Impair Defenses: Device Lockout

An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using DevicePolicyManager.lockNow(). Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted "call" notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.[1][2][3]

Prior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.[4]

ID: T1629.002
Sub-technique of:  T1629
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
MTC ID: APP-22
Version: 1.1
Created: 01 April 2022
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0524 AndroidOS/MalLocker.B

AndroidOS/MalLocker.B can prevent the user from interacting with the UI by using a carefully crafted "call" notification screen. This is coupled with overriding the onUserLeaveHint() callback method to spawn a new notification instance when the current one is dismissed. [1]

S0411 Rotexy

Rotexy can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal.[3]

S0427 TrickMo

TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.[5]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. Android 7 introduced updates that revoke standard device administrators’ ability to reset the device’s passcode.

Detection

ID Data Source Data Component Detects
DS0042 User Interface System Settings

The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.

References