December 11, 2025 By Pieter Arntz
Researchers have analyzed a new threat campaign actively targeting Android users. The malware, named DroidLock, takes over a device and then holds it for ransom. The campaign to date has primarily targeted Spanish-speaking users, but researchers warn it could spread.
DroidLock is delivered via phishing sites that trick users into installing a malicious app pretending to be, for example, a telecom provider or other familiar brand. The app is really a dropper that installs malware able to take complete control of the device by abusing Device Admin and Accessibility Services permissions.
Once the victim grants accessibility permission, the malware starts approving additional permissions on its own. This can include access to SMS, call logs, contacts, and audio, which gives attackers more leverage in a ransom demand.
DroidLock also leverages Accessibility Services to create overlays on other apps. The overlays can capture device unlock patterns (giving the attacker full access) and also show a fake Android update screen, instructing victims not to power off or restart their devices.
