A newly discovered Android malware dubbed DroidLock can lock victims’
screens for ransom and access text messages, call logs, contacts, audio
recordings, or even erase data.
DroidLLock allows its operator to take complete control of the device
via the VNC sharing system and can steal the device lock pattern by
placing an overlay on the screen.
According to researchers at mobile security company Zimperium, the
malware targets Spanish-speaking users and is distributed through
malicious websites promoting fake applications that impersonate
legitimate packages.
In a report today, Zimperium says that the “infection starts with a
dropper that deceives the user into installing the secondary payload
that contains the actual malware.”
The malicious apps introduce the main payload via an update request
and then ask for Device Admin and Accessibility Services permissions,
which let it to perform fraudulent activities.
Some of the actions it can take are wiping the device, locking it,
changing the PIN, password, or biometric data to prevent the user from
accessing the device.
Zimperium’s analysis discovered that DroidLock supports 15 commands
that let it send notifications, place an overlay on the screen, mute the
device, reset it to factory settings, start the camera, or uninstall
apps.
The ransomware overlay is served via WebView immediately after the
corresponding command is received, instructing the victim to contact the
threat actor at a Proton email address. If the user does not pay a
ransom in 24 hours, the actor threatens to permanently destroy the
files.
Zimperium clarifies that DroidLock does not encrypt files, but by
threatening to destroy them unless a ransom is paid, the same purpose is
achieved. Additionally, the threat actor can deny access to the device
by changing the lock code.
DroidLock can steal the lock pattern through another overlay loaded
from the malicious APK’s assets. When the user draws the pattern on the
cloned interface, they send it directly to the attacker. The purpose of
this feature is to allow remote access to the device through VNC at idle
times.
Being a member of Google’s App Defense Alliance, Zimperium shares new
malware findings with the Android security team, so Play Protect
detects and blocks this threat from up-to-date devices.
Android users are advised not to side-load APKs from outside Google
Play unless the publisher is a trusted source. They should always check
if the permissions required by an app serve its purposes, and
periodically scan their device with Play Protect.
Reference: https://www.bleepingcomputer.com