Endpoint Denial of Service

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.[1]

On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.[2]

ID: T1642
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android, iOS
Version: 1.1
Created: 06 April 2022
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0323 Charger

Charger locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.[3]

S0522 Exobot

Exobot can lock the device with a password and permanently disable the screen.[4]

S0536 GPlayed

GPlayed can lock the user out of the device by showing a persistent overlay.[5]

S0298 Xbot

Xbot can remotely lock infected Android devices and ask for a ransom.[6]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Android 7 changed how the Device Administrator password APIs function.

M1011 User Guidance

Users should be cautioned against granting administrative access to applications.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.

DS0042 User Interface System Settings

On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate.
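The following is an added vetting example, not part of the ATT&CK page or of any listed software: a static check that flags an APK whose manifest declares a Device Administrator receiver and whose device-admin policy file requests the reset-password or force-lock policies, the rights an app needs to lock the user out as described above. It works on decoded manifest and policy XML (the real Android conventions: a receiver guarded by android.permission.BIND_DEVICE_ADMIN, the android.app.device_admin meta-data pointing at a policy resource, and a <uses-policies> block). The sample manifest, policy file and package name are constructed for the example.

```python
"""Static vetting check for Device Administrator apps (added example).

Input is the decoded AndroidManifest.xml plus the device-admin policy XML it
references; output lists each admin receiver and the lockout-capable policies
it requests. Nothing here runs on a device or touches a real APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_META = "android.app.device_admin"
# Policies an admin receiver can use to lock the user out of the device.
LOCKOUT_POLICIES = {"reset-password", "force-lock"}


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_device_admin_receivers(manifest_xml):
    """Return [(receiver_name, policy_resource)] for every receiver that is
    guarded by BIND_DEVICE_ADMIN and listens for DEVICE_ADMIN_ENABLED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        if _attr(receiver, "permission") != BIND_DEVICE_ADMIN:
            continue
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if DEVICE_ADMIN_ENABLED not in actions:
            continue
        policy_res = None
        for meta in receiver.iter("meta-data"):
            if _attr(meta, "name") == DEVICE_ADMIN_META:
                policy_res = _attr(meta, "resource")
        found.append((_attr(receiver, "name"), policy_res))
    return found


def requested_policies(policy_xml):
    """Return the set of policy tags inside <uses-policies>, e.g. {'force-lock'}."""
    root = ET.fromstring(policy_xml)
    uses = root.find("uses-policies")
    if uses is None:
        return set()
    return {child.tag for child in uses}


def vet(manifest_xml, policy_files):
    """policy_files maps a resource reference such as '@xml/device_admin' to
    the text of that policy file. Returns one finding per admin receiver."""
    findings = []
    for name, res in find_device_admin_receivers(manifest_xml):
        policies = requested_policies(policy_files.get(res, "<device-admin/>"))
        findings.append({
            "receiver": name,
            "policies": sorted(policies),
            # Non-empty means the app can lock the user out once granted admin.
            "lockout_capable": sorted(policies & LOCKOUT_POLICIES),
        })
    return findings


# Constructed sample input: one admin receiver, one ordinary broadcast receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vetting.sample">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample policy file referenced by the admin receiver above.
SAMPLE_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password />
    <force-lock />
    <wipe-data />
  </uses-policies>
</device-admin>"""

if __name__ == "__main__":
    for finding in vet(SAMPLE_MANIFEST, {"@xml/device_admin": SAMPLE_POLICY}):
        print(finding)
```

A vetting pipeline would run this over the decoded resources of every submitted APK and route anything with a non-empty lockout_capable list to manual review; on Android 7 and later the reset-password policy no longer lets a plain admin app change the passcode, so the finding is most significant for apps targeting or installed on older devices.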

References