{
	"id": "8a647319-7baa-43ad-99c0-cc4c535ec3b4",
	"created_at": "2026-04-06T00:15:57.461249Z",
	"updated_at": "2026-04-10T13:13:02.304629Z",
	"deleted_at": null,
	"sha1_hash": "0ad80da25bf105ad1b1ba6a8260db8721641ced0",
	"title": "Total Takeover: DroidLock Hijacks Your Device",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 780067,
	"plain_text": "Total Takeover: DroidLock Hijacks Your Device\r\nBy Vishnu Pratapagiri\r\nPublished: 2025-12-10 · Archived: 2026-04-05 22:46:25 UTC\r\nExecutive Summary\r\nThe zLabs research team has identified a new threat campaign targeting Spanish Android users. DroidLock, a malware more accurately classified as ransomware, propagates via phishing websites. It can lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.\r\nIt employs deceptive system update screens to trick victims and can stream and remotely control devices via VNC. The malware also exploits device administrator privileges to lock or erase data, capture the victim's image with the front camera, and silence the device. Overall, it utilizes 15 distinct commands to interact with its C2 panel.\r\nTechnical Analysis\r\nThe infection starts with a dropper that deceives the user into installing the secondary payload that contains the actual malware (Figure 1). Using this technique, the malware bypasses Android's restrictions and abuses Accessibility services.\r\nOnce the victim grants accessibility permission (Figure 2), the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio.\r\nhttps://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device\r\nPage 1 of 12\r\nFig. 1: Dropper installs the second stage\r\nFig. 2: Requesting accessibility services to perform fraud\r\nC2 Communication\r\nThe malware leverages both websocket and HTTP communication in order to talk with its C2 (Command \u0026 Control server). In the first phase it uses the HTTP connection (Figure 3) to send basic information about the device for analytics. In a second phase, it uses websocket communication for receiving commands and sending data.\r\nFig. 3: Basic data sent to the server via HTTP communication\r\nRansomware Capabilities\r\nScary Overlay\r\nOne of the malware's capabilities is displaying a full-screen overlay using a WebView on the victim's device upon receiving a RANSOMWARE command from the C2. The overlay instructs the victim to contact the threat actor immediately through email, quoting the device ID.\r\nIt issues a severe warning: failure to comply within 24 hours will result in the destruction of all files on the device. Unlike typical ransomware, this malware version does not actually encrypt files; however, it does have the capability to wipe the device entirely. The full-screen warning (Figure 4) is alarming enough to pressure the average internet user into paying the demanded ransom to the attacker.\r\nFig. 4: Ransomware-style overlay and admin contact details\r\nLock the User Out\r\nThe malware requests Device Admin permission, along with the Accessibility Services permission, at the beginning of the installation. It uses this permission to perform various fraudulent activities, such as:\r\nWiping data from the victim's device, effectively performing a factory reset.\r\nLocking the device.\r\nChanging the PIN, password or biometric information to prevent the user from accessing the device.\r\nBased on the command received from the C2, the attacker can compromise the device indefinitely and lock the user out of it.\r\nAccepted Commands\r\nThe malware maintains continuous communication with the C2 server while awaiting instructions from the threat actor. The analysis identified all commands the malware accepts, which are listed below with brief explanations.\r\nCommand Description\r\nDEVICE_ADMIN Requests device admin permission\r\nBLACK_SCREEN Black screen overlay on top of the screen\r\nNOTIFICATION Sends a notification with title, package name, and icon\r\nBLOCK_BIOMETRIC Locks the device using device admin privileges\r\nBLACK_SCREEN_UPDATE_SYSTEM Shows an update overlay and blocks user interactions\r\nVNC Sets the VNC flag to true\r\nMUTE Mutes the device\r\nWIPE Factory resets the device\r\nRANSOMWARE Shows a ransomware overlay\r\nAPP_BLOCK Updates a stored list of blocked package names\r\nAPP_BLOCK_LOCK_PATTERN Updates list of packages targeted for lock pattern theft\r\nTURNSCREENON Turns the screen on using a wakelock\r\nCAMERA Sets the camera flag to true\r\nUNINSTALL_APP Uninstalls a specific app received from the server\r\nINJECT_APP Overlays targeted app UI to steal credentials; stores overlays dynamically\r\nDual Overlay Mechanisms for Credentials and Lock Pattern Theft\r\nDroidLock leverages Accessibility Services to create overlays on targeted applications. When an AccessibilityEvent, specifically TYPE_WINDOW_STATE_CHANGED, originates from a package on the attacker's target list, the malware employs one of two overlay methods.\r\nThe first method is a fast, in-memory Lock Pattern overlay shipped in the assets folder of the APK. It presents a pattern-drawing UI to capture device unlock patterns (Figure 5). These overlay targets are managed by the APP_BLOCK_LOCK_PATTERN command, which delivers the targeted applications along with their package names and icons, all received from the server.\r\nThe second technique is a WebView overlay. It loads attacker-controlled HTML content stored locally in a database (Figure 6) that maps package names to their corresponding HTML. Whenever an application is opened, the malware queries the database for that package name; if a match is found, it launches a full-screen WebView overlay that renders the stored HTML.\r\nFig. 5: Lock screen overlay placed on top of the screen\r\nFig. 6: Queries injections from the database\r\nKeep the User Away\r\nThe malware employs a deceptive Android update screen (Figure 6), instructing victims not to power off or restart their devices. The overlay is displayed upon receiving the BLACK_SCREEN_UPDATE_SYSTEM command from the C2 server. This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background.\r\nFig. 6: Fake Android update overlay\r\nScreen Recording Feature\r\nAnother feature of the malware is the ability to secretly capture and transmit all screen activity to a remote server. It operates as a persistent foreground service, leveraging MediaProjection and VirtualDisplay to capture screen images. These images are subsequently processed, converted to base64-encoded JPEG format, and dispatched to the server. This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device's display, including credentials, MFA codes, etc.\r\nZimperium vs DroidLock\r\nDespite DroidLock's wide range of takeover capabilities — including device-admin abuse, lock-screen manipulation, credential-stealing overlays, remote control, and full screen recording — Zimperium's Mobile Threat Defense (MTD) and Mobile Application Runtime (zDefend) detect all found samples in a zero-day fashion using our on-device dynamic detection engine.\r\nFor enterprises, this matters. Once installed, DroidLock can wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint inside a corporate environment. Zimperium MTD provides protection even when devices are offline or operating outside managed networks, ensuring attacks like DroidLock are stopped before they lead to account compromise or operational disruption.\r\nMITRE ATT\u0026CK Techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1660 | Phishing | Adversaries host phishing websites to spread malicious APKs.\r\nPersistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events.\r\nPrivilege Escalation | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | Malware is capable of factory reset and disabling the lockscreen.\r\nDefense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | Malware pretending to be apps such as Orange.\r\nDefense Evasion | T1629.002 | Device Lockout | Malware can lock the victim out of the device by using DevicePolicyManager.lockNow().\r\nDefense Evasion | T1516 | Input Injection | Malware can mimic user interaction, perform clicks and various gestures, and input data.\r\nCredential Access | T1517 | Access Notifications | The malware leverages Android NotificationListenerService to intercept OTPs.\r\nCredential Access | T1414 | Clipboard Data | It extracts data stored on the clipboard.\r\nCredential Access | T1417.001 | Input Capture: Keylogging | It has a keylogger feature.\r\nCredential Access | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI.\r\nDiscovery | T1430 | Location Tracking | Malware can track the victim's location.\r\nDiscovery | T1418 | Software Discovery | Malware collects the installed application package list.\r\nDiscovery | T1426 | System Information Discovery | The malware collects basic device info.\r\nCollection | T1517 | Access Notifications | It registers a receiver to monitor incoming SMS messages.\r\nCollection | T1513 | Screen Capture | Malware can record screen content.\r\nCollection | T1512 | Capture Camera | Malware opens the camera and takes pictures.\r\nCollection | T1429 | Audio Capture | Malware can mute the device.\r\nCollection | T1636.004 | Protected User Data: SMS Messages | Steals SMSs from the infected device.\r\nCollection | T1417.001 | Input Capture: Keylogging | Malware can capture keystrokes.\r\nCollection | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI.\r\nCollection | T1414 | Clipboard Data | It has the ability to steal data from the clipboard.\r\nCommand and Control | T1481.002 | Web Service: Bidirectional Communication | It uses websocket communication to poll the TA's server and get the commands to execute.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | Sending exfiltrated data over the C\u0026C server.\r\nImpact | T1516 | Input Injection | It displays injected payloads like pattern locks and mimics banking app login screens through overlays to steal credentials.\r\nImpact | T1582 | SMS Control | It can read and send SMS.\r\nIndicators of Compromise\r\nThe full list of IOCs can be found in this repository.\r\nSource: https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device"
	],
	"report_names": [
		"total-takeover-droidlock-hijacks-your-device"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434557,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ad80da25bf105ad1b1ba6a8260db8721641ced0.pdf",
		"text": "https://archive.orkl.eu/0ad80da25bf105ad1b1ba6a8260db8721641ced0.txt",
		"img": "https://archive.orkl.eu/0ad80da25bf105ad1b1ba6a8260db8721641ced0.jpg"
	}
}