Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.

ID: T1398
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platforms: Android, iOS
MTC ID: APP-26, APP-27
Version: 2.1
Created: 25 October 2017
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1095 AhRat

AhRat can register with the BOOT_COMPLETED broadcast to start when the device turns on.[1]

S1079 BOULDSPY

BOULDSPY can exfiltrate data when the user boots the app, or on device boot.[2]

S1185 LightSpy

LightSpy has established auto-start execution during the system boot process.[3]

S0285 OldBoot

OldBoot uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.[4]

Mitigations

ID Mitigation Description
M1002 Attestation

Device attestation could detect devices with unauthorized or unsafe modifications.

M1003 Lock Bootloader

A locked bootloader could prevent unauthorized modifications to protected operating system files.

M1001 Security Updates

Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files.

M1004 System Partition Integrity

Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications.

Detection Strategy

DET0654 Detection of Boot or Logon Initialization Scripts

Analytic AN1739

Correlates anomalous modifications to boot-time or logon-time initialization artifacts (for example, init.rc, vendor init scripts, app_process or shell hijacks, and malicious BOOT_COMPLETED BroadcastReceivers) with subsequent unauthorized script execution after boot. From the defender’s perspective this appears as integrity or attestation failures on the system partition, unexpected writes to protected init paths, new apps registering for boot events, and privileged processes invoking scripts or binaries from non-standard locations shortly after the device boots.

Analytic AN1740

Correlates unauthorized alterations to launchd configuration (LaunchDaemons/LaunchAgents plists), background execution entitlements, or sideloaded app containers with suspicious auto-start behavior during device boot or user unlock. From the defender’s view this shows up as new or modified plist files in launchd directories, launchd starting binaries from non-Apple or non-AppStore locations, and apps with unexpected background modes that remain active immediately after boot/unlock.
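Analytic AN1739 lists "new apps registering for boot events" as one observable. As an added example (not part of this ATT&CK page or of any software it references), the following Python inventories a decoded AndroidManifest.xml for receivers subscribed to BOOT_COMPLETED or LOCKED_BOOT_COMPLETED and records whether the app also requests RECEIVE_BOOT_COMPLETED; the sample manifest, its package name and the allowlist parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.LOCKED_BOOT_COMPLETED"}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

def boot_receivers(manifest_xml: str) -> list[dict]:
    """Return every <receiver> subscribed to a boot action.
    has_permission is False when RECEIVE_BOOT_COMPLETED is not requested; the
    system then never delivers BOOT_COMPLETED, so that receiver is inert."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    found = []
    for recv in root.iter("receiver"):
        actions = {a.get(NS + "name") for a in recv.iter("action")}
        if actions & BOOT_ACTIONS:
            found.append({"package": package,
                          "receiver": recv.get(NS + "name"),
                          "actions": sorted(actions & BOOT_ACTIONS),
                          "has_permission": BOOT_PERMISSION in perms})
    return found

def triage(manifest_xml: str, allowlist: frozenset = frozenset()) -> list[str]:
    """One finding per boot receiver outside the allowlist; inert ones are tagged."""
    out = []
    for r in boot_receivers(manifest_xml):
        if r["package"] not in allowlist:
            tag = "" if r["has_permission"] else " [inert: permission missing]"
            out.append(f"{r['package']}: {r['receiver']} <- {', '.join(r['actions'])}{tag}")
    return out

# Constructed manifest (not from any real app): one boot receiver, one unrelated.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".RefreshReceiver">
      <intent-filter><action android:name="com.example.weather.REFRESH"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_MANIFEST)))
```

Run it against manifests extracted from newly installed packages and diff the output against a baseline; a package appearing for the first time is the "new app registering for boot events" signal the analytic describes.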

References