DroidLock Android Malware Incident

**New Android Malware "DroidLock" Targets Spanish Users with Ransomware-Like Tactics** Researchers at Zimperium have uncovered a sophisticated Android malware, dubbed *DroidLock*, capable of locking device screens, demanding ransom payments, and executing full device takeovers. The malware, which exhibits ransomware-like behavior, also wipes data, alters PINs, intercepts one-time passwords (OTPs), and remotely controls infected devices. The campaign primarily targeted Spanish Android users through phishing sites, with attackers impersonating Orange S.A., a French telecommunications company. Once installed, *DroidLock* employs deceptive system update screens to trick victims into granting critical permissions, including Device Admin and Accessibility Services. These permissions enable the malware to perform malicious actions such as factory resets, device locking, PIN changes, and unauthorized access to SMS, call logs, and contacts. The infection begins with a dropper that prompts users to enable unknown app installations, followed by a secondary payload that exploits accessibility permissions to automate further malicious actions. *DroidLock* uses two key overlay techniques—*Lock Pattern* (to capture unlock patterns) and *WebView* (to display attacker-controlled HTML content)—to manipulate user interactions. It also deploys a fake update screen to prevent users from interrupting its operations. Additionally, the malware operates as a persistent foreground service, capturing screen activity via *MediaProjection* and *VirtualDisplay*, then transmitting the data to a command-and-control (C2) server. This functionality poses a severe risk, potentially exposing credentials, multi-factor authentication (MFA) codes, and other sensitive information. Zimperium has shared its findings with Google, ensuring protection for up-to-date Android devices. Indicators of Compromise (IoCs) for *DroidLock* have also been published to aid detection and mitigation.