App Auto-Start at Device Boot

An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.

An analysis published in 2012[1] of 1260 Android malware samples belonging to 49 families of malware determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.

ID: T1402

Tactic Type: Post-Adversary Device Access

Tactic: Persistence

Platform: Android

Version: 1.1

Mitigations

Mitigation | Description
Application Vetting | Enterprises could potentially vet apps before allowing their use on devices, and carefully scrutinize apps that declare a BroadcastReceiver containing an intent-filter for BOOT_COMPLETED. Unfortunately, this is likely not practical due to the vast number of apps with this behavior.
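
The vetting check described above can be automated. The following is an added example, not part of the original page: it assumes the app's AndroidManifest.xml has already been decoded to text XML, and the function name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # fully qualified android:name attribute
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def find_boot_receivers(manifest_xml):
    """Report boot auto-start declarations found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    permissions = {p.get(NAME) for p in root.iter("uses-permission")}
    receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            name = receiver.get(NAME, "")
            # Manifest shorthand: a leading dot is relative to the package name.
            receivers.append(package + name if name.startswith(".") else name)
    return {
        "package": package,
        "has_boot_permission": BOOT_PERMISSION in permissions,
        "boot_receivers": receivers,
    }

if __name__ == "__main__":
    print(find_boot_receivers(SAMPLE_MANIFEST))
```

Because many legitimate apps also match, the result is a triage signal to combine with other findings rather than a verdict. When manifests come from untrusted APKs, parse them with a hardened XML parser such as defusedxml.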

Examples

Name | Description
Pegasus for Android | Pegasus for Android listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time.[2]
SpyDealer | SpyDealer registers the broadcast receiver to listen for events related to device boot-up.[3]
SpyNote RAT | SpyNote RAT uses an Android broadcast receiver to automatically start when the device boots.[4]

References