T1624 Event Triggered Execution
Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.
Adversaries may abuse these mechanisms to maintain persistent access to a victim by automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.
| Item | Value |
|---|---|
| ID | T1624 |
| Sub-techniques | T1624.001 |
| Tactics | TA0028 |
| Platforms | Android |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1079 | BOULDSPY | BOULDSPY uses a background service that can restart itself when the parent activity is stopped. [3] |
| S1231 | GodFather | GodFather has executed when victims utilize their trusted banking apps, as the malware redirects the victim to using a malicious version of the banking app. [2] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1006 | Use Recent OS Version | Android 8 introduced additional limitations on the implicit intents that an application can register for. [1] |
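A defender-side check for the event subscriptions named in the description (SMS receipt and boot completion), as an added example that is not part of the ATT&CK entry: it audits a decoded AndroidManifest.xml for receivers registered on those broadcasts and reports whether the matching permission is declared. The manifest, package name and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Watched event -> permission needed to receive it (both stay allowed in manifests on Android 8+).
WATCHED = {
    "android.intent.action.BOOT_COMPLETED": "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED": "android.permission.RECEIVE_SMS",
}

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WidgetReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.flashlight.TOGGLE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return one finding per manifest receiver subscribed to a watched event."""
    root = ET.fromstring(xml_text)
    held = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            for action in intent_filter.iter("action"):
                name = action.get(ANDROID + "name")
                if name in WATCHED:
                    findings.append({
                        "receiver": receiver.get(ANDROID + "name"),
                        "action": name,
                        "priority": int(intent_filter.get(ANDROID + "priority", "0")),
                        "permission_held": WATCHED[name] in held,
                    })
    return findings

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE_MANIFEST), sep="\n")
```

A finding with `permission_held` set to false marks a receiver that is declared but cannot receive the event as packaged, which is useful when triaging many manifests.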
References
1. Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.
2. Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025.
3. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.