
DroidLock Attacks Android with Ransomware and Mass Password Theft
TL;DR
Researchers from zLabs have identified DroidLock, a new ransomware affecting Android users in Spain. It operates through phishing websites, completely blocking the device's screen, stealing credentials, and taking full control of the device.
The focus of the attacks is on users in Spain, although the risk for Brazilians is considered low at the moment.
How the Attack Works
DroidLock employs a two-stage infection technique. First, an application called a "dropper" tricks the user into installing a second malicious payload that contains the actual ransomware. This approach allows it to bypass Android restrictions by exploiting Accessibility Services.
Once accessibility permission is granted, the malware gains access to SMS, call logs, and contacts without the user's knowledge.
Unlike traditional ransomware, DroidLock uses a full-screen overlay warning that occupies the entire device screen, displayed on command from a command and control (C2) server.
The message instructs the victim to contact the attackers via email with the device ID within 24 hours, under the threat of file destruction, although it does not actually encrypt the data; it can, however, perform a forced factory reset.
DroidLock also requests administrator privileges at the start of the installation, allowing criminals to lock the device, change PINs, passwords, and biometric information, preventing legitimate user access.
Credential Theft via Overlays
To steal credentials and unlock patterns, the malware employs two main methods. The first simulates the Android unlock pattern screen, recording users' movements as they try to unlock their devices.
In the second method, DroidLock maintains a local database of fake HTML pages. When the victim accesses target apps, such as banking or social media, a full-screen overlay is displayed, capturing sensitive information without arousing suspicion.
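The abuse chain described in the two sections above (an enabled accessibility service in a user-installed package, combined with permission to draw over other apps) leaves traces that can be pulled off a device with adb. The script below is an added example, not code from zLabs or TecMundo: it parses the text printed by `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -3` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW`, and flags third-party packages that run an accessibility service outside an allowlist or that may draw overlays. The sample outputs, the allowlist and the package names are constructed for the demo.

```python
"""Triage of accessibility-service and overlay abuse from adb command output.

Added example, not code from zLabs or TecMundo. It parses what these real
commands print; the sample outputs below are constructed, and the allowlist
and package names are assumptions for the demo:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Accessibility services the organisation knowingly permits (assumption).
ALLOWED_ACCESSIBILITY: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


@dataclass
class Finding:
    package: str
    reasons: List[str] = field(default_factory=list)


def parse_enabled_accessibility(settings_value: str) -> List[str]:
    """The setting is a colon-separated list of 'pkg/ServiceClass' names, or 'null'."""
    value = settings_value.strip()
    if value in ("", "null"):
        return []
    return [c for c in value.split(":") if c]


def parse_third_party_packages(pm_output: str) -> Set[str]:
    """'pm list packages -3' prints one 'package:<name>' line per user-installed app."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def overlay_allowed(appops_output: str) -> bool:
    """'appops get <pkg> SYSTEM_ALERT_WINDOW' prints 'SYSTEM_ALERT_WINDOW: allow; ...'
    when the app may draw over other apps, and 'No operations.' otherwise."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output) is not None


def triage(settings_value: str, pm_output: str, appops_by_pkg: Dict[str, str],
           allowlist: Set[str] = ALLOWED_ACCESSIBILITY) -> Dict[str, Finding]:
    """Flag user-installed packages with an unexpected accessibility service or overlay rights."""
    third_party = parse_third_party_packages(pm_output)
    findings: Dict[str, Finding] = {}
    for component in parse_enabled_accessibility(settings_value):
        pkg = component.split("/", 1)[0]
        if component in allowlist or pkg not in third_party:
            continue  # system services and known-good services are not findings
        findings.setdefault(pkg, Finding(pkg)).reasons.append(
            f"enabled accessibility service {component}")
    for pkg, output in appops_by_pkg.items():
        if pkg in third_party and overlay_allowed(output):
            findings.setdefault(pkg, Finding(pkg)).reasons.append(
                "may draw over other apps (SYSTEM_ALERT_WINDOW allowed)")
    return findings


# Constructed sample output for the demo (com.example.dropper is a placeholder name).
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                   ":com.example.dropper/com.example.dropper.AccessService")
SAMPLE_PM = "package:com.example.dropper\npackage:com.example.bank\n"
SAMPLE_APPOPS = {
    "com.example.dropper": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m56s339ms ago\n",
    "com.example.bank": "No operations.\n",
}

if __name__ == "__main__":
    for pkg, finding in triage(SAMPLE_SETTINGS, SAMPLE_PM, SAMPLE_APPOPS).items():
        print(pkg)
        for reason in finding.reasons:
            print("  -", reason)
```

A package that hits both rules at once is the combination the article describes; a single hit (for instance a legitimate password manager with an accessibility service) is a lead to review, not a verdict.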
Screen Recording and Remote Control
Surveillance is an advanced aspect of DroidLock, which can continuously record what appears on the screen, sending base64-encoded screenshots to the attackers. This functionality is especially risky for users dealing with sensitive information.
Additionally, the malware supports remote control via VNC (Virtual Network Computing), allowing attackers to interact with the device in real time.
Malware Communication Architecture
DroidLock uses a two-phase communication system. First, it sends basic device data via HTTP, including model, Android version, and location.
In the next phase, the communication evolves to websocket, allowing real-time data exchange. This connection is used to receive commands and continuously transmit stolen information.
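The two-phase pattern just described (a plain HTTP POST profiling the device, then a websocket to the same host carrying commands and stolen data, including the base64-encoded screenshots mentioned under "Screen Recording and Remote Control") is something an egress proxy can be watched for. The detector below is an added example, not zLabs or TecMundo code: it runs over constructed proxy records, correlates a device-profile POST with a websocket upgrade to the same host inside a time window, and flags client-to-server websocket frames that decode from base64 to a PNG or JPEG. The record layout, field names and the placeholder host 198.51.100.23 are assumptions for the demo.

```python
"""Detect the HTTP-beacon-then-websocket C2 pattern and base64 screenshot exfil.

Added example, not code from zLabs or TecMundo. The proxy record layout and
the beacon field names are assumptions; the sample records are constructed.
"""
import base64
import json
from typing import Dict, List

# The article says the first HTTP phase carries model, Android version and
# location; the key names are an assumption for the demo.
PROFILE_KEYS = {"model", "android_version", "lat", "lon"}
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")  # PNG and JPEG headers


def looks_like_profile_beacon(rec: Dict) -> bool:
    """Phase one: a plain HTTP POST whose JSON body profiles the device."""
    if rec.get("method") != "POST":
        return False
    try:
        body = json.loads(rec.get("body") or "")
    except json.JSONDecodeError:
        return False
    return isinstance(body, dict) and len(PROFILE_KEYS & set(body)) >= 3


def is_websocket_upgrade(rec: Dict) -> bool:
    """Phase two: the connection is upgraded to a websocket."""
    return str(rec.get("upgrade", "")).lower() == "websocket"


def carries_base64_image(payload: str) -> bool:
    """Screen-capture exfil: a frame that is valid base64 and decodes to an image."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(IMAGE_MAGIC)


def detect(records: List[Dict], window_s: int = 600) -> List[Dict]:
    """Return alerts for (src, host) pairs showing the beacon-then-websocket
    sequence, and for client-to-server websocket frames carrying images."""
    beacons: Dict[tuple, int] = {}
    alerts: List[Dict] = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["src"], rec["host"])
        if looks_like_profile_beacon(rec):
            beacons[key] = rec["ts"]
        elif is_websocket_upgrade(rec):
            seen = beacons.get(key)
            if seen is not None and rec["ts"] - seen <= window_s:
                alerts.append({"rule": "profile_beacon_then_websocket",
                               "src": rec["src"], "host": rec["host"], "ts": rec["ts"]})
        elif rec.get("direction") == "client_to_server" and \
                carries_base64_image(rec.get("ws_payload", "")):
            alerts.append({"rule": "base64_image_over_websocket",
                           "src": rec["src"], "host": rec["host"], "ts": rec["ts"]})
    return alerts


def build_sample_records() -> List[Dict]:
    """Constructed proxy records: one benign POST, then the suspicious sequence."""
    fake_png = base64.b64encode(IMAGE_MAGIC[0] + b"\x00" * 64).decode()
    return [
        {"ts": 100, "src": "10.0.0.7", "host": "api.example-weather.test",
         "method": "POST", "body": '{"city": "Madrid"}'},
        {"ts": 120, "src": "10.0.0.7", "host": "198.51.100.23", "method": "POST",
         "body": '{"model": "Pixel 6", "android_version": "13", "lat": 40.4, "lon": -3.7}'},
        {"ts": 125, "src": "10.0.0.7", "host": "198.51.100.23",
         "method": "GET", "upgrade": "websocket"},
        {"ts": 130, "src": "10.0.0.7", "host": "198.51.100.23",
         "direction": "client_to_server", "ws_payload": fake_png},
        {"ts": 131, "src": "10.0.0.7", "host": "198.51.100.23",
         "direction": "server_to_client", "ws_payload": "bG9jaw=="},
    ]


if __name__ == "__main__":
    for alert in detect(build_sample_records()):
        print(alert)
```

The beacon rule on its own would also match legitimate telemetry; pairing it with the websocket upgrade to the same host within the window is what narrows it to the behaviour the article describes, and the image rule gives an independent signal for the screen-recording stage.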
Currently, DroidLock focuses on Spanish users, but the situation demands attention as the technique could expand to other regions.
Content selected and edited with AI assistance. Original sources referenced above.