App Auto-Start at Device Boot
An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.
An analysis published in 2012 of 1260 Android malware samples belonging to 49 families of malware determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.
| Name | Description |
|---|---|
| FlexiSpy | FlexiSpy uses root access to establish reboot hooks to re-install the application from |
| Pegasus for Android | Pegasus for Android listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time. |
| SpyDealer | SpyDealer registers the broadcast receiver to listen for events related to device boot-up. |
| SpyNote RAT | SpyNote RAT uses an Android broadcast receiver to automatically start when the device boots. |

| Mitigation | Description |
|---|---|
| Application Vetting | Enterprises could potentially vet apps before allowing their use on devices, and carefully scrutinize apps that declare a BroadcastReceiver containing an intent-filter for BOOT_COMPLETED. Unfortunately this is likely not practical due to the vast number of apps with this behavior. |
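
The vetting check described above can be run against a decoded `AndroidManifest.xml`. The following is an added example, not code from the original page: the function name, the sample manifest and its package name are constructed for illustration, and the manifest is assumed to be already decoded to text XML. It also matches `LOCKED_BOOT_COMPLETED`, the direct-boot variant, which the page does not mention.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer a hardened parser such as defusedxml

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.LOCKED_BOOT_COMPLETED",  # direct-boot variant (not named on the page)
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def find_boot_receivers(manifest_xml):
    """Return (requests_boot_permission, findings) for a decoded manifest string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    for receiver in root.iter("receiver"):
        actions = {a.get(A + "name")
                   for f in receiver.findall("intent-filter") for a in f.findall("action")}
        hits = sorted(actions & BOOT_ACTIONS)
        if not hits:
            continue  # receiver does not listen for a boot broadcast
        name = receiver.get(A + "name", "")
        if name.startswith("."):        # ".Foo" is relative to the package
            name = package + name
        elif "." not in name:           # bare "Foo" is also package-relative
            name = package + "." + name
        enabled = receiver.get(A + "enabled", "true") != "false"
        findings.append({"receiver": name, "actions": hits, "enabled": enabled})
    return BOOT_PERMISSION in perms, findings

if __name__ == "__main__":
    print(find_boot_receivers(SAMPLE_MANIFEST))
```

As the mitigation text notes, a hit here is a prompt for closer review of the named receiver class, not evidence of malicious behavior on its own.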
- Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.
- K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.
- Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.