Overview
- DroidLock is being pushed through phishing sites and fake apps that trick users into installing a dropper which delivers the malware.
- The malware abuses Device Administrator and Accessibility Services to change PINs, lock or wipe phones, harvest unlock patterns, and capture credentials.
- Researchers say the payload supports roughly 15 command-and-control actions and enables remote screen streaming and control via VNC.
- Victims see a full-screen ransom overlay instructing them to make contact via a Proton email address within a 24-hour deadline, with threats to destroy files even though no files are encrypted.
- Current activity primarily targets Spanish-speaking users in Europe, and experts advise keeping Android and Play Protect up to date and avoiding permission prompts from untrusted apps.
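
Because the overview above says the malware relies on holding both Device Administrator and Accessibility Services privileges, a defender can triage a handset by listing packages that hold both. The following is an added example, not code from the researchers or the original page; the package names, the allowlist and the sample dump text are constructed, and the inputs are assumed to come from `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`.

```python
import re

# Flattened Android component name: package/class (class may start with '.').
COMPONENT = re.compile(r"\b([A-Za-z]\w*(?:\.[A-Za-z_]\w*)+)/(\.?[\w.$]+)")


def packages(text):
    """Return the package name of every component name found in text."""
    return {m.group(1) for m in COMPONENT.finditer(text)}


def audit(accessibility_setting, device_admin_dump, allowlist):
    """Group non-allowlisted packages by which of the two privileges they hold."""
    a11y = packages(accessibility_setting) - allowlist
    admin = packages(device_admin_dump) - allowlist
    return {
        "both": sorted(a11y & admin),  # review these first
        "accessibility_only": sorted(a11y - admin),
        "device_admin_only": sorted(admin - a11y),
    }


# Constructed sample: colon-separated value of enabled_accessibility_services.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.updater/com.example.updater.core.HelperService:"
    "com.example.reader/.ReadAloudService"
)

# Constructed sample: the real dumpsys layout varies by Android version, so
# the parser only looks for component names and ignores the surrounding text.
SAMPLE_ADMIN = """\
Enabled Device Admins (User 0):
  com.example.updater/.AdminReceiver:
  com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
"""

# Hypothetical allowlist of packages the organisation expects to be privileged.
ALLOWLIST = {"com.google.android.marvin.talkback", "com.google.android.gms"}

if __name__ == "__main__":
    for group, names in audit(SAMPLE_A11Y, SAMPLE_ADMIN, ALLOWLIST).items():
        print(f"{group}: {', '.join(names) or '-'}")
```

A package in the `both` group is not proof of infection, only a prompt to check where the app came from and whether the user knowingly granted those privileges.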