**New Android Ransomware Campaign Targets Spanish-Speaking Users with DroidLock Malware**
Researchers have uncovered an active threat campaign distributing DroidLock, a sophisticated Android ransomware strain that hijacks devices and demands payment under threats of data destruction. While the campaign has primarily targeted Spanish-speaking users, experts warn it could expand to other regions.
**How DroidLock Infects Devices**
The malware spreads via phishing sites that impersonate trusted brands, such as telecom providers, tricking victims into downloading a malicious app. Once installed, the app acts as a dropper, exploiting Device Admin and Accessibility Services permissions to gain full control. After securing accessibility access, DroidLock autonomously approves additional permissions—including SMS, call logs, contacts, and audio—to strengthen its leverage for extortion.
**Capabilities and Attack Tactics**
DroidLock employs Accessibility Services to overlay fake screens, such as a fraudulent Android update prompt, while secretly capturing device unlock patterns and app credentials. Using Virtual Network Computing (VNC), attackers gain real-time remote control, enabling them to:
- Change device PINs to lock users out
- Intercept one-time passwords (OTPs)
- Manipulate notifications, mute audio, or uninstall apps
- Activate the camera for surveillance
- Wipe the device if ransom demands aren’t met
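Both the dropper stage above and the capabilities list hinge on the same two grants, Device Admin and an enabled Accessibility Service, so that is what a defender can audit on a device. The following is an added example, not code from the article or from Zimperium: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` and flags any component that is not on a locally maintained allowlist. The package names, the allowlist and the captured output are constructed for the example.

```python
"""Added example (not from the article or Zimperium): flag unreviewed Accessibility
Services and Device Admins, the two roles DroidLock abuses, from adb output."""
import re

# Constructed allowlist: components a human has already reviewed on this fleet.
ALLOWLIST = {"com.example.mdm/com.example.mdm.AdminReceiver",
             "com.example.screenreader/com.example.screenreader.TalkService"}
ADMIN_RE = re.compile(r"ComponentInfo\{([^}]+)\}")

# Constructed samples of the two command outputs, standing in for a device where a
# sideloaded "update" app obtained both roles:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy
SAMPLE_A11Y = ("com.example.screenreader/com.example.screenreader.TalkService:"
               "com.fake.update/com.fake.update.A11yService")
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}:
      uid=10127
    ComponentInfo{com.fake.update/com.fake.update.AdminReceiver}:
  Device Owner:
"""

def parse_accessibility_services(value: str) -> list[str]:
    """Split the colon-separated secure setting into pkg/class entries."""
    value = value.strip()
    return [] if value in ("", "null") else [c for c in value.split(":") if c]

def parse_device_admins(dumpsys: str) -> list[str]:
    """Collect ComponentInfo{pkg/cls} entries under 'Enabled Device Admins'."""
    admins, header_indent = [], None
    for line in dumpsys.splitlines():
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            header_indent = indent            # entering the admin block
            continue
        if header_indent is not None and line.strip() and indent <= header_indent:
            header_indent = None              # sibling section reached: block ended
        if header_indent is not None and (m := ADMIN_RE.search(line)):
            admins.append(m.group(1))
    return admins

def flag_unknown(components: list[str], allowlist=ALLOWLIST) -> list[str]:
    """Components holding a powerful role that nobody approved."""
    return sorted(c for c in components if c not in allowlist)

if __name__ == "__main__":
    found = parse_accessibility_services(SAMPLE_A11Y) + parse_device_admins(SAMPLE_DUMPSYS)
    for comp in flag_unknown(found):      # both entries of the fake update app
        print("REVIEW:", comp)
```

On a real device, feed the two functions the actual adb output instead of the samples; anything flagged that the user cannot explain is worth treating as a possible dropper.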
Unlike traditional ransomware, DroidLock does not encrypt files but instead blocks access and threatens permanent data deletion unless payment is made within 24 hours. Victims receive a ransom note with an email contact and device ID, accompanied by countdown timers and warnings against involving authorities or recovery tools.
**Researchers’ Findings**
Security firm Zimperium highlighted the malware’s ability to bypass security measures and escalate privileges rapidly. The campaign’s success in Spain may prompt its expansion to other markets, raising concerns about its potential global reach.
PSafe US cybersecurity rating report: https://www.rankiteo.com/company/psafeus
```json
{
  "id": "PSA1765476395",
  "linkid": "psafeus",
  "type": "Ransomware",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```

```json
{
  "affected_entities": [
    {
      "location": "Primarily Spanish-speaking regions (potential global spread)",
      "type": "Individual users"
    }
  ],
  "attack_vector": "Phishing (malicious app installation via fake telecom provider or brand impersonation)",
  "customer_advisories": "Users are advised to avoid sideloading apps, verify app legitimacy, and use anti-malware tools. If infected, victims should contact security experts and avoid paying the ransom.",
  "data_breach": {
    "data_encryption": "No (files not encrypted, but device access is blocked)",
    "data_exfiltration": "Possible (via remote control and VNC)",
    "personally_identifiable_information": "Yes (contacts, SMS, call logs, credentials, OTPs)",
    "sensitivity_of_data": "High (personally identifiable information, authentication data)",
    "type_of_data_compromised": "SMS, call logs, contacts, audio, device unlock patterns, app credentials, OTPs"
  },
  "description": "Researchers have analyzed a new threat campaign actively targeting Android users with malware named DroidLock. The malware takes over a device and holds it for ransom by abusing Device Admin and Accessibility Services permissions. The campaign primarily targets Spanish-speaking users but could spread globally.",
  "impact": {
    "data_compromised": "SMS, call logs, contacts, audio, device unlock patterns, app credentials, OTPs",
    "identity_theft_risk": "High (OTP interception, credential theft)",
    "operational_impact": "Device lockout, remote control by attackers, potential data destruction",
    "systems_affected": "Android devices"
  },
  "initial_access_broker": {
    "backdoors_established": "Device Admin and Accessibility Services abuse",
    "entry_point": "Phishing sites impersonating telecom providers or brands"
  },
  "investigation_status": "Ongoing (researchers actively analyzing the campaign)",
  "lessons_learned": "Android users should avoid sideloading apps, scrutinize permissions (especially Accessibility Services), and use real-time anti-malware solutions. Keeping devices updated is critical to prevent exploitation of known vulnerabilities.",
  "motivation": "Financial gain (ransom)",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced permission controls for Accessibility Services, stricter app store vetting, user education on phishing and sideloading risks, and real-time anti-malware adoption.",
    "root_causes": "Abuse of Android permissions (Device Admin and Accessibility Services), lack of user awareness about sideloading risks, and delayed security updates."
  },
  "ransomware": {
    "data_encryption": "No",
    "data_exfiltration": "Possible (via remote control)",
    "ransom_demanded": "Yes (amount not specified)",
    "ransomware_strain": "DroidLock"
  },
  "recommendations": [
    "Only install apps from official app stores (Google Play).",
    "Avoid installing apps promoted via SMS, email, or messaging apps.",
    "Verify developer names, download counts, and user reviews before installing apps.",
    "Use up-to-date anti-malware solutions (e.g., Malwarebytes for Android).",
    "Scrutinize app permissions, especially for Accessibility Services, SMS, or camera access.",
    "Keep Android, Google Play services, and apps updated for security fixes."
  ],
  "references": [
    {"source": "Zimperium"}
  ],
  "response": {
    "remediation_measures": "Uninstall malicious app, use anti-malware solutions (e.g., Malwarebytes for Android), reset device PIN"
  },
  "title": "DroidLock Android Ransomware Campaign",
  "type": "Ransomware",
  "vulnerability_exploited": "Abuse of Device Admin and Accessibility Services permissions"
}
```