
  • Streaming and remotely controlling the device screen using VNC
  • Deploying full-screen overlays requesting ransom within 24 hours

Dual Overlay Mechanisms

DroidLock retains the ability to wipe the device completely, resulting in a permanent lockout

A significant method involves dual overlay techniques used for stealing lock patterns and app credentials. DroidLock utilizes quick in-memory overlays to record screen unlock patterns, while WebView-based overlays allow attackers to render HTML that harvests credentials from targeted apps.

Additionally, the malware displays a simulated Android system update screen to prevent the victim from shutting down or interrupting the attack process.

Though the ransomware overlay does not encrypt files, DroidLock retains the ability to wipe the device completely, resulting in a permanent lockout for users and ongoing control by the attacker.

Intercept One-Time Passcodes

Vishnu Pratapagiri, a Security Researcher at Zimperium and the author of the report, stated, "For enterprises, a compromised device becomes a hostile endpoint. DroidLock can intercept one-time passcodes, change device credentials, wipe data, and remotely control the user interface."

"Organizations need mobile security that stops these attacks before they disrupt operations or enable account takeover."

Understand how converged physical and cybersecurity systems can scale protection.

Show full press release
Related white papers
Aligning Physical And Cyber Defence For Total Protection

Aligning Physical And Cyber Defence For Total Protection

Download
Combining Security And Networking Technologies For A Unified Solution

Combining Security And Networking Technologies For A Unified Solution

Download
System Design Considerations To Optimize Physical Access Control

System Design Considerations To Optimize Physical Access Control

Download
Related articles
How Physical Security Consultants Ensure Cybersecurity For End Users

How Physical Security Consultants Ensure Cybersecurity For End Users
How Managed Detection And Response Enhances Cybersecurity Management In Organizations

How Managed Detection And Response Enhances Cybersecurity Management In Organizations
Drawbacks Of PenTests And Ethical Hacking For The Security Industry

Drawbacks Of PenTests And Ethical Hacking For The Security Industry