A report published today by mobile security platform provider Zimperium Inc. warns of a strain of Android malware that can give attackers near-total control of an infected device through a combination of social engineering, elevated permissions and real-time remote access.
Dubbed “DroidLock,” the malware is distributed through phishing websites that trick users into installing a malicious dropper application, which then fetches and installs the core payload in a second stage. The payload repeatedly prompts the user to grant it Accessibility Services and device administrator privileges. Neither is a bypass of Android’s security model in the strict sense: both are legitimate, user-granted privileges, but together they let an app read and act on other apps’ screens and invoke the lock, credential-reset and wipe functions that Android reserves for trusted administration tools, which is what makes them the usual target of this kind of malware.
DroidLock then establishes communication with command-and-control infrastructure using HTTP and WebSocket connections to allow the attackers to issue live commands remotely.
Malware targeting Android devices is not new; what makes DroidLock interesting, according to researchers at Zimperium’s zLabs, is that its capabilities go well beyond those typically seen in mobile malware and ransomware.
DroidLock can display full-screen ransom overlays designed to impersonate system update screens, force the device into a locked state, alter lock-screen credentials such as the PIN and biometric settings, and even wipe the device completely.
The malware can also display fake login overlays over legitimate applications to harvest banking and account credentials, silently capture screen activity, trigger the device camera, mute system audio, uninstall apps and manipulate notifications.
Notably, although it is classed as ransomware, DroidLock does not encrypt files. It coerces through device control instead: it locks victims out of their phones and threatens permanent data loss unless a ransom is paid, a threat the wipe capability makes credible. That also means the usual file-encryption indicators, such as mass file renames or unusual disk writes, will not be present.
The broader implication is that the same toolkit, once built, is reusable. So far DroidLock has only been observed in a campaign targeting Spanish Android users, but its combination of overlay-based credential theft, remote control and non-encrypting extortion could be a sign of the malware and ransomware campaigns to come.
The researchers advise Android users to avoid installing apps from untrusted websites and to be skeptical of any application requesting accessibility or device administrator permissions. Enterprises are also advised to use runtime mobile threat detection, continuous behavioral monitoring and strong mobile endpoint protection.
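One concrete way to act on that advice is to audit which installed packages hold the privilege combination DroidLock depends on. The script below is an added example, not code from Zimperium or from the report, and it does not detect DroidLock by signature; it parses the output of two standard adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`) and flags any package that is not on an allowlist and holds an enabled accessibility service, a device-admin policy that can lock, reset credentials or wipe, or both. The sample command output, the package names `com.sysupdate.service` and `com.example.mdm`, and the `KNOWN_GOOD` allowlist are constructed for illustration and are not indicators from the report.

```python
"""Added triage example (not from the Zimperium report): find apps holding the
accessibility + device-admin combination described in the article.

Sample inputs are constructed to match the shape of the two adb commands named
in the comments; they are not captured from a real device.
"""
import re
from typing import Dict, List, Set

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format is a colon-separated list of "package/ServiceClass" entries.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.sysupdate.service/com.sysupdate.service.OverlayAccessibilityService"
)

# Constructed sample modelled on the "Enabled Device Admins" block of:
# adb shell dumpsys device_policy
DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Device Owner:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.sysupdate.service/.AdminReceiver:
      uid=10234
      policies:
        force-lock
        reset-password
        wipe-data
    com.example.mdm/.DeviceAdminReceiver:
      uid=10111
      policies:
        limit-password
        force-lock
  Password history length:
"""

# Hypothetical allowlist: packages you expect to hold these privileges (an assumption;
# replace with your fleet's accessibility tools and MDM agent).
KNOWN_GOOD = {"com.google.android.marvin.talkback", "com.example.mdm"}

# Device-admin policies that map onto the lock / credential-change / wipe behaviour
# the article attributes to DroidLock.
DESTRUCTIVE_POLICIES = {"force-lock", "reset-password", "wipe-data"}


def parse_accessibility(setting: str) -> Set[str]:
    """Return the set of packages with at least one enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry.strip()}


def parse_device_admins(dump: str) -> Dict[str, Set[str]]:
    """Map each enabled device-admin package to the policy names it declares."""
    admins: Dict[str, Set[str]] = {}
    current = None
    in_policies = False
    for line in dump.splitlines():
        stripped = line.strip()
        # An admin entry looks like "pkg/.Receiver:" or "pkg/fully.qualified.Receiver:"
        m = re.match(r"^([\w.]+)/[\w.$]+:$", stripped)
        if m:
            current = m.group(1)
            admins[current] = set()
            in_policies = False
            continue
        if current and stripped == "policies:":
            in_policies = True
            continue
        if current and in_policies and re.fullmatch(r"[a-z-]+", stripped):
            admins[current].add(stripped)
        else:
            in_policies = False  # any other line ends the policy list
    return admins


def find_suspects(a11y_setting: str, dp_dump: str,
                  allowlist: Set[str] = KNOWN_GOOD) -> List[dict]:
    """Flag non-allowlisted packages holding accessibility and/or destructive admin policies.

    Severity is "high" when a package has both (the DroidLock pattern) and
    "medium" when it has only one of the two.
    """
    a11y = parse_accessibility(a11y_setting)
    admins = parse_device_admins(dp_dump)
    findings: List[dict] = []
    for pkg, policies in admins.items():
        destructive = policies & DESTRUCTIVE_POLICIES
        has_a11y = pkg in a11y
        if pkg in allowlist or not (has_a11y or destructive):
            continue
        findings.append({
            "package": pkg,
            "accessibility": has_a11y,
            "destructive_policies": sorted(destructive),
            "severity": "high" if (has_a11y and destructive) else "medium",
        })
    # Accessibility-only packages that are not device admins are still worth a look.
    for pkg in a11y - set(admins) - allowlist:
        findings.append({"package": pkg, "accessibility": True,
                         "destructive_policies": [], "severity": "medium"})
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for finding in find_suspects(ENABLED_A11Y, DUMPSYS_DEVICE_POLICY):
        print(finding)
```

In practice you would feed the script the live output of the two adb commands (or the equivalent data from your MDM's device inventory) rather than the constructed samples. Treat a declared `reset-password` or `wipe-data` policy as stated intent rather than proof of what the app can do on a given device, since what a device admin is allowed to change on the lock screen varies by Android version; the point of the check is that an app outside your allowlist should not be asking for any of it.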