T1642 Endpoint Denial of Service
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.[2]
On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.[1]
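For app vetting, the Android Device Administrator abuse described above can be spotted statically. The following is an added example, not part of the ATT&CK entry: it lists the Device Administrator receivers an app declares and the lock-related policies they request. It assumes the manifest and the referenced policy file have already been decoded to text XML; the package name, sample files and the function name `audit_device_admin` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LOCKOUT_POLICIES = {"reset-password", "force-lock"}  # policies that can lock a user out
ANDROID_7_API = 24  # API level of Android 7.0

# Constructed sample input: a decoded manifest and the policy file it references.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/admin_policies"/>
    </receiver>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""
RESOURCES = {"@xml/admin_policies": """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><reset-password/><force-lock/><watch-login/></uses-policies>
</device-admin>"""}

def audit_device_admin(manifest_xml, resources):
    """Return one finding per Device Administrator receiver declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    findings = []
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        policies = None  # None means the policy file was not supplied: review by hand
        for meta in receiver.iter("meta-data"):
            ref = meta.get(ANDROID + "resource")
            if meta.get(ANDROID + "name") == "android.app.device_admin" and ref in resources:
                doc = ET.fromstring(resources[ref])
                policies = sorted(p.tag for p in doc.findall("uses-policies/*"))
        lockout = sorted(LOCKOUT_POLICIES.intersection(policies or []))
        findings.append({
            "receiver": receiver.get(ANDROID + "name"),
            "policies": policies,
            "lockout_policies": lockout,
            # Passcode reset by a plain device admin only works below Android 7.
            "reset_usable_pre_android7": "reset-password" in lockout and min_sdk < ANDROID_7_API,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_device_admin(MANIFEST, RESOURCES):
        print(finding)
```

When the input comes from untrusted APKs rather than constructed samples, parse it with a hardened XML parser such as `defusedxml`.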
| Item | Value |
|---|---|
| ID | T1642 |
| Sub-techniques | |
| Tactics | TA0034 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 06 April 2022 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0323 | Charger | Charger locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.[5] |
| S0522 | Exobot | Exobot can lock the device with a password and permanently disable the screen.[7] |
| S0536 | GPlayed | GPlayed can lock the user out of the device by showing a persistent overlay.[4] |
| S1185 | LightSpy | LightSpy has used the DeleteSpring plugin to render the device’s user interface inoperable by disabling SpringBoard, which is iOS’s home screen manager.[6] LightSpy has used the BootDestroy plugin to prevent the victim device from booting by modifying the NVRAM parameter auto-boot to false.[6] Additionally, LightSpy has renamed the Wi-Fi daemon to disable wireless connectivity.[6] |
| S0298 | Xbot | Xbot can remotely lock infected Android devices and ask for a ransom.[3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1006 | Use Recent OS Version | Android 7 changed how the Device Administrator password APIs function. |
| M1011 | User Guidance | Users should be cautioned against granting administrative access to applications. |
References
1. Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.
2. Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.
3. Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
4. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. Retrieved November 24, 2020.
5. Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.
6. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy’s iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
7. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.