Skip to content

T1541 Foreground Persistence

Adversaries may abuse Android’s startForeground() API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.1 Applications can retain sensor access by running in the foreground, using Android’s startForeground() API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.2

Malicious applications may abuse the startForeground() API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.4

Malicious applications may also abuse the startForeground() API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.3

Item Value
ID T1541
Tactics TA0030, TA0028
Platforms Android
Version 2.1
Created 19 November 2019
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S1054 Drinik Drinik has C2 commands that can move the malware in and out of the foreground. 8
S0485 Mandrake Mandrake uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection.6
S0545 TERRACOTTA TERRACOTTA has utilized foreground services.7
S0558 Tiktok Pro Tiktok Pro has shown a persistent notification to maintain access to device sensors.5


ID Mitigation Description
M1011 User Guidance If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.


ID Data Source Data Component
DS0041 Application Vetting API Calls
DS0042 User Interface System Notifications