A new Android malware named DroidLock is targeting Spanish-speaking users by locking their devices and demanding a ransom. Distributed through fraudulent websites posing as official app sources, the malware tricks users into installing a dropper that subsequently downloads the main malicious payload. Once installed, it requests extensive permissions for Device Administrator and Accessibility Services, which grant it near-total control over the infected device.
The malware can execute 15 different commands, including muting the device, resetting it to factory settings, and changing the lock screen PIN or biometric data to block the owner's access. It does not encrypt files but threatens to destroy them unless a ransom is paid within 24 hours. DroidLock also uses a deceptive overlay to steal the user's screen lock pattern, which attackers then use to remotely access the device via VNC during idle periods.
Researchers from Zimperium, who shared their findings with Google, note that Play Protect now blocks this threat on updated devices. To protect themselves, Android users are strongly advised to avoid sideloading apps from untrusted sources, scrutinize app permissions, and regularly use Play Protect to scan their devices.
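As an added example (not from Zimperium's report or the original article), this Python script audits a decoded AndroidManifest.xml, such as the one apktool produces, for the combination described above: a Device Administrator receiver together with an Accessibility Service. The two manifests and their package names are constructed samples, and treating REQUEST_INSTALL_PACKAGES as a dropper hint is an assumption rather than a detail from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumption: a dropper that installs a second-stage APK usually declares this.
INSTALL_PKGS = "android.permission.REQUEST_INSTALL_PACKAGES"

def audit_manifest(xml_text):
    """Report the high-risk capabilities declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    out = {"package": root.get("package"), "device_admin": [],
           "accessibility": [], "can_install_packages": False}
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") == INSTALL_PKGS:
            out["can_install_packages"] = True
    # Admin receivers and accessibility services are protected by these BIND_* permissions.
    for tag, bind, key in (("receiver", BIND_ADMIN, "device_admin"),
                           ("service", BIND_A11Y, "accessibility")):
        for comp in root.iter(tag):
            if comp.get(ANDROID_NS + "permission") == bind:
                out[key].append(comp.get(ANDROID_NS + "name"))
    # Holding both at once is the combination the article describes.
    out["review"] = bool(out["device_admin"] and out["accessibility"])
    return out

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample manifests, not taken from any real app.
SUSPICIOUS = f"""<manifest {NS} package="com.example.constructed.update">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".AdminRx" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11ySvc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
BENIGN = f"""<manifest {NS} package="com.example.constructed.reader">
  <application>
    <service android:name=".ReadAloud" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(audit_manifest(sample))
```

A `review` value of `True` marks an app for manual inspection; legitimate software can hold either privilege on its own, which is why the benign sample is not flagged.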
