Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.[1]
On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.[2]

ID | Name | Description |
---|---|---|
S0323 | Charger | Charger locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.[3] |
S0522 | Exobot | Exobot can lock the device with a password and permanently disable the screen.[4] |
S0536 | GPlayed | GPlayed can lock the user out of the device by showing a persistent overlay.[5] |
S0298 | Xbot | Xbot can remotely lock infected Android devices and ask for a ransom.[6] |

ID | Mitigation | Description |
---|---|---|
M1006 | Use Recent OS Version | Android 7 changed how the Device Administrator password APIs function. |
M1011 | User Guidance | Users should be cautioned against granting administrative access to applications. |

ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0041 | Application Vetting | Permissions Requests | Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access. |
DS0042 | User Interface | System Settings | On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. |