
T1642 Endpoint Denial of Service

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.[2]

On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.[1]

| Item | Value |
| --- | --- |
| ID | T1642 |
| Sub-techniques | |
| Tactics | TA0034 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 06 April 2022 |
| Last Modified | 20 March 2023 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0323 | Charger | Charger locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.[4] |
| S0522 | Exobot | Exobot can lock the device with a password and permanently disable the screen.[5] |
| S0536 | GPlayed | GPlayed can lock the user out of the device by showing a persistent overlay.[6] |
| S0298 | Xbot | Xbot can remotely lock infected Android devices and ask for a ransom.[3] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1006 | Use Recent OS Version | Android 7 changed how the Device Administrator password APIs function. |
| M1011 | User Guidance | Users should be cautioned against granting administrative access to applications. |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0041 | Application Vetting | Permissions Requests |
| DS0042 | User Interface | System Settings |
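
An added example, not part of the ATT&CK entry: a vetting check for the Permissions Requests data component that flags Device Administrator receivers, the lock and passcode-reset policies they declare, and the overlay permission. The manifest, policy file and package name are constructed samples, and the input is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
LOCKOUT_POLICIES = {"reset-password", "force-lock"}

# Constructed sample: decoded manifest and policy file of a hypothetical app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/admin_policies"/>
    </receiver>
  </application>
</manifest>"""
POLICIES = {"@xml/admin_policies": "<device-admin><uses-policies>"
            "<force-lock/><reset-password/></uses-policies></device-admin>"}

def vet(manifest_xml, policy_files):
    """Return (kind, detail) findings relevant to device lockout."""
    root = ET.fromstring(manifest_xml)
    findings = []
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if OVERLAY_PERM in perms:
        findings.append(("overlay", "requests SYSTEM_ALERT_WINDOW"))
    for rcv in root.iter("receiver"):
        # Only receivers guarded by BIND_DEVICE_ADMIN can act as device admins.
        if rcv.get(ANDROID + "permission") != ADMIN_PERM:
            continue
        name = rcv.get(ANDROID + "name")
        findings.append(("device-admin", f"{name} is a Device Administrator receiver"))
        for md in rcv.iter("meta-data"):
            if md.get(ANDROID + "name") != "android.app.device_admin":
                continue
            res = md.get(ANDROID + "resource")
            policy_xml = policy_files.get(res)
            if policy_xml is None:
                # Do not treat a missing policy file as clean; report it.
                findings.append(("unresolved", f"policy file {res} not available"))
                continue
            tags = {e.tag for e in ET.fromstring(policy_xml).iter()}
            for pol in sorted(tags & LOCKOUT_POLICIES):
                findings.append(("lockout-policy", f"{name} declares <{pol}>"))
    return findings
```

A Device Administrator receiver alone is not malicious, so findings are best weighed against the app's stated purpose during review.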

References