Device Lockout

An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.

On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.[1]

On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new one. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.[2]

ID: T1446
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Impact, Defense Evasion
Platforms: Android, iOS
MTC ID: APP-28
Version: 2.0
Created: 25 October 2017
Last Modified: 09 October 2019

Procedure Examples

ID Name Description
S0524 AndroidOS/MalLocker.B

AndroidOS/MalLocker.B can prevent the user from interacting with the UI by using a carefully crafted "call" notification screen. This is coupled with overriding the onUserLeaveHint() callback method to spawn a new notification instance when the current one is dismissed.[3]

S0323 Charger

Charger locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.[4]

S0522 Exobot

Exobot can lock the device with a password and permanently disable the screen.[5]

S0536 GPlayed

GPlayed can lock the user out of the device by showing a persistent overlay.[6]

S0288 KeyRaider

KeyRaider has built-in functionality to lock victims out of devices and hold them for ransom.[2]

S0407 Monokle

Monokle can reset the user's password/PIN.[7]

S0411 Rotexy

Rotexy can lock an HTML page in the foreground, requiring the user to enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal.[8]

S0427 TrickMo

TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.[9]

S0298 Xbot

Xbot can remotely lock infected Android devices and ask for a ransom.[10]

Mitigations

ID Mitigation Description
M1005 Application Vetting

It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. A static analysis approach can be used to identify ransomware apps including apps that abuse Device Administrator access.[11]

M1007 Caution with Device Administrator Access
M1010 Deploy Compromised Device Detection Method
M1006 Use Recent OS Version
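One way to implement the app-vetting check in M1005, as an added example that is not part of this ATT&CK page: a Python script that flags an app declaring a Device Administrator receiver and lists the device-admin policies (reset-password, force-lock, wipe-data) that enable the lockout described above. It assumes the AndroidManifest.xml and the device_admin policy resource have already been decoded from the APK (e.g. with apktool); the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
# Device-admin policies that directly enable the lockout behaviour described above.
LOCKOUT_POLICIES = {"reset-password", "force-lock", "wipe-data"}

# Constructed sample input: a decoded manifest and its device_admin policy resource.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vetting.sample">
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_POLICIES = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><reset-password/><force-lock/></uses-policies>
</device-admin>"""

def find_device_admin_receivers(manifest_xml):
    """Names of receivers guarded by BIND_DEVICE_ADMIN that handle DEVICE_ADMIN_ENABLED."""
    found = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") != ADMIN_PERMISSION:
            continue
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if ADMIN_ACTION in actions:
            found.append(rcv.get(ANDROID_NS + "name"))
    return found

def requested_policies(device_admin_xml):
    """Policy tags listed under <uses-policies> (e.g. reset-password, force-lock)."""
    root = ET.fromstring(device_admin_xml)
    return {p.tag for block in root.iter("uses-policies") for p in block}

def vet(manifest_xml, device_admin_xml):
    """Flag the app if it declares a device-admin receiver and list lockout-capable policies."""
    receivers = find_device_admin_receivers(manifest_xml)
    policies = requested_policies(device_admin_xml) if receivers else set()
    return {"device_admin": bool(receivers), "receivers": receivers,
            "lockout_policies": sorted(policies & LOCKOUT_POLICIES)}

if __name__ == "__main__":
    print(vet(SAMPLE_MANIFEST, SAMPLE_POLICIES))
```

An app that is flagged here is not necessarily malicious, but it is the rare case the mitigation says should be scrutinized closely, and reset-password or force-lock in the policy list is what makes the lockout possible on pre-7 Android.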

Detection

On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.

References