Newly identified ransomware can execute total takeover of compromised devices


Droidlock, a newly identified Android malware family that is more accurately classified as ransomware, can lock device screens with a ransom-note overlay and steal app-lock credentials, which then leads to a total takeover of the compromised device.

According to the zLabs research team, part of cybersecurity company Zimperium, this new threat campaign is targeting Android users and spreads via phishing websites.

Researchers say that Droidlock employs deceptive system update screens to trick victims and can stream and remotely control devices via VNC.


The malware also exploits device administrator privileges to lock or erase data, capture the victim's image with the front camera, and silence the device. Overall, it utilizes 15 distinct commands to interact with its C2 (Command & Control server) panel, zLabs analysts say.


The infection, which has so far targeted Android users in Spain, reportedly begins with a dropper that deceives the user into installing a secondary payload containing the actual malware. This way, the malware can bypass Android restrictions to exploit Accessibility services.

On the other hand, a Google spokesperson told Cybernews: “Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services."

Once the victim grants accessibility permission, Droidlock automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio.

Figure: Droidlock auto-approving additional permissions (SMS, call logs, contacts, audio) once accessibility permission is granted. Courtesy of zLabs.

According to zLabs, the malware leverages both WebSocket and HTTP communication. In the first phase, it uses the HTTP connection to send basic information about the device for analytics. In a second phase, it uses WebSocket communication for receiving commands and sending data.

Droidlock is apparently able to display a full-screen overlay using WebView on the victim’s device upon receiving a ransomware command. The overlay urges immediate contact with the threat actor through email, requiring the device ID.

The warning is typical: failure to comply within 24 hours will result in the destruction of all files on the device. Unlike typical ransomware, this variant does not actually encrypt files. However, it does have the capability to wipe the device entirely.

Figure: The Droidlock overlay urging immediate contact with the threat actor through email, requiring the device ID. Courtesy of zLabs.

Moreover, the full-screen warning is highly alarming to the average Android user, who might decide to pay the demanded ransom.

As a fallback, Droidlock can also lock the victim out of the device by changing the PIN, password, or biometric information.

Another feature that the malware presents is the ability to secretly capture and transmit all screen activity to a remote server. It operates as a persistent foreground service, leveraging MediaProjection and VirtualDisplay to capture screen images.

These images are subsequently processed, converted to base64-encoded JPEG format, and dispatched to the server. This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials or MFA codes.
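The capability set described above (accessibility abuse, device-admin lock and wipe, MediaProjection screen capture, front-camera capture, and SMS/call-log/contact/audio access) can be scored heuristically from an app's manifest. The following is an added triage example, not code from Zimperium or zLabs; the permission names are real Android identifiers, the sample manifest is constructed, and the scoring threshold is an assumption.

```python
# Added triage heuristic (not zLabs code): score an AndroidManifest.xml against
# the capability profile the article attributes to Droidlock. Permission names
# are real Android identifiers; the sample manifest below is constructed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# BIND_* permissions are declared on <service>/<receiver> via android:permission,
# not as <uses-permission>, so both attribute kinds are collected below.
CAPABILITIES = {
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device_admin_lock_wipe": {"android.permission.BIND_DEVICE_ADMIN"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "camera_capture": {"android.permission.CAMERA"},
    "personal_data": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                      "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
                      "android.permission.RECORD_AUDIO"},
    "sideload_payload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
CORE = {"accessibility_abuse", "device_admin_lock_wipe", "screen_capture"}

def manifest_permissions(manifest_xml: str) -> set[str]:
    """Requested permissions plus component-bound permission attributes."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        attr = "name" if el.tag == "uses-permission" else "permission"
        if el.get(NS + attr):
            perms.add(el.get(NS + attr))
    return perms

def triage(manifest_xml: str) -> dict:
    """Matched capabilities and a heuristic flag (lock + surveil core present)."""
    perms = manifest_permissions(manifest_xml)
    matched = sorted(c for c, markers in CAPABILITIES.items() if perms & markers)
    return {"matched": matched, "suspicious": CORE <= set(matched)}

# Constructed sample exhibiting the described profile; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-permission android:name="android.permission.CAMERA"/>
 <uses-permission android:name="android.permission.READ_SMS"/>
 <uses-permission android:name="android.permission.READ_CALL_LOG"/>
 <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
 <application>
  <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
 </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Legitimate accessibility or device-management apps will also trip individual markers, so the flag is a prompt for manual review of the APK, not a verdict.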
