A new Android malware known as Droidlock turns an infected smartphone into a device fully controlled by attackers. The malware locks the screen with a ransom banner, steals application lock codes, and gains access to sensitive data, ultimately enabling a complete system takeover.
According to Zimperium, Droidlock is distributed via phishing websites and masquerades as a system update. In the initial stage, a lightweight loader is delivered to the device; it then persuades the victim to install a secondary module that contains the core malicious payload. Splitting delivery this way keeps the payload out of the first package the victim installs, which helps the malware evade Android's safeguards and eventually reach privileged device features.
Once the initial permissions are granted, Droidlock grants itself additional privileges without further user interaction, including access to SMS messages, call logs, contacts, and audio recording. The malware also requests device administrator rights, which let it lock the device or wipe its data and change the PIN, password, or biometric settings; on top of that it can silently mute the device and capture images from the front-facing camera.
Communication with the command-and-control infrastructure relies on a combination of HTTP and WebSocket protocols. Basic device information is first exfiltrated over HTTP for profiling purposes, after which WebSocket channels are used to receive commands and transmit harvested data. In total, the malware supports 15 distinct command types for remote control.
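The profiling-then-WebSocket sequence described above leaves a recognisable footprint in egress logs: a client sends an ordinary HTTP request to a host and, shortly afterwards, completes a WebSocket upgrade (HTTP 101 with `Upgrade: websocket`) to the same host. The following Python is an added detection example written for this article; it is not Zimperium's code and not derived from the malware. The log format, hostnames and addresses are constructed for the example, and the five-minute window is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real Droidlock traffic). Fields:
# timestamp client host method path status upgrade_header
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.7 cdn.example-update.test POST /api/register 200 -
2024-05-01T10:00:03Z 10.0.0.7 cdn.example-update.test GET /ws 101 websocket
2024-05-01T10:00:05Z 10.0.0.9 www.example.org GET /index.html 200 -
2024-05-01T10:05:00Z 10.0.0.9 chat.example.org GET /socket 101 websocket
2024-05-01T10:07:10Z 10.0.0.12 api.example.net POST /login 200 -
2024-05-01T10:20:00Z 10.0.0.12 api.example.net GET /ws 101 websocket
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<upgrade>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # "Z" suffix handling keeps this working on Python < 3.11.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["status"] = int(rec["status"])
        yield rec


def find_profile_then_websocket(text, window=timedelta(minutes=5)):
    """Return sorted (client, host) pairs where a plain HTTP request to host is
    followed, within `window`, by a WebSocket upgrade (status 101 with
    Upgrade: websocket) from the same client to the same host.

    A different host for the upgrade, or an upgrade outside the window, is
    not flagged: ordinary sites open WebSockets too, so the pairing is what
    carries the signal, not the upgrade on its own."""
    plain = defaultdict(list)     # (client, host) -> timestamps of non-upgrade requests
    upgrades = defaultdict(list)  # (client, host) -> timestamps of WebSocket upgrades
    for rec in parse_log(text):
        key = (rec["client"], rec["host"])
        if rec["status"] == 101 and rec["upgrade"].lower() == "websocket":
            upgrades[key].append(rec["ts"])
        else:
            plain[key].append(rec["ts"])

    flagged = set()
    max_gap = window.total_seconds()
    for key, ups in upgrades.items():
        for up_ts in ups:
            if any(0 <= (up_ts - p).total_seconds() <= max_gap
                   for p in plain.get(key, [])):
                flagged.add(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, host in find_profile_then_websocket(SAMPLE_LOG):
        print(f"profile-then-websocket pattern: {client} -> {host}")
```

In the constructed log only 10.0.0.7 is flagged: 10.0.0.9 upgrades to a different host than the one it profiled, and 10.0.0.12 upgrades almost thirteen minutes after its HTTP request, outside the window. In practice the same logic would be fed from a proxy or Zeek `http.log` export, with the window tuned to the observed beaconing cadence.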
Upon receiving the appropriate instruction, Droidlock displays a full-screen banner via WebView. The message shows the victim a device identifier and an email address for contacting the attackers, and threatens to destroy the victim's files if a "ransom" is not paid within 24 hours. Although Droidlock does not encrypt data, the device administrator rights it holds allow it to wipe the device's storage, so the threat is very real for affected users.
A particularly dangerous feature is its covert screen-capture capability. Droidlock runs as a persistent background service and uses MediaProjection together with a VirtualDisplay to record the screen (on stock Android, MediaProjection normally requires the user to accept a screen-capture consent prompt, so this capability rests on the permissions the victim was tricked into granting). Captured frames are converted to JPEG images, encoded in Base64, and transmitted to a remote server. This mechanism enables the theft of any sensitive information displayed on the screen, including credentials and one-time multi-factor authentication codes. While attacks have so far been observed against users in Spain, Droidlock's capabilities suggest significant potential for wider distribution.
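The JPEG-to-Base64 exfiltration path above is cheap to spot on the wire because Base64 preserves the JPEG start-of-image marker: the bytes `FF D8 FF` always encode to the prefix `/9j/`. The following Python is an added example for this article, not code from Zimperium or from the malware; it scans outbound WebSocket text frames for Base64 blobs that decode to JPEG data. The frame contents, JSON field names and the fake JPEG are constructed for the example, and the 40-character minimum token length is an assumed threshold.

```python
import base64
import binascii
import re

# Minimal constructed JPEG-like blob: SOI marker + JFIF APP0 header + filler + EOI.
# It is not a decodable picture, only enough structure for the detector.
FAKE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + bytes(range(256)) * 2
    + b"\xff\xd9"
)

# Constructed outbound WebSocket text frames (not real Droidlock traffic).
# The "cmd" and "img" field names are assumptions, not the malware's protocol.
SAMPLE_FRAMES = [
    '{"cmd":"ping"}',
    '{"cmd":"screen","seq":1,"img":"' + base64.b64encode(FAKE_JPEG).decode() + '"}',
    '{"cmd":"sms","body":"' + base64.b64encode(b"x" * 60).decode() + '"}',
    '{"cmd":"screen","seq":2,"img":"' + base64.b64encode(FAKE_JPEG).decode() + '"}',
]

# Runs of Base64 alphabet long enough to be worth decoding (threshold assumed).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def decode_if_jpeg(token):
    """Return the decoded bytes if `token` is valid Base64 whose plaintext
    starts with the JPEG SOI marker, otherwise None."""
    # Cheap pre-filter: Base64 of FF D8 FF is always "/9j/", so anything else
    # cannot be a JPEG and we skip the decode entirely.
    if not token.startswith("/9j/"):
        return None
    try:
        data = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return data if data.startswith(JPEG_SOI) else None


def scan_frames(frames):
    """Scan text frames for embedded Base64 JPEGs.

    Returns a list of (frame_index, decoded_length, has_eoi) tuples. A
    missing EOI marker usually means the image was truncated or split
    across frames, which is worth reporting rather than discarding."""
    hits = []
    for idx, frame in enumerate(frames):
        for m in B64_TOKEN.finditer(frame):
            img = decode_if_jpeg(m.group(0))
            if img is not None:
                hits.append((idx, len(img), img.endswith(JPEG_EOI)))
    return hits


def looks_like_screen_stream(frames, min_images=2):
    """Heuristic: repeated JPEG uploads over one session suggest a screen
    recorder rather than a one-off image upload."""
    return len(scan_frames(frames)) >= min_images


if __name__ == "__main__":
    for idx, size, complete in scan_frames(SAMPLE_FRAMES):
        print(f"frame {idx}: Base64 JPEG, {size} bytes, complete={complete}")
    print("screen stream suspected:", looks_like_screen_stream(SAMPLE_FRAMES))
```

The SMS frame in the sample carries a long Base64 string too, but it fails the `/9j/` pre-check, so only the two screen frames are reported. The same check works on any channel where the encoded frame is visible as text, for example a TLS-intercepting proxy's WebSocket capture or a mobile traffic export from a sandbox.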