Orange Madagascar: New Android Malware Locks Device Screens and Demands a Ransom

**New Android Malware "DroidLock" Targets Spanish Users with Ransomware-Like Tactics**

Researchers at Zimperium have uncovered a sophisticated Android malware, dubbed DroidLock, capable of locking device screens, demanding ransom payments, and executing full device takeovers. The malware, which exhibits ransomware-like behavior, also wipes data, alters PINs, intercepts one-time passwords (OTPs), and remotely controls infected devices.

The campaign primarily targeted Spanish Android users through phishing sites, with attackers impersonating Orange S.A., a French telecommunications company. Once installed, DroidLock employs deceptive system update screens to trick victims into granting critical permissions, including Device Admin and Accessibility Services. These permissions enable the malware to perform malicious actions such as factory resets, device locking, PIN changes, and unauthorized access to SMS, call logs, and contacts.

The infection begins with a dropper that prompts users to enable unknown app installations, followed by a secondary payload that exploits accessibility permissions to automate further malicious actions. DroidLock uses two key overlay techniques—Lock Pattern (to capture unlock patterns) and WebView (to display attacker-controlled HTML content)—to manipulate user interactions. It also deploys a fake update screen to prevent users from interrupting its operations.

Additionally, the malware operates as a persistent foreground service, capturing screen activity via MediaProjection and VirtualDisplay, then transmitting the data to a command-and-control (C2) server. This functionality poses a severe risk, potentially exposing credentials, multi-factor authentication (MFA) codes, and other sensitive information.
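The behaviour described above maps onto a small, recognisable set of manifest capabilities: a request to install unknown packages (the dropper stage), a service bound with BIND_ACCESSIBILITY_SERVICE, a receiver bound with BIND_DEVICE_ADMIN, a foreground service of type mediaProjection, and SMS, call-log and contacts access. The following static triage script is an added example written for this page; it is not Zimperium's tooling and not part of the original article. The two AndroidManifest.xml samples embedded in it are constructed, and the package and class names in them are invented placeholders, not published indicators.

```python
"""Static triage of an AndroidManifest.xml for the capability combination
described in the DroidLock write-up (added example, not the researchers' code).
The sample manifests below are constructed; package and class names are invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS
FGS_TYPE = "{%s}foregroundServiceType" % ANDROID_NS

# Requested permissions that correspond to behaviours in the write-up.
RISKY_PERMISSIONS = {
    "install_unknown_apps": "android.permission.REQUEST_INSTALL_PACKAGES",
    "sms_intercept": "android.permission.RECEIVE_SMS",
    "call_logs": "android.permission.READ_CALL_LOG",
    "contacts": "android.permission.READ_CONTACTS",
    "media_projection_fgs": "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
}
# A service bound with the first is an accessibility service; a receiver bound
# with the second is a device-admin receiver.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(xml_text):
    """Return the set of capability labels present in the manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    found = {label for label, perm in RISKY_PERMISSIONS.items() if perm in requested}
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == BIND_ACCESSIBILITY:
            found.add("accessibility_service")
        # foregroundServiceType may list several types separated by '|'
        if "mediaProjection" in (svc.get(FGS_TYPE) or ""):
            found.add("media_projection_fgs")
    for rcv in root.iter("receiver"):
        if rcv.get(PERMISSION) == BIND_DEVICE_ADMIN:
            found.add("device_admin")
    return found


def risk_verdict(found):
    """Accessibility plus Device Admin is the takeover combination; screen
    capture or SMS access on top of it raises the verdict to critical."""
    if {"accessibility_service", "device_admin"} <= found:
        if found & {"media_projection_fgs", "sms_intercept"}:
            return "critical"
        return "high"
    if "accessibility_service" in found or "device_admin" in found:
        return "medium"
    return "low"


# Constructed sample shaped like the behaviour in the article (invented names).
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".CaptureService"
        android:foregroundServiceType="mediaProjection"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign sample for comparison.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        caps = triage_manifest(text)
        print(label, risk_verdict(caps), sorted(caps))
```

Run it against the manifest extracted from an APK (for instance with apktool) rather than the embedded samples; the verdict is a triage hint to prioritise manual review, since legitimate MDM agents and screen-reader apps also hold some of these capabilities individually.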

Zimperium has shared its findings with Google, ensuring protection for up-to-date Android devices. Indicators of Compromise (IoCs) for DroidLock have also been published to aid detection and mitigation.
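Beyond matching published IoCs, a responder can check a device directly for the two grants the malware depends on: which packages are enabled as accessibility services and which are enabled device admins. The script below is an added example, not part of the original article or of Zimperium's work; it parses the text printed by three adb commands (`settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `pm list packages -3`) and reports third-party packages holding either grant. The three outputs embedded in it are constructed samples in the shape those commands print, and com.example.fakeupdate is an invented package name, not a published indicator.

```python
"""Audit a device for third-party packages holding Accessibility Services or
Device Admin (added example; not the researchers' tooling). The adb outputs
below are constructed samples; com.example.fakeupdate is an invented name."""
import re

# Constructed output of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakeupdate/.A11yService"
)

# Constructed excerpt of: adb shell dumpsys device_policy
DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/com.google.android.gms.auth.managed.admin.DeviceAdminReceiver:
      uid=10039
      policies:
        force-lock
    com.example.fakeupdate/.AdminReceiver:
      uid=10231
      policies:
        wipe-data
        reset-password
        force-lock
"""

# Constructed output of: adb shell pm list packages -3
THIRD_PARTY = """\
package:com.example.fakeupdate
package:org.mozilla.firefox
"""

# An enabled admin appears as an indented "package/Class:" line in the dump.
ADMIN_LINE = re.compile(r"^\s+([\w.]+)/(\S+):\s*$", re.M)


def accessibility_packages(setting_value):
    """Package names from the colon-separated enabled_accessibility_services value."""
    return {c.split("/", 1)[0] for c in setting_value.split(":") if "/" in c}


def device_admin_packages(dumpsys_text):
    """Package names of every enabled device-admin component in the dump."""
    return {m.group(1) for m in ADMIN_LINE.finditer(dumpsys_text)}


def third_party_packages(pm_text):
    """Package names from 'pm list packages -3' output."""
    return {line.split(":", 1)[1].strip()
            for line in pm_text.splitlines() if line.startswith("package:")}


def audit(setting_value, dumpsys_text, pm_text):
    """Map each third-party package to the grants it holds; a package holding
    both accessibility and device_admin matches the takeover pattern."""
    a11y = accessibility_packages(setting_value)
    admins = device_admin_packages(dumpsys_text)
    findings = {}
    for pkg in third_party_packages(pm_text):
        caps = set()
        if pkg in a11y:
            caps.add("accessibility")
        if pkg in admins:
            caps.add("device_admin")
        if caps:
            findings[pkg] = caps
    return findings


if __name__ == "__main__":
    for pkg, caps in sorted(audit(ENABLED_A11Y, DUMPSYS_DEVICE_POLICY, THIRD_PARTY).items()):
        flag = "TAKEOVER-PATTERN" if caps == {"accessibility", "device_admin"} else "review"
        print(pkg, sorted(caps), flag)
```

On a live device, capture the three command outputs with adb and pass them to `audit()`. A package that holds Device Admin cannot be uninstalled until the admin is deactivated, which is why the grant is worth checking before attempting removal.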

Source: https://thecyberexpress.com/android-malware-locks-device-demands-ransom/

Orange Madagascar cybersecurity rating report: https://www.rankiteo.com/company/orange-madagascar

{
"id": "ORA1765576841",
"linkid": "orange-madagascar",
"type": "Ransomware",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Spanish Android users',
                        'industry': 'Telecommunications',
                        'location': 'France',
                        'name': 'Orange S.A.',
                        'type': 'Telecommunications company'}],
 'attack_vector': 'Phishing sites',
 'data_breach': {'data_exfiltration': 'Yes (transmitted to C2 server)',
                 'personally_identifiable_information': 'Yes (credentials, MFA '
                                                        'codes, device unlock '
                                                        'patterns)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Screen activity',
                                              'Credentials',
                                              'MFA codes',
                                              'Device unlock patterns',
                                              'SMS',
                                              'Call logs',
                                              'Contacts',
                                              'Audio']},
 'description': "A new Android malware dubbed 'DroidLock' locks device screens "
                'and demands ransom to prevent data deletion. The malware can '
                'wipe devices, change PINs, intercept OTPs, and remotely '
                'control the user interface. It targets Spanish Android users '
                'via phishing sites, impersonating companies like Orange S.A.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage for '
                                       'impersonated companies (e.g., Orange '
                                       'S.A.)',
            'data_compromised': 'Screen activity, credentials, MFA codes, '
                                'device unlock patterns, SMS, call logs, '
                                'contacts, audio',
            'identity_theft_risk': 'High (due to credential and MFA code '
                                   'theft)',
            'operational_impact': 'Device lockdown, remote control, data '
                                  'wiping, PIN changes',
            'systems_affected': 'Android devices'},
 'initial_access_broker': {'backdoors_established': 'Device Admin Permission, '
                                                    'Accessibility Services '
                                                    'Permission',
                           'entry_point': 'Phishing sites'},
 'investigation_status': 'Ongoing (findings shared with Google)',
 'motivation': 'Financial gain (ransom)',
 'post_incident_analysis': {'corrective_actions': 'Update Android protections, '
                                                  'educate users on phishing '
                                                  'risks, and enforce stricter '
                                                  'app installation policies',
                            'root_causes': 'User installation of malicious '
                                           'apps from unknown sources, '
                                           'granting excessive permissions'},
 'ransomware': {'data_exfiltration': 'Yes (screen activity transmitted to C2 '
                                     'server)',
                'ransom_demanded': 'Yes (to prevent data deletion)',
                'ransomware_strain': 'DroidLock'},
 'recommendations': 'Avoid installing apps from unknown sources, revoke '
                    'unnecessary permissions, keep devices updated, and '
                    'monitor for suspicious activity.',
 'references': [{'source': 'Zimperium'}],
 'response': {'remediation_measures': 'Google has updated protections for '
                                      'up-to-date Android devices',
              'third_party_assistance': 'Zimperium researchers'},
 'title': 'DroidLock Android Malware Incident',
 'type': 'Malware (Ransomware-like)',
 'vulnerability_exploited': 'Accessibility Services Permission, Device Admin '
                            'Permission'}