A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted.
Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.”
The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.
Android Malware DroidLock Uses ‘Ransomware-like Overlay’
The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.”
The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim’s image with the front camera, and silence the device.”
The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware.
Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said.
The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:
- Wiping data from the device, “effectively performing a factory reset.”
- Locking the device.
- Changing the PIN, password or biometric information to prevent user access to the device.
Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”
DroidLock Malware Overlays
The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker’s target list.
The Android malware uses two primary overlay methods:
- A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
- A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.
The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said.
The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server.
“This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said.
Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).
