The New DroidLock Virus Locks Your Phone, Threatens Deletion

Friday, 12 December 2025 at 08:14
Okay, serious security news here. A brand-new kind of Android ransomware, which security researchers are calling DroidLock, has suddenly popped up and it’s spreading fast. This is seriously dangerous for anyone who downloads apps from sketchy, unofficial websites. Security company Zimperium found it, and they told BleepingComputer about it on December 10th. The malware mostly targets Spanish-speaking users, using phishing sites to trick people. The biggest trick? It uses a fake "system update" screen, much like other scams we’ve talked about before, such as those fake HyperOS fixes.
The way DroidLock works is actually pretty sneaky. It starts with a multi-stage dropper, which looks just like a normal app. When the user agrees to install this fake update, the actual bad software is dropped quietly onto the device. This layering makes it much easier to sneak past someone's notice, especially if their phone security settings are a bit relaxed.

Key points

  • The DroidLock ransomware targets Android users, spreading primarily through malicious websites that push fake "system update" screens.
  • The malware is dangerous because it uses a multi-stage dropper and aggressively requests Device Manager and Accessibility Services permissions.
  • DroidLock enables VNC-based remote control and uses a transparent overlay to steal screen unlock patterns/PINs.
  • The attack is screen-locking extortion—it does not encrypt files but locks the device completely and threatens deletion within 24 hours.
  • Users must avoid installing apps outside official stores and be highly skeptical of apps requesting Accessibility permissions.

How This DroidLock Attack Happens

As soon as it installs, DroidLock instantly requests two really critical permissions: Device Manager and Accessibility Services. Getting these two is the key. They let the malware run something like 15 special, malicious commands.
The things DroidLock can do are pretty intense. It can mute your device audio so you don't hear notifications. It can turn on your camera remotely. It can uninstall certain apps. And it can steal all your SMS messages and call logs. Worst of all, it runs a transparent screen overlay to secretly record your screen unlock pattern or PIN, sending that straight to the criminal.
Once it has these permissions, DroidLock opens a VNC-based remote access channel. This basically lets the attacker control your phone as if it were right in their hands. The transparent overlay is the ultimate trick: it captures your lock credentials and sends them to the attacker.
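A defender-side check for the permission pairing described above, as an added example that is not from Zimperium or the original article: it parses the output of three adb commands and flags packages that hold both an enabled accessibility service and device admin rights, noting whether they came from a trusted store. The sample output, the package names and the `dumpsys device_policy` layout (which varies by Android version) are constructed assumptions.

```python
import re

# Constructed sample output (not from a real device) of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy   (layout assumed; varies by Android version)
#   adb shell pm list packages -i
A11Y = "com.example.reader/.TalkService:com.example.sysupdate/.OverlayService"
DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 3):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10013
    com.example.sysupdate/.AdminReceiver:
      uid=10231
"""
PACKAGES = """\
package:com.example.reader  installer=com.android.vending
package:com.google.android.gms  installer=com.android.vending
package:com.example.sysupdate  installer=null
"""
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: add your OEM store


def accessibility_packages(value):
    """Packages with an enabled accessibility service; 'null' or '' gives none."""
    items = value.strip().split(":")
    return {c.split("/", 1)[0] for c in items if "/" in c}


def admin_packages(dump):
    """Packages on 'pkg/Receiver:' component lines of the device_policy dump."""
    return set(re.findall(r"^\s+([\w.]+)/[\w.$]+:\s*$", dump, re.MULTILINE))


def installers(listing):
    """Map package -> installer from 'pm list packages -i' lines."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", listing, re.MULTILINE))


def audit(a11y, dump, listing):
    """(package, untrusted_source) for apps holding both privileges."""
    src = installers(listing)
    both = accessibility_packages(a11y) & admin_packages(dump)
    return sorted((p, src.get(p) not in TRUSTED_INSTALLERS) for p in both)


if __name__ == "__main__":
    print(audit(A11Y, DEVICE_POLICY, PACKAGES))
```

A hit is a prompt for manual review, not a verdict: legitimate device-management and assistive apps can hold either privilege.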

The Ransom Strategy: Screen Lock, Not File Encrypting

DroidLock doesn’t work like old-school ransomware that encrypts all your files. No, DroidLock is about screen-locking extortion. It uses a persistent WebView overlay that covers the entire screen, blocking all interaction. It also changes device security settings like your PIN or biometric lock. This completely locks you out.
The criminals then show you a big ransom note. They tell you to contact them via a ProtonMail address and issue a scary threat: all your files will be deleted within 24 hours unless you pay up. Since they can change your PIN and even remotely wipe the device, that threat is very real. While they don't encrypt files, the effect is the same—they use pure psychological pressure to make you pay.

Protection Tips

The good news is that Zimperium, as a member of the Google App Defense Alliance, has already shared the DroidLock signature with Google. That means devices with Google Play Protect enabled should automatically detect and block this threat now.
For users, especially those with Xiaomi phones running HyperOS, there are extra steps that can help.
  • Always run routine malware scans using your manufacturer's Security app (Xiaomi, Samsung, Honor, Huawei, etc.).
  • Never install applications from anywhere except the official Google Play Store or your manufacturer's app store. Sideloading is dangerous.
  • Be extremely careful whenever an app asks for Accessibility permissions. This is a common and deadly attack vector.
  • Keep your OS updated through official channels.
DroidLock is a serious sign of a new, aggressive wave of Android malware. Because of its multi-stage trickery, strong remote-control features, and that aggressive 24-hour threat, everyone needs to be very careful about where they get their apps and what permissions they approve.