The DroidLock malware completely takes over Android devices and allows hackers to control them remotely.
Researchers have discovered new Android malware that completely takes over devices and then holds them for ransom. The malware, called DroidLock, currently targets mainly Spanish-speaking users, but could quickly expand internationally.
Full control
DroidLock is spread via phishing websites that mislead victims with fake apps from telecom providers or other well-known brands. The app abuses Device Admin and Accessibility Services permissions to gain full control. After obtaining accessibility rights, the malware automatically approves additional permissions, including access to SMS, contacts, call logs, and audio. This gives attackers more leverage for their ransom demands.
DroidLock also uses Accessibility Services to display overlays on top of other apps. This allows it to intercept unlock patterns and display a fake Android update screen that advises victims to restart their device.
In addition, the malware uses VNC technology, allowing attackers to control the device in real time: start the camera, mute sound, manipulate notifications, delete apps, and even change the PIN code. The device can be completely blocked in this way without encrypting files.
How to stay safe
Malwarebytes shares some tips to stay safe:
- Only install apps through official app stores. Avoid installation links in SMS, email or chat messages.
- Always check the developer, number of downloads and reviews before installing anything.
- Use up-to-date mobile security.
- Pay attention to permissions, especially for accessibility, SMS, camera or microphone.
- Keep Android and Google Play Services up-to-date for the latest security patches.
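
An added example, not from Malwarebytes or the original article: a triage script for the permission pattern described above. It flags apps installed from outside a trusted store that hold an enabled accessibility service, and lists which of the SMS, contacts, call log and audio permissions they have been granted. It assumes the first two inputs are captured with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`; the `granted` map, the sample data and all function names are constructed for illustration.

```python
import re

# Permissions the article says DroidLock grants itself via accessibility rights.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def accessibility_packages(setting_value):
    """Package names from the colon-separated component list in the setting."""
    value = setting_value.strip()
    if value in ("", "null"):  # nothing enabled
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` lines."""
    found = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def triage(setting_value, pm_output, granted):
    """(package, installer, sensitive grants) for sideloaded accessibility apps."""
    inst = installers(pm_output)
    findings = []
    for pkg in accessibility_packages(setting_value):
        source = inst.get(pkg)
        # Not in the third-party list (preinstalled) or from a trusted store: skip.
        if source is None or source in TRUSTED_INSTALLERS:
            continue
        hits = sorted(SENSITIVE & set(granted.get(pkg, ())))
        findings.append((pkg, source, hits))
    return sorted(findings, key=lambda f: (-len(f[2]), f[0]))

# Constructed sample data; package names are hypothetical.
SAMPLE_SETTING = "com.example.screenreader/.ReaderService:com.example.telecom.update/.HelperService"
SAMPLE_PM = "package:com.example.telecom.update  installer=null\npackage:com.example.notes  installer=com.android.vending"
SAMPLE_GRANTED = {"com.example.telecom.update": [
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO", "android.permission.INTERNET"]}

if __name__ == "__main__":
    for pkg, source, hits in triage(SAMPLE_SETTING, SAMPLE_PM, SAMPLE_GRANTED):
        print(f"{pkg} (installer={source}) holds accessibility + {hits or 'no listed grants'}")
```

A finding is a prompt for review, not a verdict: legitimate sideloaded accessibility tools will also appear.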
