T1603: Scheduled Task/Job
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.
On Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers flexible scheduling: periodic, one-time, or constraint-based (e.g. only when the device is charging).[1]
On iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating; however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.[2]
Analyst context for executives and security teams
Scheduled Task/Job (T1603) matters because mobile apps can use legitimate Android and iOS background scheduling features to make code run later or repeatedly. For security leaders, the risk is not the API itself; it is whether enterprise mobile controls, app review, and incident response can distinguish expected background activity from malicious persistence or recurring execution in managed devices and approved apps.
Executive priority
Prioritize this where mobile devices have access to sensitive business data, identity tokens, messaging, or operational workflows. Leaders should ask whether mobile security monitoring can identify suspicious background execution behavior, whether app approval processes review use of scheduling APIs, and whether incident responders can preserve enough mobile evidence to explain recurring activity. The ATT&CK record links this technique to Android software examples, so Android mobile risk review is especially relevant; iOS remains in scope because the official technique describes iOS scheduling APIs as well.
Technical view
For Android, validate visibility into applications using WorkManager and related scheduling mechanisms that may rely on JobScheduler, GcmNetworkManager, or AlarmManager. For iOS, validate whether app assessment or device telemetry can expose use of NSBackgroundActivityScheduler or recurring background activity patterns. ATT&CK provides no official detection text and no tactic mapping for this object, so SOC teams should not assume standard alert logic exists. Use the related detection strategy DET0707 as a pointer for local engineering, and correlate scheduled/background execution with app provenance, permissions, network activity, battery/charging constraints, and user expectations. Relationship context shows Android software GPlayed, TERRACOTTA, and Tiktok Pro using this behavior, which supports treating recurring mobile background execution as a behavior worth validating during triage.
Likely telemetry
- Mobile device management or enterprise mobility management inventory and compliance state
- Mobile threat defense or endpoint telemetry for app behavior and background execution
- Android app manifests, runtime behavior, WorkManager/JobScheduler/AlarmManager-related observations where available
- iOS app assessment data and background activity indicators where available
- Application provenance, install source, signing, version, and approval status
Detection direction
- Validate whether DET0707 or local detection content exists for scheduled mobile background execution; ATT&CK does not provide detection details for this technique.
- Baseline expected scheduled behavior for approved enterprise and productivity apps before alerting on recurrence alone, because legitimate apps commonly schedule background tasks.
- Prioritize suspicious combinations: unapproved app plus recurring execution, scheduling behavior plus sensitive permissions, background execution plus unexpected network traffic, or execution aligned with charging/idle constraints.
- Separate Android and iOS coverage claims. Android API visibility may differ from iOS, and the ATT&CK relationships supplied here only identify Android software examples.
- Account for blind spots from personal devices, unmanaged devices, limited mobile telemetry retention, and platform privacy restrictions that may hide exact task scheduling details.
Mitigation priorities
- Start with mobile asset and app governance: know which devices are managed, which apps are approved, and which apps can access business data.
- Strengthen app vetting to review background execution needs, scheduling API usage, permissions, install source, and developer trust before approval.
- Use mobile device management and mobile threat defense controls to restrict untrusted apps, enforce compliance, and support containment or removal during investigations.
- For incident readiness, document how to collect mobile app inventory, execution indicators, network evidence, and relevant forensic artifacts before a suspected app is wiped or updated.
- For compliance evidence, retain policy, app approval, telemetry, and response records showing how recurring background mobile activity is governed and investigated.
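An added example (not part of the ATT&CK record or of any product's own code) for the app-vetting step and the "suspicious combinations" point above: it reads a decoded AndroidManifest.xml, records WorkManager, JobScheduler and boot-time or exact-alarm scheduling markers, and ranks the app by approval status and sensitive permissions. The sensitive-permission set, the priority tiers, the function name and the sample manifest are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Permissions that support rescheduling after reboot or exact alarms.
SCHEDULING_PERMS = {P + "RECEIVE_BOOT_COMPLETED", P + "SCHEDULE_EXACT_ALARM"}
# Assumed local policy: permissions the vetting team treats as sensitive.
SENSITIVE_PERMS = {P + "READ_SMS", P + "READ_CONTACTS", P + "RECORD_AUDIO"}

def review_manifest(xml_text, approved_packages):
    """Return scheduling indicators and a triage priority for one decoded manifest."""
    # For manifests from untrusted APKs, prefer a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    indicators = sorted(perms & SCHEDULING_PERMS)
    for svc in root.iter("service"):
        name = svc.get(ANDROID + "name", "")
        if name.startswith("androidx.work."):
            # WorkManager merges its own service entries into the app manifest.
            indicators.append("WorkManager:" + name)
        elif svc.get(ANDROID + "permission") == P + "BIND_JOB_SERVICE":
            indicators.append("JobService:" + name)
    sensitive = sorted(perms & SENSITIVE_PERMS)
    approved = package in approved_packages
    # Scheduling alone is normal app behaviour; rank on combinations instead.
    if indicators and not approved and sensitive:
        priority = "high"
    elif indicators and (not approved or sensitive):
        priority = "medium"
    else:
        priority = "low"
    return {"package": package, "approved": approved, "scheduling": indicators,
            "sensitive_permissions": sensitive, "priority": priority}

# Constructed sample manifest (not taken from a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name="androidx.work.impl.background.systemjob.SystemJobService"
        android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(review_manifest(SAMPLE, approved_packages={"com.example.mail"}))
```

Manifest markers show scheduling capability only; the network-traffic and charging/idle correlations in the detection list need runtime telemetry.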
Analyst notes and limits
The supplied ATT&CK object describes legitimate Android and iOS scheduling APIs that adversaries may abuse for initial or recurring execution. No official detection guidance, tactic mapping, aliases, or labels are provided. The relationship set includes one detection strategy and three Android software examples, which is useful context but not proof of coverage or current activity in any environment.
This take is constrained to the supplied ATT&CK fields and relationships. It does not establish active exploitation, attribution, prevalence, or guaranteed detectability. Local mobile management scope, platform logging, app inventory, and telemetry retention determine whether this behavior can be validated in practice.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1083: Chameleon
Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]
S0545: TERRACOTTA
TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]
S0536: GPlayed
S0558: Tiktok Pro
Tiktok Pro is spyware that has been masquerading as the TikTok application.[1]
S1231: GodFather
GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 94b2510c1278… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Android WorkManager. Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.
- [2] Apple NSBackgroundActivityScheduler. Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.
- [3] mitre-attack T1603
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.