The sub-techniques beta is now live! Read the release blog post for more info.

App Auto-Start at Device Boot

An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.

An analysis published in 2012[1] of 1260 Android malware samples belonging to 49 families of malware determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.

ID: T1402
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platform: Android
Version: 1.1
Created: 25 October 2017
Last Modified: 18 June 2019

Procedure Examples

Name Description

FlexiSpy uses root access to establish reboot hooks to re-install the application from /data/misc/adn. At boot, FlexiSpy spawns daemons for process monitoring, call monitoring, call managing, and system.[2][2]

Pegasus for Android

Pegasus for Android listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time.[5]


SpyDealer registers the broadcast receiver to listen for events related to device boot-up.[4]

SpyNote RAT

SpyNote RAT uses an Android broadcast receiver to automatically start when the device boots.[3]


Mitigation Description
Application Vetting

Enterprises could potentially vet apps before allowing their use on devices, and carefully scrutinize apps that declare a BroadcastReceiver containing an intent-filter for BOOT_COMPLETED. Unfortunately this is likely not practical due to the vast number of apps with this behavior.