T1624: Event Triggered Execution
Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.
Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.
Analyst context for executives and security teams
Event Triggered Execution matters because Android malware can persist by arranging for code to run automatically when normal device events occur, such as SMS receipt, boot completion, or other system activity. For leaders, the key issue is not the trigger itself but whether mobile security operations can see which apps are subscribed to sensitive events and whether outdated Android versions increase exposure.
Executive priority
Prioritize this where Android devices are part of business access, regulated workflows, or executive/high-risk user populations. Ask whether the organization can prove mobile OS currency, identify apps that register event-based execution mechanisms, and respond when a device repeatedly launches suspicious code after routine events. This technique also supports compliance and audit discussions around mobile device hygiene and persistence detection evidence.
Technical view
For SOC, mobile detection, and IR teams, validate Android-focused coverage for persistence through event subscriptions. The supplied relationship to T1624.001 highlights Broadcast Receivers as the concrete Android sub-technique to examine. Review whether telemetry can show app registration for broadcast intents, changes to event-trigger configuration, execution following boot completion or SMS-related events, and suspicious repetition after device activity. DET0647 is identified as a related detection strategy, but no official detection logic is supplied in the object.
Likely telemetry
- Android application manifest and runtime receiver registration data
- Broadcast intent and event delivery activity, especially boot completion, SMS-related, and other system activity triggers
- Mobile EDR/MDM records for app installation, update, permissions, and execution behavior
- Device OS version and patch/compliance status
- Incident response collection from suspected Android devices showing repeated app execution after normal system events
Detection direction
- Validate whether monitoring covers Android event-triggered persistence, especially Broadcast Receivers under T1624.001.
- Tune for suspicious or newly introduced event subscriptions that point to unknown, unauthorized, or recently installed applications rather than treating all event receivers as malicious.
- Correlate event-triggered execution with app install/update time, permission changes, OS version, and repeated execution after boot or SMS-related activity.
- Use the software relationships to BOULDSPY and GodFather as context that this behavior is represented in known Android malware, without assuming local exposure or active exploitation.
- Account for false positives: legitimate Android apps commonly subscribe to system events, so detection needs app reputation, business authorization, and behavioral context.
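The receiver-registration review described above can be started from a decoded manifest. The following triage script is an added example (not ATT&CK or Glexia code) that lists every broadcast receiver subscribed to boot-completion or SMS-receipt actions; the manifest it parses is constructed for illustration, and the script assumes plain-text AndroidManifest.xml as produced by a decoder such as apktool.

```python
"""Triage: list Android broadcast receivers bound to sensitive system events.
Added example for T1624 / T1624.001 context; not ATT&CK or Glexia code.
Assumes a decoded (plain-text) AndroidManifest.xml, e.g. from apktool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Intent actions that commonly serve as persistence triggers on Android.
SENSITIVE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.LOCKED_BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".UpdateReceiver">
      <intent-filter>
        <action android:name="com.example.constructed.UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def sensitive_receivers(manifest_xml):
    """Return {receiver_name: sorted sensitive actions} for each <receiver>
    whose intent-filter names a boot- or SMS-related system action."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for recv in root.iter("receiver"):
        name = recv.get(ANDROID_NS + "name", "?")
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        hits = sorted(actions & SENSITIVE_ACTIONS)
        if hits:  # receivers with only app-private actions are skipped
            found[name] = hits
    return found
```

Receivers that appear here are candidates for the app-reputation and business-authorization review, not findings on their own.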
Mitigation priorities
- Enforce and evidence recent Android OS versions, aligned to mitigation M1006 Use Recent OS Version.
- Prioritize outdated or unmanaged Android devices for remediation because newer mobile OS versions may include security architecture improvements and blocks against observed adversary techniques.
- Pair OS currency evidence with operational review of apps that register sensitive event triggers, especially on devices used by higher-risk users or business-critical roles.
- Ensure mobile incident response procedures include collection of event-trigger, app, permission, and OS-version evidence before device reset or replacement.
Analyst notes and limits
ATT&CK provides Android as the supported platform and describes persistence through mobile event mechanisms. The relationship set adds DET0647 as a detection strategy, M1006 as mitigation, Broadcast Receivers as a sub-technique, and BOULDSPY/GodFather as software using the behavior. The object does not specify tactics, aliases, or official detection content.
This take is limited to the supplied ATT&CK fields and relationships. No official detection details, tactic mapping, exploit prevalence, customer exposure, or guaranteed telemetry sources are provided. Local mobile management architecture and Android fleet visibility are required to determine actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1624.001 | Broadcast Receivers | Sub-technique of this object. |
Groups, software, and campaigns
S1231: GodFather
GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information. [1][2]
S1079: BOULDSPY
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 58ab9908d415… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MITRE ATT&CK, T1624, https://attack.mitre.org/techniques/T1624
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.