DroidLock: A New Ransomware Threat Targeting Android Users


DroidLock is a newly identified malware campaign, reported by Zimperium's zLabs research team, that primarily targets Android users in Spain. It is best classified as ransomware and spreads through phishing websites. The malware aims for a total takeover of the compromised device by capturing app lock credentials and combining them with a range of highly invasive capabilities.

Severity: High

Threat Details

  1. Infection Vector: DroidLock is distributed through phishing websites that impersonate trusted brands (e.g., Orange). Victims are tricked into downloading a dropper APK, which then installs a secondary payload carrying the actual malware. This two-stage dropper tactic is used to get around Android's restrictions on abuse of the Accessibility Service.
  2. Privilege Escalation and Persistence
    Once installed, DroidLock requests Accessibility Service and Device Admin permissions. These permissions allow it to:
    • Automatically grant itself further app permissions (SMS, contacts, camera, microphone access).
    • Lock or wipe the device via administrator privileges.
    • Change PINs or biometric access credentials to lock users out permanently.
  3. Command and Control (C2) Communication
    The malware communicates with its C2 using both HTTP and WebSocket protocols:
    • Phase 1 (HTTP): Sends device analytics and system info.
    • Phase 2 (WebSocket): Maintains persistent communication to receive attacker commands.
    Zimperium identified 15 distinct C2 commands, including RANSOMWARE, WIPE, BLACK_SCREEN, VNC, APP_BLOCK, and INJECT_APP, allowing remote control, data theft, and screen manipulation.
  4. Ransomware-Like Behavior: When the RANSOMWARE command is received, DroidLock displays a full-screen ransom overlay demanding contact with the attacker at admin1lm4ram[@]proton[.]me. The warning claims all files will be destroyed within 24 hours if no payment is made. Although the malware doesn’t encrypt files, it can factory reset or permanently lock the device, coercing victims into paying.
  5. Credential and Data Theft
    DroidLock uses overlay injection techniques to steal app credentials and device unlock patterns:
    • Lock Pattern Overlay: Captures screen unlock patterns.
    • WebView Overlay: Displays fake login pages to harvest credentials.
    It can also record the screen, capture camera images, and intercept OTPs using NotificationListenerService.
  6. Remote Access & Surveillance Features
    • Through VNC functionality, attackers can stream and control the device in real time.
    • It also leverages MediaProjection and VirtualDisplay APIs to capture the screen continuously and exfiltrate screenshots as base64-encoded JPEGs.
  7. Impact Assessment
    DroidLock can:
    • Completely lock or wipe infected Android devices.
    • Steal MFA codes, passwords, and banking credentials.
    • Enable real-time monitoring and control of user activity.
    • Be used to infiltrate enterprise networks via compromised employee devices.
    This makes it a critical mobile threat with both financial and operational implications, especially for organizations allowing Bring Your Own Device (BYOD) access.

Recommendations

Through MDM, disable granting of Device Administrator or Accessibility Services to applications not explicitly approved.

  1. Allow app installation only from Google Play Store or managed enterprise repositories.
  2. Block access to corporate networks for devices that are rooted, unmanaged, or out of compliance with security baselines.
  3. Disable INSTALL_UNKNOWN_APPS and enforce Play Protect scanning across all endpoints.
  4. Conduct awareness campaigns warning against phishing pages posing as system updates or carrier applications.
  5. Encourage updating only through legitimate app stores or vendor OTA (Over-The-Air) channels.
  6. Train users to reject unnecessary permission requests — particularly Accessibility and Admin privileges.
  7. Block the IOCs at their respective controls. The indicator collection is published at:
    https://www.virustotal.com/gui/collection/376781d37af1803c777da157a688e63ae3f60c7c395ee98e76d6c335bf5c0e3a/iocs
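The persistence mechanism described above (Accessibility Service plus Device Admin) is something a fleet check can verify directly. The script below is an added example, not code from Zimperium or from this advisory: it audits the raw value of the `enabled_accessibility_services` secure setting (the colon-separated `package/ServiceClass` list returned by `adb shell settings get secure enabled_accessibility_services`) and a list of active device-admin components gathered by the operator, against an allowlist. All package names, the MDM agent and the sample values are constructed for illustration.

```python
"""Audit enabled Accessibility Services and Device Admins against an allowlist.

Added example for this advisory; not Zimperium's or DroidLock's code.
Assumed inputs: the raw 'enabled_accessibility_services' setting string and a
list of active device-admin component names (for example collected from
`adb shell dumpsys device_policy`). Sample values below are constructed."""

# Allowlist of components expected to hold these powerful grants (constructed).
ALLOWED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
ALLOWED_ADMINS = {
    "com.example.mdm/.DeviceAdminReceiver",  # hypothetical corporate MDM agent
}


def parse_accessibility_setting(raw: str) -> set[str]:
    """Split the colon-separated setting into component names.

    `settings get` prints 'null' when nothing is enabled, so treat that as empty."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {c.strip() for c in raw.split(":") if c.strip()}


def audit(raw_accessibility: str, active_admins: list[str]) -> dict[str, set[str]]:
    """Return components holding Accessibility or Device Admin rights that are not allowlisted."""
    enabled = parse_accessibility_setting(raw_accessibility)
    admins = {a.strip() for a in active_admins if a.strip()}
    return {
        "accessibility": enabled - ALLOWED_ACCESSIBILITY,
        "device_admin": admins - ALLOWED_ADMINS,
    }


if __name__ == "__main__":
    # Constructed sample: TalkBack plus a sideloaded "update" app (hypothetical package).
    sample_setting = (
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
        "com.update.service/.AccService"
    )
    sample_admins = ["com.example.mdm/.DeviceAdminReceiver", "com.update.service/.AdminReceiver"]
    for kind, bad in audit(sample_setting, sample_admins).items():
        for component in sorted(bad):
            print(f"ALERT: non-allowlisted {kind} grant: {component}")
```

Any component the audit reports should be treated as a candidate for the Accessibility/Device Admin abuse described in item 2 and reviewed before the device is allowed back onto corporate resources.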

Ampcus Cyber