A recently identified Android malware family, referred to as “DroidLock,” has drawn attention for capabilities that include locking the device screen and demanding a ransom payment under the threat of wiping the victim's data.
Researchers from Zimperium uncovered this ransomware-like malware, which can not only lock the screen but also wipe the device, change the PIN, and intercept one-time passwords (OTPs). It can also drive user interface elements remotely, turning an infected smartphone into a device that the attacker, rather than the owner, controls.
Understanding DroidLock: The Mechanics of Android Malware
In a recent blog post, the Zimperium team described how DroidLock works, highlighting its ability to overlay a ransom demand on the screen while harvesting app-lock credentials, which can hand an adversary complete control over the compromised device.
DroidLock displays fake system update screens to mislead the user and uses virtual network computing (VNC) to stream the screen from, and inject input into, infected devices. It also abuses device administrator privileges; the actions it performs include locking or wiping the device, capturing images with the front camera, and muting device audio.
Infection begins with a dropper that prompts the user to enable installation of apps from unknown sources. The dropper then fetches a second-stage payload that carries the actual malware.
Installation and Permission Exploits
Once installed, DroidLock asks the user to enable its accessibility service. With accessibility rights the malware can grant itself further access, to text messages, call logs, and contact lists. The researchers note that these rights, together with the device administrator role described above, let the malware carry out destructive actions such as:
- Erasing device data, akin to executing a factory reset.
- Locking the user’s phone.
- Changing the PIN or biometric unlock method, locking the legitimate owner out.
According to the researchers, commands from the malware’s command and control (C2) server can leave the device compromised indefinitely, with the user unable to regain access.
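The privilege combination just described (an enabled accessibility service, the device administrator role, overlay rights, and SMS, call-log and contact access) is what an analyst looks for on a phone suspected of carrying this kind of malware. The Python triage script below is an added example for this article, not Zimperium's tooling. It parses the output of four `adb shell` commands (`settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `dumpsys package <pkg>`, and `appops get <pkg> SYSTEM_ALERT_WINDOW`). The sample command output is constructed, the package names are hypothetical, and because dumpsys formatting varies between Android versions the parsers are a starting point to be validated against a real device rather than a finished detector.

```python
"""Triage sideloaded Android apps for the privilege combination DroidLock relies on.

Added example for this article, not Zimperium's code. All sample command output
below is constructed; the package names are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Runtime permissions that line up with the article's description (OTP interception,
# call logs, contacts). Overlay is tracked separately because on modern Android
# SYSTEM_ALERT_WINDOW is an app-op, not a plain permission grant.
SENSITIVE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}


@dataclass
class AppFindings:
    package: str
    accessibility: bool = False   # listed in enabled_accessibility_services
    device_admin: bool = False    # active device admin receiver
    overlay: bool = False         # SYSTEM_ALERT_WINDOW app-op allowed
    granted: set = field(default_factory=set)

    def verdict(self) -> str:
        # Accessibility + device admin is the lock/wipe/PIN-change pairing;
        # that alone deserves a manual look regardless of other grants.
        if self.accessibility and self.device_admin:
            return "HIGH"
        if self.accessibility and (self.overlay or self.granted & SENSITIVE_PERMS):
            return "MEDIUM"
        return "LOW"


def parse_accessibility_setting(value: str) -> set[str]:
    """`settings get secure enabled_accessibility_services` prints pkg/ServiceClass
    entries separated by ':', or 'null' when no service is enabled."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_device_admins(device_policy_dump: str) -> set[str]:
    """Packages listed as ComponentInfo{pkg/Class} under the 'Enabled Device Admins'
    header of `dumpsys device_policy`. Assumption: header/ComponentInfo layout as on
    recent builds; the section ends at the next two-space-indented header."""
    _, sep, rest = device_policy_dump.partition("Enabled Device Admins")
    if not sep:
        return set()
    section = re.split(r"\n {0,2}\S", rest, maxsplit=1)[0]
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", section))


def parse_granted_permissions(package_dump: str) -> set[str]:
    """Permissions marked granted=true in `dumpsys package <pkg>` output."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", package_dump))


def parse_overlay_appop(appops_output: str) -> bool:
    """`appops get <pkg> SYSTEM_ALERT_WINDOW` prints e.g. 'SYSTEM_ALERT_WINDOW: allow; time=...'."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return m is not None and m.group(1) == "allow"


def triage(packages, a11y_setting, device_policy_dump, package_dumps, appops_outputs):
    """Combine the parsed command output into one AppFindings per package."""
    a11y = parse_accessibility_setting(a11y_setting)
    admins = parse_device_admins(device_policy_dump)
    return {
        pkg: AppFindings(
            package=pkg,
            accessibility=pkg in a11y,
            device_admin=pkg in admins,
            overlay=parse_overlay_appop(appops_outputs.get(pkg, "")),
            granted=parse_granted_permissions(package_dumps.get(pkg, "")),
        )
        for pkg in packages
    }


# --- constructed sample output (not captured from a real infection) ---
SAMPLE_PACKAGES = ["com.example.sysupdate", "com.example.notes"]  # from `pm list packages -3`
SAMPLE_A11Y = ("com.example.sysupdate/com.example.sysupdate.A11yService:"
               "com.android.talkback/com.google.android.marvin.talkback.TalkBackService")
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.sysupdate/com.example.sysupdate.AdminReceiver}:
      uid=10234
  Device Owner: none
"""
SAMPLE_PACKAGE_DUMPS = {
    "com.example.sysupdate": """    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.CAMERA: granted=false
""",
    "com.example.notes": """    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true
""",
}
SAMPLE_APPOPS = {
    "com.example.sysupdate": "SYSTEM_ALERT_WINDOW: allow; time=+12m3s551ms ago",
    "com.example.notes": "SYSTEM_ALERT_WINDOW: default",
}


def run_sample() -> dict:
    """Return {package: verdict} for the constructed sample."""
    findings = triage(SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_DEVICE_POLICY,
                      SAMPLE_PACKAGE_DUMPS, SAMPLE_APPOPS)
    return {pkg: f.verdict() for pkg, f in findings.items()}


if __name__ == "__main__":
    for pkg, verdict in run_sample().items():
        print(f"{verdict:6} {pkg}")
```

On a real device, feed the script the live output of the four commands for each third-party package; a HIGH verdict is not proof of infection (some MDM agents legitimately hold both accessibility and device admin), but it is the set of apps to pull and inspect first.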
Overlay Techniques Used by DroidLock
DroidLock uses its accessibility service to place overlays on top of targeted applications once specific conditions are met. It relies on two main overlay techniques:
- A Lock Pattern overlay that mimics the pattern-drawing interface to capture the user's unlock gesture.
- A WebView overlay that renders attacker-controlled HTML. It loads when a targeted application is opened and fills the screen, obscuring the real app, while the malware checks its local database for a matching target.
In addition, DroidLock shows a fake Android update screen that warns the user not to power off or reboot the device. This keeps the user from intervening while the malware carries out its most sensitive actions.
Persistent Surveillance Capabilities
Running as a persistent foreground service, the malware continuously captures the screen and relays it to a remote server. It uses the MediaProjection and VirtualDisplay APIs to grab frames, encodes each one as a base64-encoded JPEG, and transmits it to the C2 server.
This is a serious threat: anything visible on screen, including login credentials and multi-factor authentication (MFA) codes, can be stolen.
Zimperium has shared its findings with Google to help harden current Android versions against this malware, and has published Indicators of Compromise (IoCs) for DroidLock to support detection and mitigation.
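On the wire, the screen exfiltration described above is a request body carrying a large base64 string that decodes to a JPEG, posted over and over. The Python detector below is an added example for this article, not Zimperium's code and not DroidLock's actual C2 protocol, whose request format the article does not describe. It finds long base64 runs in a captured request body, decodes them, checks for the JPEG start-of-image signature, and walks the marker segments to the frame header to recover the image dimensions, so that a phone-screen-sized frame can be told apart from a token or an avatar. The request body and the JPEG inside it are constructed in the script, and the JSON field names are assumed.

```python
"""Spot base64-encoded JPEG screen captures in a captured C2 request body.

Added example for this article, not Zimperium's code; the C2 body format and
the JPEG inside it are constructed for illustration.
"""
import base64
import binascii
import re
import struct

# Long, unbroken base64 runs; short tokens (IDs, timestamps) never match.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
JPEG_SOI = b"\xff\xd8\xff"


def jpeg_dimensions(data: bytes):
    """Walk JPEG marker segments to the first SOF (frame header) and return
    (height, width), or None if the data is not a well-formed JPEG header."""
    if not data.startswith(b"\xff\xd8"):
        return None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None                       # lost marker alignment
        marker = data[i + 1]
        if marker == 0xFF:                    # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                    # EOI before any frame header
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            i += 2                            # standalone markers carry no length
            continue
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if marker in (0xC0, 0xC1, 0xC2):      # SOF0/1/2: precision, height, width
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return height, width
        i += 2 + length                       # skip APPn, COM, DQT, DHT, ...
    return None


def find_screen_captures(body: str):
    """Return (height, width) for every base64 run in `body` that decodes to a JPEG."""
    hits = []
    for m in B64_RUN.finditer(body):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue                          # looked like base64, was not
        if raw.startswith(JPEG_SOI):
            hits.append(jpeg_dimensions(raw))
    return hits


def build_sample_jpeg(height: int, width: int) -> bytes:
    """Constructed minimal JPEG header (SOI, APP0/JFIF, COM, SOF0, EOI) with no
    image data: just enough structure for the marker walker above."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    comment = b"constructed sample"
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(comment)) + comment
    sof0 = (b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"
            + struct.pack(">HH", height, width)
            + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return b"\xff\xd8" + app0 + com + sof0 + b"\xff\xd9"


# Constructed request body; the field names are assumed, not DroidLock's real ones.
# The 64-character hex device ID is valid base64 but is not a JPEG, so it is ignored.
SAMPLE_BODY = (
    '{"device":"' + "ab12" * 16 + '",'
    '"ts":1700000000,'
    '"screen":"' + base64.b64encode(build_sample_jpeg(1920, 1080)).decode() + '"}'
)


if __name__ == "__main__":
    for dims in find_screen_captures(SAMPLE_BODY):
        print("screen capture frame:", dims)
```

In a proxy or IDS pipeline the useful alert is not a single hit but the pattern: one sideloaded app posting frames with the device's own screen dimensions to one host at a steady interval. Decoding the base64 yourself matters because the JPEG signature is invisible to a plain content-type or keyword rule.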