New Android Ransomware Campaign Targets Spanish-Speaking Users with DroidLock Malware Researchers have uncovered an active threat campaign distributing DroidLock, a sophisticated Android ransomware strain that hijacks devices and demands payment under threats of data destruction. While the campaign has primarily targeted Spanish-speaking users, experts warn it could expand to other regions. How DroidLock Infects Devices The malware spreads via phishing sites that impersonate trusted brands, such as telecom providers, tricking victims into downloading a malicious app. Once installed, the app acts as a dropper, exploiting Device Admin and Accessibility Services permissions to gain full control. After securing accessibility access, DroidLock autonomously approves additional permissions—including SMS, call logs, contacts, and audio—to strengthen its leverage for extortion. Capabilities and Attack Tactics DroidLock employs Accessibility Services to overlay fake screens, such as a fraudulent Android update prompt, while secretly capturing device unlock patterns and app credentials. Using Virtual Network Computing (VNC), attackers gain real-time remote control, enabling them to: - Change device PINs to lock users out - Intercept one-time passwords (OTPs) - Manipulate notifications, mute audio, or uninstall apps - Activate the camera for surveillance - Wipe the device if ransom demands aren’t met Unlike traditional ransomware, DroidLock does not encrypt files but instead blocks access and threatens permanent data deletion unless payment is made within 24 hours. Victims receive a ransom note with an email contact and device ID, accompanied by countdown timers and warnings against involving authorities or recovery tools. Researchers’ Findings Security firm Zimperium highlighted the malware’s ability to bypass security measures and escalate privileges rapidly. The campaign’s success in Spain may prompt its expansion to other markets, raising concerns about its potential global reach.