Zimperium's zLabs team has discovered an evolving Android malware campaign named DroidLock, which is currently targeting users in Spain.
This malware distinguishes itself by exhibiting features more commonly associated with full-scale ransomware, such as the ability to take complete control of a device. This includes capabilities like screen-locking overlays, credential theft, and remote control.
Android safeguards
The deployment of DroidLock begins with phishing websites that distribute a dropper app. This malicious app is crafted to bypass Android’s built-in security measures and exploit Accessibility Services.
Once the malware is installed, it stealthily obtains additional permissions, granting itself access to SMS, call logs, contact lists, audio recordings, and more, all without the user's knowledge.
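The combination described above (an enabled accessibility service plus a self-granted cluster of SMS, call-log, contact, audio and camera permissions on a sideloaded app) is a useful triage signal for defenders. The script below is an added example, not code from Zimperium or the article; it scores a constructed, simplified app inventory rather than real `adb` output, and the package names and threshold are assumptions.

```python
"""Triage heuristic for the DroidLock pattern: flag apps that combine an enabled
accessibility service with a cluster of high-risk permissions. Input is a
constructed inventory, not real device output (added example, not the article's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Permission families the article names as self-granted after install
HIGH_RISK = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}

@dataclass
class AppInfo:
    package: str
    installer: Optional[str]            # None = sideloaded (no store installer)
    accessibility_enabled: bool
    granted: Set[str] = field(default_factory=set)

def risk_score(app: AppInfo) -> Tuple[int, List[str]]:
    """Return (score, reasons); higher means more DroidLock-like."""
    score, reasons = 0, []
    if app.accessibility_enabled:
        score += 3; reasons.append("accessibility service enabled")
    if app.installer is None:
        score += 2; reasons.append("sideloaded (no installer package)")
    risky = sorted(app.granted & HIGH_RISK)
    score += len(risky)                  # one point per high-risk permission
    if risky:
        reasons.append("high-risk permissions: " + ", ".join(p.rsplit(".", 1)[1] for p in risky))
    if app.accessibility_enabled and len(risky) >= 3:
        score += 3; reasons.append("accessibility + multiple high-risk permissions")
    return score, reasons

def triage(apps: List[AppInfo], threshold: int = 6) -> List[Tuple[str, int, List[str]]]:
    """Return apps at or above threshold, highest score first."""
    hits = [(a.package, *risk_score(a)) for a in apps]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

# Constructed sample inventory (hypothetical package names)
SAMPLE = [
    AppInfo("com.example.sysupdate", None, True,
            {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
             "android.permission.RECORD_AUDIO", "android.permission.CAMERA"}),
    AppInfo("com.example.screenreader", "com.android.vending", True, set()),   # legit a11y app
    AppInfo("com.example.messenger", "com.android.vending", False,
            {"android.permission.READ_SMS", "android.permission.READ_CONTACTS", "android.permission.CAMERA"}),
]

if __name__ == "__main__":
    for pkg, score, reasons in triage(SAMPLE):
        print(f"{pkg}: score {score} -> {'; '.join(reasons)}")
```

A legitimate screen reader scores on accessibility alone but stays below the threshold; the cluster of self-granted permissions is what pushes the sideloaded sample over it.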
HTTP and WebSocket channels
After installation, DroidLock establishes persistent communication with its command-and-control server, utilising both HTTP and WebSocket channels.
Through these channels, attackers can execute any of 15 distinct commands, which allow them to perform actions such as locking the device, altering the device's PIN or password, conducting a factory reset, capturing images silently with the front camera, muting notifications, limiting user interaction, and even streaming and remotely controlling the device's screen using VNC.
Dual overlay mechanisms
A key strategy employed by DroidLock involves dual overlay mechanisms for stealing lock-patterns and application credentials. The malware uses quick in-memory overlays to capture screen unlock patterns and employs WebView-based overlays to display attacker-controlled HTML pages designed to steal credentials from specific apps.
Furthermore, the malware can present a misleading Android system update screen to keep victims from interrupting the attack or turning off their devices. While the ransomware overlay does not encrypt files, DroidLock has the capacity to fully wipe a device, locking the user out indefinitely and permitting prolonged control by the attacker.
Intercept one-time passcodes
“For enterprises, a compromised device becomes a hostile endpoint,” said Vishnu Pratapagiri, a Security Researcher at Zimperium and the author of the analysis.
“DroidLock can intercept one-time passcodes, change device credentials, wipe data, and remotely control the user interface. Organisations need mobile security that stops these attacks before they disrupt operations or enable account takeover.”
