Newly discovered Android malware strain is targeting Spanish-speaking users in a campaign that can lock victims out of their phones and demand ransom, according to new research.

A report from mobile security firm Zimperium says the malware, dubbed DroidLock, is distributed through phishing websites pushing fake apps that mimic legitimate Android packages. Users are tricked into installing a dropper application that deploys a secondary payload containing the actual malware.

Once activated, DroidLock can take full control of a victim’s phone, locking the screen behind a ransomware-style message that threatens to delete all files within 24 hours unless the user pays up. 

The malware does not encrypt data, but the researchers warn that it has the ability to change the device’s PIN, password or biometric settings — effectively rendering the phone unusable. The malware also exploits device administrator privileges to erase data, silence notifications and capture images with the phone’s front camera.

DroidLock additionally uses a fake Android update screen to block user interaction while malicious activity occurs in the background, and it can secretly record and transmit a victim’s screen activity to a remote server.

Zimperium did not say how many users have been infected or made extortion payments, or who is behind the campaign.

Mobile malware is rapidly evolving as hackers deploy new techniques to deceive victims and circumvent security measures.

In October, researchers identified a new Android banking trojan called Herodotus that evades detection by mimicking human behavior during remote-control operations on infected devices. 

Another recently observed malware strain, Sturnus, can intercept decrypted messages from apps including WhatsApp, Telegram and Signal.