DroidLock: New Android Malware Locks Your Phone and Demands a Ransom

Written by Scarlet Mendoza | Dec 12, 2025 5:38:44 PM

A new and sophisticated Android malware known as DroidLock has begun spreading among Spanish-speaking users. It can completely lock the device's screen and demand a ransom to regain access.

In addition, it has the ability to access text messages, call logs, contacts, audio recordings, and even delete stored data, putting the user’s privacy and operational continuity at serious risk.

DroidLock also enables attackers to take full control of the device using remote access technologies, allowing them to interact with the phone as if they were holding it in their hands. One of its most dangerous tactics is its ability to capture the device’s unlock pattern or PIN by displaying overlays designed to trick the user.

This malware is distributed primarily through malicious websites that offer fake apps disguised as legitimate packages to lure users into installing them. Once on the device, DroidLock abuses the elevated permissions it obtains to act without restriction, making it a critical threat to any unprotected Android device.

How the DroidLock Infection Begins on Android Devices

According to recent analysis, the infection process starts through a "dropper" designed to deceive the user into installing a second app, which contains the actual malicious code. This method allows the attacker to hide their true intentions until the device has already been compromised.

Loader App and DroidLock App (Source: Zimperium)

The malicious apps used by DroidLock deploy the main payload through a fake update request and subsequently ask for device administrator permissions and access to accessibility services. Once granted, these privileges allow them to carry out actions completely beyond the user's control.

Among the most critical operations it can perform are wiping the device's contents, completely locking it, or changing the PIN, password, or biometric data—effectively preventing any legitimate access attempts.

Technical analysis reveals that DroidLock includes at least 15 different commands capable of executing advanced functions such as sending fake notifications, placing overlays on the screen, silencing the device, resetting it to factory settings, activating the camera, or even uninstalling apps, demonstrating a deep and highly dangerous level of control over the compromised system.

Commands Supported by DroidLock

The lock screen used by the ransomware is deployed via WebView as soon as the device receives the corresponding command, displaying a message instructing the victim to contact the attacker through an encrypted email address. The message includes a warning: if the ransom is not paid within 24 hours, the cybercriminals threaten to irreversibly delete the device’s files, aiming to apply pressure and increase the chances of payment.

DroidLock ransom screen


Conclusion

Although DroidLock does not encrypt the device’s files, it serves the same extortion purpose by threatening to destroy the data if the ransom is not paid. This is compounded by its ability to block legitimate user access by altering the device’s unlock code.

The malware can also steal the unlock pattern through an overlay designed to mimic the real screen. When the user draws their pattern on this fake interface, the information is sent directly to the attacker. This mechanism allows the malware operators to gain remote access to the device via VNC, even when the device is idle.

Thanks to active collaboration with the Android security ecosystem, detected variants of DroidLock can be blocked by Google Play Protect on updated devices. However, protection also depends on user behavior.

To reduce the risk of infection, at TecnetOne we recommend avoiding the download of APKs from outside Google Play unless they come from fully trusted developers. Additionally, it’s essential to carefully review the permissions requested by each app and run regular scans with Play Protect to identify potential threats before they compromise your device.
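The permission review recommended above can be partly automated for the accessibility-service abuse described earlier. The following is an added example, not code from the cited analysis or from TecnetOne: it cross-references the output of `adb shell pm list packages -3 -i` with `adb shell settings get secure enabled_accessibility_services` and flags third-party apps that were not installed by Google Play yet have an accessibility service enabled. The trusted-installer set and all sample package names are assumptions constructed for illustration.

```python
import re

# Assumption: only Google Play is treated as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        match = _PKG_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def parse_accessibility(setting_value):
    """Return package names from the colon-separated component list."""
    value = setting_value.strip()
    if not value or value == "null":  # the setting reads "null" when unset
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def flag_sideloaded_accessibility(pm_output, setting_value):
    """List (package, installer) pairs that deserve manual review."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_accessibility(setting_value)):
        # Packages absent from the -3 (third-party) listing are preinstalled.
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installers[pkg]))
    return flagged


# Constructed sample data; package names are hypothetical.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.reader  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.updater/.HelperService:"
               "com.example.notes/.ClipService")

if __name__ == "__main__":
    for pkg, src in flag_sideloaded_accessibility(SAMPLE_PM, SAMPLE_A11Y):
        print(f"review: {pkg} (installer={src}) has an accessibility service")
```

A flagged package is a lead for review rather than a verdict, and the check does not cover device administrator grants, which need to be inspected separately.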