Beware! DroidLock Malware Can Hijack Your Phone Through Fake Apps

Security researchers have found a new Android malware called DroidLock spreading through fake apps. It can lock a user’s device and demand a ransom. It can also read text messages, call logs, contacts, and audio recordings. In some cases, it can even erase all data. This makes it a serious threat to Android users.
Researchers from the mobile security firm Zimperium discovered the malware. They say the attack mainly targets Spanish-speaking users. The malware spreads through fake websites that promote harmful apps. These apps pretend to be safe but install dangerous files once the user downloads them.
The infection begins with a dropper. This dropper tricks the user into installing a second app. The second app contains the actual malware. Once installed, it asks for Device Admin and Accessibility permissions. Many users allow these permissions because they do not know the risk. But these permissions give the malware full control.
With these permissions, DroidLock can wipe the device. It can lock the screen. It can change the PIN, password, or biometric data. This means the rightful owner cannot open their own device. The malware can also start the camera, mute the phone, uninstall apps, or reset the device to factory settings.
Zimperium reports that DroidLock supports 15 different commands. These commands tell the malware what to do. Some commands place an overlay on the screen. Others send notifications or block access to apps. One dangerous command activates a ransomware screen.
The ransomware screen uses WebView. Once it appears, the user sees a message telling them to contact the attacker. The attacker uses a ProtonMail address. The message warns that if the victim does not pay a ransom within 24 hours, their files will be destroyed forever. This scares many users into paying.
However, the researchers say DroidLock does not actually encrypt files. It only threatens to delete them. Still, the effect is the same because the victim is locked out of their own device. The attacker can also change the device’s lock pattern to prevent access.
One more worrying feature is how DroidLock steals lock patterns. It creates a fake lock screen using an overlay. When the user draws their pattern, the malware sends it to the attacker. With this pattern, the attacker gains full remote access using VNC tools. This allows them to control the device anytime.
Zimperium is part of Google’s App Defense Alliance. Because of this, they have already shared their findings with Google. As a result, Play Protect can now detect and block DroidLock on updated devices. But users with older devices or those who install apps from unknown sources remain at risk.
Experts advise Android users not to download apps from outside the Google Play Store unless they fully trust the source. They should check all app permissions carefully. They should also run Play Protect scans regularly. Taking these steps can reduce the chance of infection.
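The permission check above can be scripted for a device connected over adb. The following is an added example, not code from Zimperium or the original article: it flags third-party apps that hold both Accessibility and Device Admin rights and were not installed by a trusted store. It assumes the three inputs come from `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys device_policy` and `adb shell pm list packages -3 -i`; the function names, the trusted-installer list and the sample data are constructed, and the `dumpsys` layout varies between Android versions.

```python
import re

# Installers treated as trusted stores (assumption; extend for your own fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Matches a flattened component name such as com.app/.Receiver or com.app/com.app.Svc
COMPONENT = re.compile(r"([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+)/[\w.$]+")

def packages_in(text):
    """Package names of every 'package/class' component found in text."""
    return set(COMPONENT.findall(text))

def installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def triage(accessibility, device_admins, pm_output):
    """Third-party, untrusted-source packages holding both permissions."""
    both = packages_in(accessibility) & packages_in(device_admins)
    source = installers(pm_output)  # only third-party apps appear here (-3)
    return sorted(p for p in both
                  if p in source and source[p] not in TRUSTED_INSTALLERS)

# Constructed sample data; com.example.* packages are placeholders.
ACCESSIBILITY = ("com.example.updater/com.example.updater.Svc:"
                 "com.example.mdm/.HelperService:"
                 "com.google.android.marvin.talkback/.TalkBackService")
DEVICE_ADMINS = """Enabled Device Admins (User 0):
  com.example.updater/.AdminReceiver:
  com.example.mdm/.PolicyReceiver:
  com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
"""
PM_OUTPUT = """package:com.example.updater  installer=null
package:com.example.mdm  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg in triage(ACCESSIBILITY, DEVICE_ADMINS, PM_OUTPUT):
        print("review and consider removing:", pkg)
```

A flagged package is a candidate for review, not a verdict: some legitimate sideloaded tools request both permissions.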
DroidLock shows how fast mobile threats are evolving. It also reminds users to stay alert and protect their devices.