T1541: Foreground Persistence
Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.[1] Applications can retain sensor access by running in the foreground, using Android’s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.[2]
Malicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.[3]
Malicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.[4]
Analyst context for executives and security teams
Foreground Persistence matters because it can let a malicious Android app keep running and retain access to sensors such as the camera, microphone, or gyroscope after permissions have already been granted. For leaders, the issue is not just malware persistence; it is whether mobile devices used for business can quietly remain in a state that enables surveillance, fraud, or credential theft while appearing to show a normal persistent notification.
Executive priority
Prioritize this where Android devices are used for executive communications, regulated workflows, banking or payment activity, field operations, or bring-your-own-device access to corporate services. The business question is whether mobile governance, user guidance, and incident response can identify apps abusing foreground services before sensor access, identity exposure, or fraud creates operational or compliance risk.
Technical view
This is an Android mobile technique involving abuse of the startForeground() API to keep an application alive and preserve sensor access, assuming permissions were previously granted. ATT&CK provides no official detection text for T1541, but a related detection strategy, DET0637 Detection of Foreground Persistence, is linked. SOC, mobile security, and IR teams should validate visibility into foreground service behavior, persistent notifications, app permissions, sensor access patterns, and suspicious apps that imitate legitimate applications. Relationship context shows this behavior is used by multiple Android malware/software entries, including Mandrake, TERRACOTTA, Tiktok Pro, Drinik, CherryBlos, and DocSwap.
Likely telemetry
- Android application inventory and package metadata
- Foreground service usage and persistent notification evidence
- Granted app permissions for camera, microphone, gyroscope, SMS, or other sensitive capabilities where available
- Mobile device management or enterprise mobility management compliance records
- Mobile threat defense alerts or app reputation findings
Detection direction
- Validate whether DET0637 or equivalent analytics are implemented for Android foreground service abuse rather than assuming desktop persistence coverage applies.
- Look for apps maintaining foreground services with persistent notifications that do not match expected business use or user activity.
- Correlate foreground service behavior with sensitive permissions and sensor access; the technique depends on previously granted permissions.
- Tune carefully for legitimate apps that require foreground services, such as navigation, audio, health, communications, or enterprise agents.
- Review apps that masquerade as genuine applications, because the ATT&CK description notes malicious apps may present deceptive notifications.
Mitigation priorities
- Apply M1011 User Guidance: train users to question unexpected persistent notifications, app impersonation, and permission prompts for sensors or sensitive data.
- Reduce unnecessary mobile app permissions and remove apps that do not have a clear business need.
- Use managed Android policies, app allowlisting or approved app stores where appropriate, and mobile device compliance checks to limit risky app installation.
- Ensure incident response playbooks include Android app permission review, foreground service review, and preservation of mobile telemetry where available.
- For high-risk users and regulated workflows, require stronger mobile governance and periodic review of installed applications and permissions.
Analyst notes and limits
The key defensive value is confirming whether the organization can see and govern Android foreground services in context with app permissions. This technique becomes materially more serious when sensor access, impersonation, fraud, banking activity, or credential exposure is relevant to the device population. ATT&CK relationships show multiple Android software entries use this behavior, which supports prioritizing mobile detection and response readiness.
ATT&CK lists no tactics and provides no official detection procedure for this technique in the supplied object. The linked detection strategy is named but not described in the supplied fields. Local device management, mobile threat defense, and Android logging capabilities will determine practical visibility. This take does not assert local exposure, active compromise, or guaranteed detection coverage.
Foreground Persistence
Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.[1] Applications can retain sensor access by running in the foreground, using Android’s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.[2]
Malicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.[3]
Malicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.[4]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1225: CherryBlos
CherryBlos is an Android malware that steals credentials and redirects cryptocurrency to adversary-controlled wallets. CherryBlos was labelled Robot 999 in its first appearance in April 2023; since then, various aliases have been used, including GPTalk, Happy Miner, and SynthNet. The threat actors behind CherryBlos uploaded the malware to different Google Play regions, such as Malaysia, Vietnam, Indonesia, Philippines, Uganda, and Mexico.[1]
S0485: Mandrake
Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.
Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]
S9005: DocSwap
DocSwap is an Android malware first identified in 2025, and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.[1][2]
S0545: TERRACOTTA
TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]
S1054: Drinik
Drinik is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, Drinik resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.[1]
S0558: Tiktok Pro
Tiktok Pro is spyware that has been masquerading as the TikTok application.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.1 | Current bundle | 3d79a3247aa7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Android-SensorsOverview
Google. (n.d.). Sensors Overview. Retrieved November 19, 2019.
Open source URL -
[2]
Android-ForegroundServices
Google. (n.d.). Services overview. Retrieved November 19, 2019.
Open source URL -
[3]
BlackHat Sutter Android Foreground 2019
Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. Retrieved December 26, 2019.
Open source URL -
[4]
TrendMicro-Yellow Camera
Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.
Open source URL -
[5]
NIST Mobile Threat Catalogue APP-19Open source URL
-
[6]
mitre-attack T1541Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.