1. Home
  2. Techniques
  3. Mobile
  4. Impair Defenses
  5. Device Lockout

Impair Defenses: Device Lockout

ID Name
T1629.001 Prevent Application Removal
T1629.002 Device Lockout
T1629.003 Disable or Modify Tools

An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using DevicePolicyManager.lockNow(). Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted "call" notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.[1][2][3]

Prior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.[4]

ID: T1629.002
Sub-technique of:  T1629
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android
MTC ID: APP-22
Version: 1.1
Created: 01 April 2022
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0524 AndroidOS/MalLocker.B

AndroidOS/MalLocker.B can prevent the user from interacting with the UI by using a carefully crafted "call" notification screen. This is coupled with overriding the onUserLeaveHint() callback method to spawn a new notification instance when the current one is dismissed. [1]
S0411 Rotexy

Rotexy can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal.[3]
S0427 TrickMo

TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.[5]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. Android 7 introduced updates that revoke standard device administrators’ ability to reset the device’s passcode.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0603 Detection of Device Lockout AN1652

Correlates (1) acquisition or presence of elevated control paths capable of forcing a lock state or blocking user interaction, (2) invocation of screen-locking or UI-denial behavior such as DevicePolicyManager lock operations, persistent overlays, accessibility-driven navigation interruption, or foreground lock-screen impersonation, and (3) immediate transition of the device into an unavailable or repeatedly re-locked state while the responsible application remains installed and active. The defender observes a causal chain where an application first gains the ability to control lock-related behavior, then forces or simulates lockout, and the device becomes unusable to the legitimate user.

References

  1. D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.
  2. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  3. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  1. Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.
  2. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.