T1446 Device Lockout
An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.
On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode. [1]
On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device. [2]
Item | Value |
---|---|
ID | T1446 |
Sub-techniques | |
Tactics | TA0034, TA0030 |
Platforms | Android, iOS |
Version | 2.0 |
Created | 25 October 2017 |
Last Modified | 09 October 2019 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0524 | AndroidOS/MalLocker.B | AndroidOS/MalLocker.B can prevent the user from interacting with the UI by using a carefully crafted “call” notification screen. This is coupled with overriding the onUserLeaveHint() callback method to spawn a new notification instance when the current one is dismissed. [10] |
S0323 | Charger | Charger locks the device if it is granted admin permissions, displaying a message demanding a ransom payment. [5] |
S0522 | Exobot | Exobot can lock the device with a password and permanently disable the screen. [9] |
S0536 | GPlayed | GPlayed can lock the user out of the device by showing a persistent overlay. [11] |
S0288 | KeyRaider | KeyRaider has built-in functionality to lock victims out of devices and hold them for ransom. [2] |
S0407 | Monokle | Monokle can reset the user’s password/PIN. [6] |
S0411 | Rotexy | Rotexy can lock an HTML page in the foreground, requiring the user to enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal. [7] |
S0427 | TrickMo | TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor. [8] |
S0298 | Xbot | Xbot can remotely lock infected Android devices and ask for a ransom. [4] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1005 | Application Vetting | It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. A static analysis approach can be used to identify ransomware apps, including apps that abuse Device Administrator access. [3] |
M1007 | Caution with Device Administrator Access | - |
M1010 | Deploy Compromised Device Detection Method | - |
M1006 | Use Recent OS Version | - |
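The static vetting check described under M1005 can be reduced to a manifest inspection. The following is an added example, not ATT&CK tooling or code from any of the cited reports: it parses a decoded AndroidManifest.xml for a receiver wired up as a Device Administrator component (BIND_DEVICE_ADMIN permission plus the DEVICE_ADMIN_ENABLED action), reads the device-admin policy file it references, and flags the policies that directly enable lockout (reset-password, force-lock, wipe-data). It goes slightly beyond the mitigation text by also flagging the SYSTEM_ALERT_WINDOW permission, which is what the persistent-overlay lockouts on this page rely on. It assumes the APK has already been decoded to plain-text XML (for example with apktool); the manifest and policy samples below are constructed for the example, and the `vet` function and its output shape are this example's own design.

```python
# Added example (not ATT&CK's own tooling): static vetting for Device
# Administrator abuse as in M1005. Assumes the APK was decoded to text XML
# beforehand; real APKs carry binary XML, which this does not parse.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_META = "android.app.device_admin"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Device-admin policies that directly enable the lockout behaviour on this page:
# reset-password (change the lock passcode), force-lock (lock the screen),
# wipe-data (factory reset, used as a ransom threat).
LOCKOUT_POLICIES = {"reset-password", "force-lock", "wipe-data"}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def device_admin_receivers(manifest_xml):
    """Return [(receiver name, policy resource reference)] for every receiver
    that is declared as a Device Administrator component."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        if _attr(receiver, "permission") != BIND_DEVICE_ADMIN:
            continue
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if DEVICE_ADMIN_ENABLED not in actions:
            continue
        resource = None
        for meta in receiver.iter("meta-data"):
            if _attr(meta, "name") == DEVICE_ADMIN_META:
                resource = _attr(meta, "resource")
        found.append((_attr(receiver, "name"), resource))
    return found


def requested_policies(policy_xml):
    """Set of <uses-policies> children declared in a device-admin policy file."""
    root = ET.fromstring(policy_xml)
    return {child.tag for block in root.iter("uses-policies") for child in block}


def requests_overlay(manifest_xml):
    """True if the app requests the permission used to draw persistent overlays."""
    root = ET.fromstring(manifest_xml)
    return any(_attr(p, "name") == OVERLAY_PERMISSION
               for p in root.iter("uses-permission"))


def vet(manifest_xml, policy_files):
    """policy_files maps a resource reference such as '@xml/device_admin'
    to that file's decoded XML. Returns a finding summary (example's own shape)."""
    receivers = []
    for name, resource in device_admin_receivers(manifest_xml):
        policies = requested_policies(policy_files.get(resource, "<device-admin/>"))
        receivers.append({
            "receiver": name,
            "policies": sorted(policies),
            "lockout_policies": sorted(policies & LOCKOUT_POLICIES),
        })
    overlay = requests_overlay(manifest_xml)
    # Device Administrator use is rare in legitimate apps, so any such receiver
    # (especially one asking for a lockout-capable policy) warrants review.
    verdict = "review" if receivers or overlay else "ok"
    return {"verdict": verdict, "device_admin_receivers": receivers, "overlay": overlay}


# Constructed sample input: a manifest with a device-admin receiver and an
# overlay permission, its policy file, and a benign manifest for comparison.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

SAMPLE_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password/>
    <force-lock/>
    <limit-password/>
  </uses-policies>
</device-admin>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print(vet(SAMPLE_MANIFEST, {"@xml/device_admin": SAMPLE_POLICY}))
    print(vet(BENIGN_MANIFEST, {}))
```

A "review" verdict is a triage signal, not a malware verdict: legitimate MDM agents and some enterprise apps do request reset-password or force-lock, which is why M1005 calls for scrutiny rather than automatic rejection. The policy lookup falls back to an empty policy when the referenced resource was not supplied, so a receiver with a missing policy file is still reported.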
References
1. Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.
2. Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.
3. Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness - Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.
4. Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
5. Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.
6. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
7. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
8. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
9. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
10. D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware. Retrieved October 29, 2020.
11. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. Retrieved November 24, 2020.