DroidLock Android Malware Combines Ransomware and Full Remote Control

CyberSecureFox 🦊

Security researchers at Zimperium have identified a new family of Android malware dubbed DroidLock. The threat stands out because it merges two dangerous capabilities: ransomware-style device locking and remote access trojan (RAT) functionality. Once installed, DroidLock can block access to the smartphone, demand a ransom, and at the same time give attackers near-complete control over the device, including access to SMS, call logs, contacts, microphone, camera, and even factory reset.

DroidLock targets Spanish-speaking users via malicious APK downloads

According to Zimperium’s analysis, DroidLock primarily targets Spanish-speaking users. The malware is distributed through malicious websites that impersonate legitimate apps or services. Victims are prompted to download a seemingly useful application in APK format. In reality, this app acts as a dropper — an intermediate component designed to silently install the main malicious payload.

After launch, the dropper uses deceptive prompts and social engineering to convince the user to install the core DroidLock module and grant it elevated privileges. The malware aggressively requests Device Admin rights and access to Accessibility Services. While these mechanisms are intended for legitimate device management and assisting users with disabilities, they are frequently abused by Android malware to gain persistent, high-privilege control over a device.

Abuse of Device Admin and Accessibility Services for full device takeover

Once DroidLock obtains Device Admin and Accessibility permissions, it can execute a wide range of actions without user interaction. Zimperium reports support for at least 15 distinct commands from the command-and-control (C2) server, including:

Locking the screen and changing the PIN, password, or biometric settings;
Displaying arbitrary notifications and phishing overlays on top of any app;
Silencing the device and covertly recording audio through the microphone;
Activating the camera without user awareness;
Uninstalling applications and initiating a factory reset, causing complete data loss.

A key differentiator is DroidLock’s integration with VNC (Virtual Network Computing), a widely used remote desktop technology. Through VNC, attackers gain interactive control of the phone’s interface in real time, effectively operating the device as if it were in their hands. This goes far beyond typical data theft and turns the victim’s phone into a fully remote-controlled asset.

Ransomware behavior: screen-locking without file encryption

Unlike classic ransomware families that encrypt user files, DroidLock functions as a screen-locking Android ransomware. Its primary extortion mechanism is complete denial of access to the device. Once the C2 server issues the command, DroidLock displays a full-screen ransom note implemented as a WebView overlay that blocks access to all other apps and the system UI.

The ransom screen informs the victim that the device is locked and instructs them to contact the operators via a Proton Mail address and pay a ransom to restore access. Attackers threaten to delete all data if payment is not made within 24 hours. From a technical standpoint, this is not an empty threat: DroidLock can both wipe user data and change the unlock credentials, making the device effectively unusable.

Credential theft via fake pattern lock and overlay-based phishing

One of DroidLock’s most dangerous capabilities is its pattern lock theft feature. The malware loads a specially crafted overlay from its APK resources that visually imitates Android’s native pattern unlock screen. When the victim draws their pattern on this fake interface, the unlock sequence is immediately captured and sent to the attackers’ server.

Armed with the real pattern or PIN, the operators can authenticate on the device during periods of inactivity and use VNC remote access with full privileges. This turns the attack from a one-time lockout into an ongoing compromise. The device can be used for long-term surveillance, interception of SMS messages (including one-time passwords and 2FA codes), and subsequent attacks on banking apps, messengers, and email accounts via overlay-based phishing and credential harvesting.

Detection by Google Play Protect and the broader Android threat landscape

Zimperium has shared technical indicators of compromise and samples with the Android Security team. According to the vendor, modern devices with Google Play Protect enabled are already capable of detecting and blocking DroidLock. This significantly reduces the risk of infection from official channels, but does not eliminate the threat from sideloaded apps and third-party stores, where Play Protect is often the only remaining line of defense.

Industry reports from vendors such as Google, Kaspersky, and ESET have consistently highlighted growth in Android malware abusing Accessibility Services and screen overlays over recent years. DroidLock fits this trend and illustrates how combining Device Admin, Accessibility, and VNC-based remote access creates a potent toolkit for both extortion and long-term espionage on mobile endpoints.

For individual users and organizations alike, DroidLock underscores the need to treat mobile security with the same rigor as server and workstation security. Reducing risk requires avoiding APK installations from untrusted sources, carefully reviewing requested permissions, staying suspicious of any app that insists on Device Admin or full Accessibility access, keeping Android and Google Play Services updated, and deploying mobile EDR or MDM solutions in enterprise environments.
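The privilege combination the article describes (an app that holds Device Admin rights and an enabled Accessibility Service, and that did not come from the Play Store) is exactly what an MDM or mobile EDR check, or an analyst with adb access, would look for during triage. The following Python script is an added example, not code from the article or from Zimperium: it parses the output of three adb commands (`settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `pm list packages -i`) and flags packages that hold either privilege, are not on an organisation's allowlist, or were sideloaded. The sample outputs, the allowlist and the package names are constructed for illustration; the `dumpsys device_policy` layout is approximated and should be checked against the device's Android version before relying on the regex.

```python
"""Audit Android devices for apps holding Device Admin or Accessibility
Service privileges (added example; not Zimperium's tooling).

Inputs are the raw text of three adb commands. The samples below are
constructed to show the expected format."""
import re

# Constructed sample of:
#   adb shell settings get secure enabled_accessibility_services
# (colon-separated 'package/service' component names)
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakeupdater/.SysAccessService"
)

# Constructed, approximate sample of the admin section of:
#   adb shell dumpsys device_policy
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.fakeupdater/com.example.fakeupdater.AdminReceiver}:
      uid=10150
    ComponentInfo{com.acme.mdm/com.acme.mdm.DeviceAdminReceiver}:
      uid=10042
"""

# Constructed sample of:
#   adb shell pm list packages -i
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdater  installer=null
package:com.acme.mdm  installer=com.android.vending
"""

# Installers considered trustworthy (Play Store package name)
TRUSTED_INSTALLERS = {"com.android.vending"}
# Hypothetical allowlist: packages the organisation knowingly lets hold these privileges
ALLOWLIST = {"com.google.android.marvin.talkback", "com.acme.mdm"}


def parse_accessibility(setting):
    """Return the set of package names with an enabled accessibility service."""
    return {comp.split("/", 1)[0] for comp in setting.strip().split(":") if comp}


def parse_device_admins(dump):
    """Return the set of package names registered as active device admins."""
    return set(re.findall(r"ComponentInfo\{([^/}]+)/", dump))


def parse_installers(listing):
    """Map package name -> installer package ('null' when sideloaded or unknown)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"package:(\S+)\s+installer=(\S+)", listing)}


def audit(accessibility, device_policy, installers):
    """Return [(package, [reasons])] for every non-allowlisted package that holds
    Device Admin and/or Accessibility privileges. Packages combining both
    privileges (the DroidLock pattern) are listed first."""
    a11y = parse_accessibility(accessibility)
    admins = parse_device_admins(device_policy)
    installer_of = parse_installers(installers)
    findings = []
    for pkg in sorted(a11y | admins):
        if pkg in ALLOWLIST:
            continue
        reasons = []
        if pkg in admins:
            reasons.append("device-admin")
        if pkg in a11y:
            reasons.append("accessibility-service")
        if installer_of.get(pkg, "null") not in TRUSTED_INSTALLERS:
            reasons.append("sideloaded")
        findings.append((pkg, reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, SAMPLE_INSTALLERS):
        print(f"{pkg}: {', '.join(reasons)}")
```

On a real device, replace the constructed samples with the captured command output; a package that appears with all three reasons is the strongest signal and should be isolated and its APK retained for analysis rather than simply uninstalled, since Device Admin rights may block removal until they are revoked.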

Smartphones today are critical work tools and repositories of sensitive personal and corporate data. Strengthening Android security by disabling unnecessary sideloading, regularly checking security settings, avoiding root access, maintaining offline backups, and using reputable mobile security solutions significantly lowers the likelihood of a successful attack — even from feature-rich threats such as the DroidLock Android ransomware and remote access malware.
