Mobile Threat Catalogue

Ransoming Assets via Device Management Abuse


Threat Category: Malicious or privacy-invasive application

ID: APP-23

Threat Description: Device management features built into Android and iOS allow organizations to develop apps that enforce organizational mobile device security policies. Some of those policy options (for example, disabling the camera) could be abused by a malicious app that has been granted the device administrator role to block access to desired functionality until a ransom is paid. Prior to Android 7.0, an app holding the Device Administrator role could forcefully set or replace the device unlock PIN/password, which could be used to hold the entire device for ransom.

Threat Origin

Android Security 2015 Year In Review 1

Exploit Examples

New Android Trojan xBot Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom 2

CVE Examples

Not Applicable

Possible Countermeasures

Enterprise

Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, since side-loaded apps bypass the security checks performed by the official app store.

Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.

Use application threat intelligence data about potential abuse of Device Administrator privileges by apps installed on COPE or BYOD devices.

Consider the use of devices that support Android 7.0 and later, and ensure a PIN is set. Starting in 7.0, a device administrator app can no longer change the device PIN/password when one is already set (it can only set one if none exists), as described in https://developer.android.com/preview/behavior-changes.html and at 44:20 of https://www.youtube.com/watch?v=XZzLjllizYs

Mobile Device User

Use the Android Verify Apps feature (since folded into Google Play Protect) to identify apps that may abuse Device Administrator privileges.

Consider the use of devices that support Android 7.0 and later, and ensure a PIN is set. Starting in 7.0, a device administrator app can no longer change the device PIN/password when one is already set (it can only set one if none exists), as described in https://developer.android.com/preview/behavior-changes.html and at 44:20 of https://www.youtube.com/watch?v=XZzLjllizYs
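The enterprise and user countermeasures above both come down to the same question: which apps currently hold the Device Administrator role, which of the ransom-relevant policies (reset password, disable camera, force lock, wipe) did they request, and were they installed from the official store or side-loaded? The following is an added example, not code from the Mobile Threat Catalogue or from any MDM vendor, showing how an on-device audit or MAM agent can answer that using only the public Android APIs. The class name DeviceAdminAudit and the Finding type are this example's own; the API calls (DevicePolicyManager.getActiveAdmins, DeviceAdminInfo.usesPolicy, PackageManager.getInstallerPackageName) are standard Android SDK calls.

```java
// Added example (not from the NIST Mobile Threat Catalogue): enumerate active
// device administrators and flag the policies that APP-23 describes as
// abusable for ransom. Class and type names here are this example's own.
import android.app.admin.DeviceAdminInfo;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.os.Build;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class DeviceAdminAudit {

    /** One finding per active admin that requests a ransom-relevant policy. */
    public static final class Finding {
        public final ComponentName admin;
        public final String installer;      // null means side-loaded (adb or unknown source)
        public final List<String> policies;

        Finding(ComponentName admin, String installer, List<String> policies) {
            this.admin = admin;
            this.installer = installer;
            this.policies = policies;
        }

        @Override public String toString() {
            return admin.flattenToShortString()
                    + " installer=" + (installer == null ? "SIDELOADED" : installer)
                    + " policies=" + policies;
        }
    }

    public static List<Finding> audit(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<Finding> findings = new ArrayList<>();

        List<ComponentName> active = dpm.getActiveAdmins();
        if (active == null) return findings;   // no device admins enabled

        // Every admin receiver declares the policies it wants in its
        // <meta-data android:name="android.app.device_admin"> XML resource;
        // DeviceAdminInfo parses that declaration for us.
        List<ResolveInfo> receivers = pm.queryBroadcastReceivers(
                new Intent(DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED),
                PackageManager.GET_META_DATA);

        for (ComponentName admin : active) {
            String installer = pm.getInstallerPackageName(admin.getPackageName());
            for (ResolveInfo ri : receivers) {
                if (!admin.getPackageName().equals(ri.activityInfo.packageName)
                        || !admin.getClassName().equals(ri.activityInfo.name)) {
                    continue;
                }
                try {
                    DeviceAdminInfo info = new DeviceAdminInfo(ctx, ri);
                    List<String> hits = new ArrayList<>();
                    if (info.usesPolicy(DeviceAdminInfo.USES_POLICY_RESET_PASSWORD)) {
                        // The 7.0 (API 24) behaviour change: an admin can only set a
                        // PIN when none exists, so an existing PIN is the mitigation.
                        hits.add(Build.VERSION.SDK_INT >= Build.VERSION_CODES.N
                                ? "reset-password (7.0+: cannot replace an existing PIN)"
                                : "reset-password (pre-7.0: CAN replace the existing PIN)");
                    }
                    if (info.usesPolicy(DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA)) {
                        hits.add("disable-camera");
                    }
                    if (info.usesPolicy(DeviceAdminInfo.USES_POLICY_FORCE_LOCK)) {
                        hits.add("force-lock");
                    }
                    if (info.usesPolicy(DeviceAdminInfo.USES_POLICY_WIPE_DATA)) {
                        hits.add("wipe-data");
                    }
                    if (!hits.isEmpty()) {
                        findings.add(new Finding(admin, installer, hits));
                    }
                } catch (Exception e) {
                    // XmlPullParserException / IOException: malformed admin metadata is
                    // itself worth reporting rather than silently skipping.
                    findings.add(new Finding(admin, installer,
                            Collections.singletonList("unparseable device_admin metadata")));
                }
            }
        }
        return findings;
    }
}
```

A finding whose installer is null (side-loaded) and whose policy list contains reset-password or disable-camera is exactly the combination the MDM policies above are meant to prevent; on a pre-7.0 device it should be treated as urgent. A device or profile owner set up by an MDM will legitimately appear here too, so compare findings against the MDM's own admin component rather than alerting on every entry.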

References

  1. Android Security 2015 Year In Review, Google, 2016; https://source.android.com/security/reports/Google_Android_Security_2015_Report_Final.pdf [accessed 8/25/2016] 

  2. C. Zheng, et al., “New Android Trojan XBot Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom”, blog, 18 Feb. 2016; http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/ [accessed 8/25/2016]