Lock User Out of Device

An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.

On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, locking the user out of the device.

On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new one. However, on jailbroken devices, malware has been demonstrated that can lock the user out of the device [1].

ID: T1446

Tactic Type: Post-Adversary Device Access

Tactic: Impact

Platform: Android, iOS

MTC ID: APP-28

Version: 1.0

Mitigations

Mitigation Description
Application Vetting

It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. Maggi and Zanero describe a static analysis approach that can be used to identify ransomware apps, including apps that abuse Device Administrator access.[4]

Caution with Device Administrator Access

Deploy Compromised Device Detection Method

Use Recent OS Version
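The Application Vetting mitigation above can be partly automated with a static check. The following is an added example, not code from MITRE or from the Maggi and Zanero paper: it assumes the APK's AndroidManifest.xml and its device_admin policy resource have already been decoded to plain XML (for instance with apktool), looks for a receiver protected by BIND_DEVICE_ADMIN, and flags the app for review when that admin requests the reset-password or force-lock policies that this technique relies on. The sample manifest and policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
# <uses-policies> entries that let an admin app change or force the screen lock
LOCKOUT_POLICIES = {"reset-password", "force-lock"}


def device_admin_receivers(manifest_xml):
    """Names of <receiver> components protected by BIND_DEVICE_ADMIN (DeviceAdminReceivers)."""
    root = ET.fromstring(manifest_xml)
    attr = lambda el, a: el.get("{%s}%s" % (ANDROID_NS, a))
    return [attr(r, "name") for r in root.iter("receiver")
            if attr(r, "permission") == BIND_DEVICE_ADMIN]


def requested_policies(policy_xml):
    """Policy tags declared under <uses-policies> in a decoded device_admin resource."""
    uses = ET.fromstring(policy_xml).find("uses-policies")
    return set() if uses is None else {child.tag for child in uses}


def vet(manifest_xml, policy_xml):
    """Flag an app for closer scrutiny when it registers a device admin that asks for lock-screen policies."""
    receivers = device_admin_receivers(manifest_xml)
    risky = sorted(requested_policies(policy_xml) & LOCKOUT_POLICIES)
    return {"device_admin_receivers": receivers,
            "lockout_policies": risky,
            "flag_for_review": bool(receivers and risky)}


# Constructed sample input: a decoded AndroidManifest.xml and res/xml/device_admin.xml (hypothetical app)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <application>
    <receiver android:name=".LockAdmin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><reset-password/><force-lock/></uses-policies>
</device-admin>"""

if __name__ == "__main__":
    print(vet(SAMPLE_MANIFEST, SAMPLE_POLICY))
```

A hit here only means the app should be scrutinized, since legitimate enterprise management apps also declare these policies.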

Examples

Name Description
Charger

Charger locks the device if it is granted admin permissions, displaying a message demanding a "ransom" payment.[2]

KeyRaider

KeyRaider has built-in functionality to lock victims out of devices and hold them for ransom.[1]

Xbot

Xbot can remotely lock infected Android devices and ask for a ransom.[3]

References