T1642 Endpoint Denial of Service
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.[2]
On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.[1]
Item | Value |
---|---|
ID | T1642 |
Sub-techniques | |
Tactics | TA0034 |
Platforms | Android, iOS |
Version | 1.1 |
Created | 06 April 2022 |
Last Modified | 20 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0323 | Charger | Charger locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.[4] |
S0522 | Exobot | Exobot can lock the device with a password and permanently disable the screen.[5] |
S0536 | GPlayed | GPlayed can lock the user out of the device by showing a persistent overlay.[6] |
S0298 | Xbot | Xbot can remotely lock infected Android devices and ask for a ransom.[3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1006 | Use Recent OS Version | Android 7 changed how the Device Administrator password APIs function. |
M1011 | User Guidance | Users should be cautioned against granting administrative access to applications. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0041 | Application Vetting | Permissions Requests |
DS0042 | User Interface | System Settings |
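An added example, not part of the ATT&CK entry: a minimal application-vetting check for the Permissions Requests data component, flagging a Device Administrator receiver, its lock-related policies and the overlay permission. It assumes the manifest and the device-admin policy resource have already been decoded to text XML; the function name `vet`, the finding labels and both sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LOCK_POLICIES = {"reset-password", "force-lock"}  # policies that enable a lockout
ANDROID_7_API = 24  # API level of Android 7.0

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
    </receiver>
  </application>
</manifest>"""
SAMPLE_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><reset-password/><force-lock/><wipe-data/></uses-policies>
</device-admin>"""

def vet(manifest_xml, policy_xml=None):
    """Return a sorted list of vetting findings for one decoded app."""
    root = ET.fromstring(manifest_xml)
    findings = set()
    # A device admin component is a receiver guarded by BIND_DEVICE_ADMIN
    # that points at a policy resource through android.app.device_admin.
    for rc in root.iter("receiver"):
        metas = {m.get(NS + "name") for m in rc.iter("meta-data")}
        if (rc.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                and "android.app.device_admin" in metas):
            findings.add("device-admin-receiver")
    # Overlay permission: relevant to lockout by persistent overlay.
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.add("overlay-permission")
    if "device-admin-receiver" in findings and policy_xml:
        used = {el.tag for up in ET.fromstring(policy_xml).iter("uses-policies") for el in up}
        findings |= {"policy:" + p for p in used & LOCK_POLICIES}
        # Heuristic: the app installs on pre-Android 7 devices, where an
        # admin app can still reset an existing passcode.
        sdk = root.find("uses-sdk")
        min_sdk = int(sdk.get(NS + "minSdkVersion", "1")) if sdk is not None else None
        if "reset-password" in used and min_sdk is not None and min_sdk < ANDROID_7_API:
            findings.add("reset-password-reaches-pre-android-7")
    return sorted(findings)

if __name__ == "__main__":
    print(vet(SAMPLE_MANIFEST, SAMPLE_POLICY))
```

Findings are triage signals for a reviewer, not verdicts: legitimate MDM agents declare the same receiver and policies.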
References
[1] Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.
[2] Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.
[3] Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
[4] Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.
[5] Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
[6] V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. Retrieved November 24, 2020.