1. Home
  2. Techniques
  3. Mobile
  4. Event Triggered Execution

Event Triggered Execution

ID Name
T1624.001 Broadcast Receivers

Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.

ID: T1624
Sub-techniques:  T1624.001
Tactic Type: Post-Adversary Device Access
Tactic: Persistence
Platforms: Android
Version: 1.1
Created: 30 March 2022
Last Modified: 20 March 2023
Version Permalink

Procedure Examples

ID Name Description
S1079 BOULDSPY

BOULDSPY uses a background service that can restart itself when the parent activity is stopped.[1]

Mitigations

ID Mitigation Description
M1006 Use Recent OS Version

Android 8 introduced additional limitations on the implicit intents that an application can register for.[2]

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services can detect which broadcast intents an application registers for and which permissions it requests.

References

  1. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  1. Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.