
A new Android malware family named DroidLock should concern mobile device owners: it not only locks the device screen for ransom but also gains access to SMS messages, contacts, call logs and audio recordings, and can erase data outright. Researchers from Zimperium report that the malware spreads through fake websites advertising counterfeit applications that are disguised as legitimate packages.

The attack starts with a downloader that persuades the victim to install a second-stage payload, which is the actual malware. After installation, the application requests Device Admin rights and access to the operating system's Accessibility Services, which together give it near-total control of the device: it can change the PIN and passcode, lock the screen, wipe data, or reset the smartphone to its factory state. According to Zimperium, DroidLock understands 15 distinct commands, including activating the camera, muting sound, overlaying windows, and uninstalling applications.

When the extortion scenario is triggered, the malware displays a demand in a WebView instructing the victim to contact the operator via ProtonMail. If the device owner does not pay within 24 hours, the attacker threatens to destroy the files. Notably, no real data encryption takes place. By threatening deletion and changing the lock code, however, the attacker achieves the same effect: the user loses access to the smartphone and the information on it.

A separate dangerous feature of DroidLock is the theft of the unlock pattern. The malware shows a fake pattern-entry screen; the user draws their pattern, and it is immediately sent to the operator. This lets the attacker connect to the device over VNC while the owner is not actively using it.
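The combination described above, a non-trusted package holding Device Admin rights with lock and wipe policies and an enabled accessibility service at the same time, is a useful triage signal for a defender with ADB access to a suspect device. The following Python script is an added example, not code from Zimperium or from the article: it parses the colon-separated value of the real `settings get secure enabled_accessibility_services` setting and a `dumpsys device_policy` dump, then flags packages outside an allowlist. The layout of the `dumpsys` output, the sample data, the package names and the allowlist are all constructed assumptions; real `dumpsys` formatting varies across Android versions, so the regular expressions may need adjusting.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: value of
#   adb shell settings get secure enabled_accessibility_services
# (colon-separated accessibility-service component names).
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccService"
)

# Constructed sample in the assumed layout of `adb shell dumpsys device_policy`.
# Policy tag names (force-lock, reset-password, wipe-data) are real DeviceAdminInfo tags.
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakeupdate/.AdminReceiver:
      uid=10231
      policies:
        force-lock
        reset-password
        wipe-data
    com.corp.mdm/.DeviceAdmin:
      uid=10077
      policies:
        force-lock
"""

# Constructed allowlist: packages an organisation expects to hold these privileges.
ALLOWLIST = {"com.android.talkback", "com.corp.mdm"}

# Device-admin policies that a screen-locker needs for the lock / wipe scenario.
DANGEROUS_POLICIES = {"force-lock", "reset-password", "wipe-data"}


def parse_accessibility(raw: str) -> Set[str]:
    """Return the package names that have an enabled accessibility service."""
    pkgs: Set[str] = set()
    for component in raw.strip().split(":"):
        if "/" in component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def parse_device_admins(raw: str) -> Dict[str, Set[str]]:
    """Map each enabled device-admin package to the policy tags it holds.

    Assumes the constructed layout above: admin component lines indented by
    four spaces and ending in ':', policy tags indented by eight spaces.
    """
    admins: Dict[str, Set[str]] = {}
    current = None
    for line in raw.splitlines():
        admin = re.match(r"^\s{4}(\S+)/\S+:\s*$", line)
        if admin:
            current = admin.group(1)
            admins[current] = set()
            continue
        policy = re.match(r"^\s{8}([a-z-]+)\s*$", line)
        if policy and current:
            admins[current].add(policy.group(1))
    return admins


def find_suspects(accessibility_raw: str, device_policy_raw: str,
                  allowlist: Set[str]) -> List[Tuple[str, List[str]]]:
    """Flag non-allowlisted device admins that hold lock/wipe policies or
    also run an accessibility service; returns (package, reasons) pairs."""
    accessibility = parse_accessibility(accessibility_raw)
    findings: List[Tuple[str, List[str]]] = []
    for pkg, policies in sorted(parse_device_admins(device_policy_raw).items()):
        if pkg in allowlist:
            continue
        reasons: List[str] = []
        if pkg in accessibility:
            reasons.append("device admin + accessibility service")
        risky = policies & DANGEROUS_POLICIES
        if risky:
            reasons.append("lock/wipe policies: " + ", ".join(sorted(risky)))
        if reasons:
            findings.append((pkg, reasons))
    return findings


if __name__ == "__main__":
    for pkg, reasons in find_suspects(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, ALLOWLIST):
        print(f"SUSPECT {pkg}: " + "; ".join(reasons))
```

On a real device, replace the two constants with the captured command output; a hit on both reasons for a package that was sideloaded from a website rather than installed from a store is exactly the privilege profile the article describes, and revoking the admin right (Settings, Security, Device admin apps) before uninstalling is the usual first containment step.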