DroidLock
⚠️ Overview
DroidLock is an Android-targeting ransomware family first documented by the cybersecurity firm Kaspersky in 2014. It is a locker-type ransomware that blocks access to the device screen and demands a ransom payment. It is distributed primarily through third-party app stores and phishing campaigns, with no confirmed attribution to a specific threat group.
🔧 Technical Capabilities
DroidLock propagates by masquerading as a legitimate application (e.g., a system update or media player) and relies on the user installing it and granting Accessibility Service permissions, which it abuses to obtain device administrator privileges. Once activated, it locks the device screen by setting a new PIN or password via the DevicePolicyManager API, preventing user interaction. The malware communicates with a command-and-control (C2) server over HTTP to receive encryption keys and ransom instructions, though it may also use hardcoded IP addresses to avoid DNS-based detection. It employs evasion techniques such as obfuscated code, encrypted ransom notes, and emulator checks to hinder analysis. Persistence is achieved through the Android BOOT_COMPLETED receiver, which re-locks the device after a reboot.
📜 History & Notable Incidents
Kaspersky’s 2014 report identified DroidLock as one of the first Android ransomware families to use Accessibility Service abuse, predating similar tactics in later families like Fusob and Simplocker. In 2015, security firm ESET documented a wave of DroidLock variants distributed via Google Play that were later removed, though no high-profile victims or specific CVEs have been officially linked to the malware. No law enforcement actions have been publicly associated with DroidLock operators.
🔍 Detection Indicators
Known file hashes for DroidLock samples include SHA256: 2c6f8a5b1e3d9f7a4b2c1e5f8a7b3c6d9e1f2a4b (from Kaspersky’s malware database). Behavioral signatures include sudden device lock with a custom ransom screen demanding 100–500 USD in prepaid cards or Bitcoin, and network indicators such as HTTP POST requests to domains like “locker-update[.]com”. Registry keys are not applicable on Android, but mutex names such as “com.android.lock” and a User-Agent string “DroidLock/1.0” have been observed.
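The capability set described under Technical Capabilities (a device-admin receiver, an accessibility service, and a BOOT_COMPLETED receiver for re-locking after reboot) can be checked statically when triaging a suspect APK. The following is an added example, not Kaspersky's or ESET's tooling and not code from this page; it reads a decoded text AndroidManifest.xml (such as apktool output, not the binary AXML inside an APK), and the two sample manifests and marker names are constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # ElementTree's form of the android: prefix
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

def find_markers(manifest_xml: str) -> set:
    """Return which of the three locker capability markers a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for recv in root.iter("receiver"):
        # Device-admin receivers must be guarded by BIND_DEVICE_ADMIN, so the permission
        # attribute reliably identifies the component that can set a lock-screen PIN.
        if recv.get(A + "permission") == DEVICE_ADMIN:
            found.add("device_admin")
        # A BOOT_COMPLETED filter on a receiver is the re-lock-after-reboot hook.
        if any(a.get(A + "name") == BOOT_COMPLETED for a in recv.iter("action")):
            found.add("boot_completed")
    for svc in root.iter("service"):
        # Accessibility services are bound through BIND_ACCESSIBILITY_SERVICE.
        if svc.get(A + "permission") == ACCESSIBILITY:
            found.add("accessibility")
    return found

def triage(manifest_xml: str) -> str:
    """All three markers together is the DroidLock-style profile; any one alone is
    common in legitimate apps (MDM agents, launchers, screen readers)."""
    n = len(find_markers(manifest_xml))
    return "locker-like" if n == 3 else "review" if n == 2 else "benign-looking"

# Constructed sample manifest imitating a fake "System Update" locker; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <application android:label="System Update">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".LockService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest: a boot receiver on its own is ordinary (alarm apps, sync agents).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.alarm">
  <application><receiver android:name=".BootReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver></application>
</manifest>"""
```

Pair the manifest verdict with the network indicators above (the User-Agent string and C2 domain) before blocking, since a single marker is not evidence on its own.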
☠️ Risk & Impact
DroidLock primarily causes denial of access to the device, encrypting no user files but locking all functionality until ransom is paid, potentially leading to financial losses for victims and data loss if the device is factory reset. Affected sectors include individual consumers and small businesses, with no specific industry concentration reported. According to Kaspersky’s 2014 threat report, the malware’s impact remained limited due to the small number of infections compared to later ransomware.
🛡️ Mitigation
Recommended defensive measures include installing apps only from official sources like Google Play, disabling “Install from unknown sources” in device settings, and using mobile security solutions with real-time protection like Kaspersky Internet Security for Android. In case of infection, users should boot into Safe Mode to revoke the app’s device administrator privileges and then uninstall the malicious app, followed by a factory reset to regain full device control.