T1603 Scheduled Task/Job

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.

On Android, the WorkManager API allows asynchronous tasks to be scheduled with the system. WorkManager was introduced to unify task scheduling on Android, using JobScheduler, GcmNetworkManager, and AlarmManager internally. WorkManager offers flexible scheduling: tasks can run periodically, one time, or under constraints (e.g. only when the device is charging).[1]

On iOS, the NSBackgroundActivityScheduler API allows asynchronous tasks to be scheduled with the system. Tasks can be scheduled as repeating or non-repeating; however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.[2]
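For triage on the Android side, the scheduling mechanisms named above leave traces in an app's manifest. The following is an added example, not part of the original page: it assumes the manifest has already been decoded to text XML, the sample package and component names are constructed, and the watched permissions and WorkManager service prefix are this example's own choice of indicators. Benign apps commonly contain the same entries, so the output is a lead for further review, not a verdict.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name="androidx.work.impl.background.systemjob.SystemJobService" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <service android:name=".SyncJob" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Permissions relevant to timers, alarms and wake locks (example's own watch list).
WATCHED_PERMISSIONS = {
    "android.permission.WAKE_LOCK": "can hold wake locks",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can re-arm schedules after reboot",
    "android.permission.SCHEDULE_EXACT_ALARM": "can set exact AlarmManager alarms",
}

def scheduling_indicators(manifest_xml):
    """Return sorted (kind, name, note) tuples for scheduling-related manifest entries."""
    # Stdlib parser for brevity; use a hardened parser (e.g. defusedxml) on untrusted input.
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in WATCHED_PERMISSIONS:
            findings.append(("permission", name, WATCHED_PERMISSIONS[name]))
    for svc in root.iter("service"):
        name = svc.get(A + "name", "")
        if name.startswith("androidx.work.impl.background."):
            findings.append(("workmanager", name, "WorkManager backend service"))
        elif svc.get(A + "permission") == "android.permission.BIND_JOB_SERVICE":
            findings.append(("jobservice", name, "app-defined JobScheduler service"))
    for rcv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append(("boot-receiver", rcv.get(A + "name", ""), "runs at boot"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, name, note in scheduling_indicators(SAMPLE_MANIFEST):
        print(f"{kind:14} {name}  ({note})")
```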

| Item | Value |
| --- | --- |
| ID | T1603 |
| Sub-techniques | |
| Tactics | TA0041, TA0028 |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 04 November 2020 |
| Last Modified | 24 October 2022 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0536 | GPlayed | GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.[5] |
| S0545 | TERRACOTTA | TERRACOTTA has used timer events in React Native to initiate the foreground service.[3] |
| S0558 | Tiktok Pro | Tiktok Pro has contained an alarm that triggers every three minutes and timers for communicating with the C2.[4] |

References