Skip to content

T1629.002 Device Lockout

An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using DevicePolicyManager.lockNow(). Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.143

Prior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.2

Item Value
ID T1629.002
Sub-techniques T1629.001, T1629.002, T1629.003
Tactics TA0030
Platforms Android
Version 1.1
Created 01 April 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0524 AndroidOS/MalLocker.B AndroidOS/MalLocker.B can prevent the user from interacting with the UI by using a carefully crafted “call” notification screen. This is coupled with overriding the onUserLeaveHint() callback method to spawn a new notification instance when the current one is dismissed. 1
S0411 Rotexy Rotexy can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, Rotexy periodically switches off the phone screen to inhibit permission removal.3
S0427 TrickMo TrickMo can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.5


ID Mitigation Description
M1006 Use Recent OS Version Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. Android 7 introduced updates that revoke standard device administrators’ ability to reset the device’s passcode.


ID Data Source Data Component
DS0042 User Interface System Settings