Scheduled Task/Job

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.

On Android, the WorkManager API allows asynchronous tasks to be scheduled with the system. WorkManager was introduced to unify task scheduling on Android, using JobScheduler, GcmNetworkManager, and AlarmManager internally. WorkManager offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).[1]

On iOS, the NSBackgroundActivityScheduler API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.[2]

ID: T1603
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Execution, Persistence
Platforms: Android, iOS
Contributors: Lorin Wu, Trend Micro
Version: 1.0
Created: 04 November 2020
Last Modified: 04 November 2020

Procedure Examples

ID Name Description
S0536 GPlayed

GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.[3]

S0545 TERRACOTTA

TERRACOTTA has used timer events in React Native to initiate the foreground service.[4]

S0558 Tiktok Pro

Tiktok Pro has contained an alarm that triggers every three minutes and timers for communicating with the C2.[5]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References