Beware Of DroidLock Malware That Hijacks Android Devices To Extort Ransom Money

The holidays may be upon us, but that isn’t slowing down threat actors. Zimperium’s zLabs research team has discovered a new piece of malware targeting Android users, dubbed DroidLock, that aims to completely hijack a device and enable the theft of login credentials or destruction of a victim’s data.

As seen with other recent malware, it “propagates via phishing websites,” where users are tricked into installing the malicious app that masquerades as a legitimate one. The installation process even displays a dialog box that includes the Google Play logo to further give the impression of legitimacy. Once installed, it requests a wide range of permissions that give attackers significant control over the device.

Once the device is under an attacker’s control, the malware is able to do serious damage. One of its features is that it displays an overlay on the entire screen threatening users that their data will be destroyed, and the only way to prevent this is to contact and pay the attackers within 24 hours. Additionally, it can lock users out of a device by changing the access PIN, password or biometric information.

Image by Zimperium.

If deleting a victim’s data or locking them out of their device weren’t bad enough, DroidLock has another dirty trick up its sleeve. It’s capable of checking whether an app opened by a user matches a WebView stored locally by the malware. If it’s a match, it will commandeer the screen so it looks like the legitimate app and request login credentials.

It’s not just limited to apps that it can match, though. It’s able to abuse the MediaProjection and VirtualDisplay services to take screenshots of whatever is being displayed on a device’s screen, which can also be used to steal credentials or other private information.
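For defenders triaging a sideloaded APK, the behaviours described above (full-screen overlay, PIN or password changes, screen capture) leave traces in the app's decoded AndroidManifest.xml. The following is an added example, not code from Zimperium or this article; the mapping from each behaviour to a standard Android manifest declaration and the sample manifest are this example's own constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the behaviours in the article to standard Android
# manifest declarations; this is not Zimperium's indicator list.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ADMIN = "android.permission.BIND_DEVICE_ADMIN"
PROJECTION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"


def triage_manifest(xml_text):
    """Return sorted capability labels found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    found = set()
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if OVERLAY in perms:
        found.add("overlay")
    if PROJECTION in perms:
        found.add("screen-capture")
    for receiver in root.iter("receiver"):
        # Device admin receivers are guarded by BIND_DEVICE_ADMIN.
        if receiver.get(ANDROID + "permission") == ADMIN:
            found.add("device-admin")
    for service in root.iter("service"):
        types = (service.get(ANDROID + "foregroundServiceType") or "").split("|")
        if "mediaProjection" in types:
            found.add("screen-capture")
    return sorted(found)


def needs_review(findings):
    """Overlay plus device admin lets one app cover the screen and relock it."""
    return {"overlay", "device-admin"} <= set(findings)


# Constructed sample manifest (package and class names are made up).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".Capture"
        android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE)
    print(result, "review" if needs_review(result) else "ok")
```

Each of these declarations also appears in legitimate apps, so a hit is a reason to look closer at an app installed from outside the Play Store, not a verdict.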

The existence of DroidLock is a big reason behind Google’s decision to more tightly control Android, although after backlash from its most ardent fans, the company is taking an approach that will hopefully secure more naïve users while giving more experienced users the flexibility they expect from the mobile OS.

Alan Velasco

Opinions and content posted by HotHardware contributors are their own.