DroidLock
DroidLock is a newly identified Android malware campaign described as ransomware-like, primarily targeting Spanish-speaking and Spanish users. It is distributed through phishing websites that impersonate legitimate brands (for example telecom providers or other familiar services) and trick victims into side-loading a malicious dropper APK, which then deploys the main payload.
Once installed, DroidLock abuses Android Device Administrator and Accessibility Services permissions to gain extensive control. After Accessibility is granted, it can self-approve additional permissions (including access to SMS, call logs, contacts, and audio). It uses deceptive overlays (including fake Android/system update screens) to block interaction and to steal credentials and device unlock patterns (pattern-drawing overlays and HTML/WebView overlays that mimic legitimate login screens, including banking/payment apps). It can intercept OTPs/MFA codes displayed or received on the device.
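The permission and component combination described above (a Device Administrator receiver plus an Accessibility Service, alongside SMS, call-log, contacts, audio, camera and overlay access) is something a defender can screen for before a side-loaded APK is ever run. The script below is an added triage example, not DroidLock code and not Zimperium's tooling: it scores a decoded AndroidManifest.xml (such as one extracted with apktool) by the presence of those capabilities. The permission and binding names are the real Android identifiers; the scoring weights, the threshold and the embedded sample manifest are constructed for this demo.

```python
"""Triage heuristic for side-loaded APK manifests: flags the Device Admin +
Accessibility Service pairing together with the SMS/call-log/contacts/audio/
camera/overlay permissions described for DroidLock. Added example, not the
malware's code and not vendor tooling. Input is a decoded AndroidManifest.xml;
the manifest embedded below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission / binding identifiers; the weights are this example's own choice.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 2,   # draw overlays over other apps
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,           # OTP / MFA code interception
    "android.permission.READ_CALL_LOG": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.RECORD_AUDIO": 1,
    "android.permission.CAMERA": 1,
    "android.permission.REQUEST_DELETE_PACKAGES": 1,
}
REVIEW_THRESHOLD = 8  # constructed cut-off for this example


def analyse_manifest(xml_text: str) -> dict:
    """Return the findings and a risk score for one decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    requested = {p.get(NAME_ATTR) for p in root.findall("uses-permission")}

    # Components that declare the privileged system binding permissions.
    bound = set()
    if app is not None:
        for comp in app.findall("service") + app.findall("receiver"):
            bound.add(comp.get(PERMISSION_ATTR))
    has_accessibility = ACCESSIBILITY_BIND in bound
    has_device_admin = DEVICE_ADMIN_BIND in bound

    hits = sorted(requested & RISKY_PERMISSIONS.keys())
    score = sum(RISKY_PERMISSIONS[p] for p in hits)
    if has_accessibility:
        score += 3
    if has_device_admin:
        score += 3
    # The pairing is the lock-out primitive: Accessibility self-approves the
    # remaining prompts, Device Admin changes the lock credential.
    if has_accessibility and has_device_admin:
        score += 4

    return {
        "accessibility_service": has_accessibility,
        "device_admin": has_device_admin,
        "risky_permissions": hits,
        "score": score,
        "verdict": "review" if score >= REVIEW_THRESHOLD else "low",
    }


# Constructed sample: a fake "System Update" dropper-style manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Update">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyse_manifest(SAMPLE_MANIFEST), indent=2))
```

The heuristic deliberately weights the Device Admin and Accessibility pairing above any single dangerous permission, because that pairing, not any one permission, is what lets an app both self-approve further prompts and change the lock credential. Legitimate MDM agents and assistive apps can trip it, so treat "review" as a queue for analyst attention rather than a block decision.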
Operationally, DroidLock provides real-time remote access/control via VNC (screen streaming/remote UI control) and supports a command set described as 15 distinct commands. Reported capabilities include: locking the screen with a ransom overlay; changing PIN/password/biometric settings to deny access; muting the device; manipulating notifications; uninstalling apps; starting the camera and capturing images (including via the front camera); recording/transmitting screen activity; and destructive actions such as wiping storage and performing factory resets. DroidLock does not encrypt files; instead it extorts victims by blocking access and threatening permanent data destruction/deletion if payment is not made within 24 hours, instructing victims to contact the attackers via email (including references to a Proton email address).
Command-and-control is reported to use HTTP and WebSocket for real-time instructions and data exfiltration. Zimperium (zLabs) is credited with discovery/analysis and shared findings with Google via the App Defense Alliance; Play Protect is reported to detect/block DroidLock on up-to-date Android devices. The threat actor identity and campaign scale (infected users/ransom payments) are not specified in the content. No specific IOCs are enumerated in the provided content (only a note that a separate repository contains IOCs).
Recent activity
11 sources tracked across advisories, community write-ups, and news.
DroidLock is ransomware that targets Android devices, locking users out and demanding a ransom for access.
Android screen-locking malware presented as ransomware; denies access by locking the screen rather than encrypting files.
Android malware that locks devices with a ransomware-like overlay (without encrypting files), steals app-lock credentials, abuses accessibility services and device admin privileges to change lock PIN/password, can lock/erase data, capture images via front camera, silence device, and supports remote control/streaming via VNC.
DroidLock is a sophisticated Android malware that hijacks devices, locks users out, and turns phones into surveillance tools. It uses phishing sites to trick users into installation, abuses Device Administrator permissions, and can remotely control the device, steal credentials via overlays, stream the screen, and capture images from the front camera. While it mimics ransomware by locking users out and demanding contact, it does not encrypt files.