zLabs researchers identified a new Android ransomware campaign, DroidLock, that spreads via phishing sites and uses a dropper to install a secondary payload which abuses Accessibility and Device Admin permissions to fully take over devices. The malware supports overlays to steal credentials and lock patterns, screen recording, VNC remote control, and communicates with C2 servers over HTTP and websockets. #DroidLock #Zimperium
Keypoints
- DroidLock is delivered via phishing websites using a dropper that installs a secondary payload to bypass Android restrictions and obtain Accessibility permissions.
- Once granted Accessibility, the malware auto-approves additional permissions (SMS, call logs, contacts, audio) enabling broad data access and persistence.
- The malware uses HTTP for initial device info exfiltration and websockets for bidirectional C2 command/control, supporting 15 distinct commands from the attacker.
- Ransomware-like behavior includes full-screen scary overlays, fake system update screens, device wipe capability, PIN/biometric changes, and permanent lockout via Device Admin abuse.
- Credential theft is performed via two overlay mechanisms: an in-memory fast lock-pattern overlay and WebView overlays that render attacker-controlled HTML from a local database.
- Advanced collection features include persistent screen recording (MediaProjection), camera capture, SMS interception, clipboard theft, keylogging, audio capture, and location tracking.
- Zimperium's on-device dynamic detection (MTD / zDefend) detected all samples in a zero-day fashion, and protection is recommended for enterprise devices.
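Because the chain hinges on an app obtaining Accessibility and then Device Admin rights, a quick fleet check is to compare the services and admin receivers enabled on a device against an allowlist. The helper below is an added example, not code from the report or from Zimperium; its sample strings are constructed to mimic `adb shell settings get secure enabled_accessibility_services` and the "Enabled Device Admins" block of `adb shell dumpsys device_policy` (that layout is an assumption), and every package name in it is hypothetical.

```python
# Added triage helper: flag Accessibility services and Device Admin receivers
# not on a fleet allowlist. Sample strings are constructed to mimic
# `settings get secure enabled_accessibility_services` and the 'Enabled Device
# Admins' block of `dumpsys device_policy` (format assumed); package names are
# hypothetical, not indicators from the DroidLock report.
import re

ALLOWED_ACCESSIBILITY = {"com.android.talkback/com.google.android.marvin.talkback.TalkBackService"}
ALLOWED_ADMINS = {"com.example.mdm/.AdminReceiver"}

SAMPLE_ACCESSIBILITY = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.orangeupdate/.svc.AccessService")  # constructed
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10042
    com.example.orangeupdate/.svc.AdminReceiver:
      uid=10143
  Encryption Status: 5
"""  # constructed excerpt

def parse_accessibility(setting: str) -> list[str]:
    """Split the colon-separated setting; an empty string or 'null' means none."""
    if not setting or setting.strip() == "null":
        return []
    return [s for s in setting.strip().split(":") if s]

def parse_device_admins(dump: str) -> list[str]:
    """Collect 'pkg/.Receiver' entries under the Enabled Device Admins header."""
    admins, in_section = [], False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        entry = re.match(r"^ {4}([\w.]+/[\w.$]+):\s*$", line)
        if in_section and entry:
            admins.append(entry.group(1))
        elif in_section and line.startswith("  ") and not line.startswith("    "):
            in_section = False  # reached the next top-level section
    return admins

def flag_unexpected(setting: str, dump: str) -> dict[str, list[str]]:
    """Entries outside the allowlists, keyed by the permission they hold."""
    return {
        "accessibility": [s for s in parse_accessibility(setting) if s not in ALLOWED_ACCESSIBILITY],
        "device_admin": [a for a in parse_device_admins(dump) if a not in ALLOWED_ADMINS],
    }
```

Anything flagged here is only a lead for a closer look at the package; legitimate MDM agents and assistive apps hold the same rights.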
MITRE Techniques
- [T1660] Phishing - Malware spread via phishing websites hosting malicious APKs. ("Adversaries host phishing websites to spread malicious APKs")
- [T1624.001] Event Triggered Execution: Broadcast Receivers - Creates a broadcast receiver to receive SMS events and other triggers. ("It creates a broadcast receiver to receive SMS events")
- [T1626.001] Abuse Elevation Control Mechanism: Device Administrator Permissions - Requests Device Admin to wipe, lock, and change PINs. ("Malware is capable of factory reset, Disable lockscreen")
- [T1655.001] Masquerading: Match Legitimate Name or Location - Uses legitimate-looking app names (e.g., "Orange") to disguise itself. ("Malware pretending to be apps such as Orange")
- [T1629.002] Device Lockout - Uses DevicePolicyManager.lockNow() and admin privileges to lock out victims. ("Malware can lockout victim through the device by DevicePolicyManager.lockNow()")
- [T1516] Input Injection - Mimics user interaction to perform clicks and gestures, and injects pattern overlays to steal credentials. ("Malware can mimic user interaction, perform clicks and various gestures, and input data")
- [T1517] Access Notifications - Intercepts notifications and OTPs via NotificationListenerService. ("The malware leverages Android NotificationListenerService to intercept OTPs")
- [T1414] Clipboard Data - Extracts data from the clipboard for credential theft and exfiltration. ("It extracts data stored on the clipboard")
- [T1417.001] Input Capture: Keylogging - Keylogger capability to capture keystrokes. ("It has a keylogger feature")
- [T1417.002] Input Capture: GUI Input Capture - Captures the displayed UI and overlays fraudulent screens to harvest credentials. ("It is able to get the shown UI.")
- [T1430] Location Tracking - Tracks victim location as part of discovery/collection. ("Location Tracking - Malware can track the victim's location")
- [T1418] Software Discovery - Enumerates installed applications (package list). ("Malware collects installed application package list")
- [T1426] System Information Discovery - Collects basic device information for analytics and profiling. ("The malware collects basic device info.")
- [T1513] Screen Capture - Records screen content via MediaProjection and VirtualDisplay and sends base64 JPEGs to C2. ("Malware can record screen content")
- [T1512] Capture Camera - Opens the camera to take pictures (front camera capture for a victim image). ("Malware opens camera and takes pictures")
- [T1429] Audio Capture - Captures or mutes audio as part of attack operations. ("Malware can mute the device")
- [T1636.004] Protected User Data: SMS Messages - Steals SMS messages including OTPs. ("Steals SMSs from the infected device")
- [T1414] Clipboard Data - Ability to steal clipboard contents, referenced again in the collection context. ("It has the ability to steal data from the clipboard")
- [T1481.002] Web Service: Bidirectional Communication - Uses a websocket for two-way C2 communication to receive commands and send data. ("It uses websocket communication to poll the TA's server and get the commands to execute.")
- [T1646] Exfiltration Over C2 Channel - Sends exfiltrated data (screenshots, SMS, clipboard) over C2 channels. ("Sending exfiltrated data over C&C server")
- [T1582] SMS Control - Reads and sends SMS as part of control and data theft. ("It can read and send SMS")
Indicators of Compromise
- [File names] Dropper and secondary APKs used in the infection chain - "dropper APK", "secondary payload APK" (used to install DroidLock and bypass restrictions)
- [Package names] Targeted application package names used for overlays and lock-pattern theft - examples include apps used for masquerade like "Orange" and server-provided target package names stored via APP_BLOCK/APP_BLOCK_LOCK_PATTERN
- [Network C2] HTTP analytics endpoint and websocket command channel used for C2 (endpoints not listed in article) - "HTTP analytics endpoint", "websocket command URL" (full endpoints available in referenced repository)
- [Screen captures] Exfiltrated screenshots encoded as base64 JPEGs - "base64-encoded JPEG screen images" (sent to C2 via the MediaProjection pipeline)
- [SMS / Notifications] Intercepted SMS and notification OTPs - "captured OTPs via NotificationListenerService", "stolen SMS messages" (used for account takeover)
- [Database entries / HTML] Local database entries storing attacker-controlled HTML overlays - "stored HTML for WebView overlays", "overlay entries mapping package names to HTML"
Read more: https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device