MITRE ATT&CK® Technique

T1624.001: Broadcast Receivers

Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.

An intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.

In addition to Android system intents, malicious applications can register for intents broadcast by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.

In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.[1]

Mobile | T1624.001 | Sub-technique | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Broadcast Receivers matter because they let an Android app wake up or act when device or application events occur, such as SMS receipt, boot completion, network changes, or screen unlock. For a business, the risk is not the broadcast mechanism itself, which is normal Android behavior, but malicious or unwanted apps using it for persistence or event-driven execution on managed or employee devices.

Executive priority

Prioritize this where Android devices are used for privileged work, financial approval, messaging, field operations, or access to sensitive applications. Leaders should ask whether mobile device governance can identify risky apps, confirm Android OS currency, and provide incident responders with enough evidence to determine whether an app is reacting to system or other-app events. The supplied mitigation relationship points to keeping mobile OS versions current, especially because Android 8/API level 26 introduced restrictions on many manifest-registered implicit broadcasts.

Technical view

This is an Android sub-technique of Event Triggered Execution. SOC, mobile security, and IR teams should validate whether they can inspect installed apps for declared broadcast receivers, understand which receivers are registered at runtime when an app is active, and correlate suspicious app behavior with system or application broadcast events. ATT&CK does not provide detection text for this object, but it does identify DET0711, Detection of Broadcast Receivers, as related detection strategy context. Relationship context also shows repeated use by Android malware and surveillanceware families, so receiver analysis should be part of mobile malware triage rather than treated as inherently malicious by itself.

Likely telemetry

  • Android application package metadata, including manifest-declared broadcast receivers and requested intent filters
  • Runtime or dynamic analysis evidence showing context-registered broadcast receivers while an app is in use
  • Mobile device inventory with installed applications, package names, versions, sources, and Android OS/API level
  • Mobile security or EMM/MDM events for suspicious app behavior, app installation, app update, and policy violations
  • Device event context such as boot completion, SMS receipt, network changes, user unlock, or relevant inter-application broadcasts where available

Detection direction

  • Do not alert solely on the presence of broadcast receivers; legitimate Android applications commonly use them. Focus review on receivers tied to sensitive triggers, unexpected persistence behavior, or actions inconsistent with the app’s business purpose.
  • Tune detection around Android version differences. On Android 8/API level 26 and later, many manifest-registered implicit broadcasts are restricted, so runtime receiver behavior and app-in-use context may be more important.
  • For high-risk apps, compare declared receivers and intent filters against observed behavior during dynamic analysis or sandboxing.
  • Use relationship context to inform triage: the technique is associated in ATT&CK with multiple Android malware categories, including RATs, spyware, banking trojans, adware, ransomware, and surveillanceware, but local evidence is required before concluding maliciousness.
  • Validate whether mobile telemetry covers personally owned or unmanaged Android devices if those devices can access enterprise data; this is a common visibility gap for mobile persistence behaviors.
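As an added example (not part of the MITRE text or the Glexia analysis), a Python triage pass over a decoded AndroidManifest.xml that applies the detection direction above and the manifest-versus-runtime distinction from the technique description: it lists each declared receiver's high-signal triggers, flags actions that look like other-application broadcasts, and marks manifest-registered implicit system actions that no longer fire on API 26+ targets. The manifest, the receiver names and the com.example.otherapp action are constructed; the exemption set reflects Android's documented implicit-broadcast exceptions.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
# Broadcast actions the page lists as high-signal persistence triggers.
HIGH_SIGNAL = {
    "android.intent.action.BOOT_COMPLETED": "boot completion",
    "android.provider.Telephony.SMS_RECEIVED": "SMS receipt",
    "android.intent.action.USER_PRESENT": "screen unlock",
    "android.net.conn.CONNECTIVITY_CHANGE": "network change",
}
# Implicit broadcasts still delivered to manifest-declared receivers when the
# app targets API 26+ (taken from Android's implicit-broadcast exceptions list).
MANIFEST_EXEMPT = {"android.intent.action.BOOT_COMPLETED",
                   "android.provider.Telephony.SMS_RECEIVED"}
# Constructed decoded manifest (not from any real app) used as sample input.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="28"/>
  <application>
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PeerReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.example.otherapp.TRANSFER_DONE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_receivers(manifest_xml):
    """One finding per <receiver>: triggers, other-app actions, inert manifest actions."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(NS + "targetSdkVersion", 0)) if sdk is not None else 0
    findings = []
    for rcv in root.iter("receiver"):
        actions = [a.get(NS + "name", "") for a in rcv.iter("action")]
        findings.append({
            "receiver": rcv.get(NS + "name"),
            "triggers": [HIGH_SIGNAL[a] for a in actions if a in HIGH_SIGNAL],
            # Actions outside android.* are candidate other-application intents.
            "other_app_actions": [a for a in actions if not a.startswith("android.")],
            # Non-exempt implicit system broadcasts no longer reach manifest receivers
            # on API 26+ targets, so the app would need runtime registration instead.
            "inert_on_api26": [a for a in actions if target >= 26 and
                               a.startswith("android.") and a not in MANIFEST_EXEMPT],
        })
    return findings
```

A receiver with an empty "triggers" and "other_app_actions" list is ordinary Android behavior and needs no further review on its own.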

Mitigation priorities

  • Maintain recent Android OS versions where business constraints allow, aligning with ATT&CK mitigation M1006 Use Recent OS Version.
  • Use mobile device management or equivalent governance to inventory Android OS/API level, installed applications, and app sources for devices accessing enterprise resources.
  • Prioritize review of apps that request broad access or handle sensitive workflows, especially if they register receivers for boot, SMS, unlock, network, or other high-signal events.
  • Restrict enterprise access from devices that cannot meet minimum OS and app governance requirements, where policy permits.
  • Include broadcast receiver analysis in mobile malware response playbooks and application risk reviews rather than relying only on network indicators.

Analyst notes and limits

This object is Android-specific and is a sub-technique of Event Triggered Execution. ATT&CK relationships show use by campaign C0033 and numerous Android software entries, including SpyNote RAT, Pegasus for Android, SpyDealer, FlexiSpy, SimBad, GolfSpy, TrickMo, EventBot, DEFENSOR ID, FakeSpy, Exobot, AndroidOS/MalLocker.B, Android/AdDisplay.Ashas, GPlayed, HenBox, TERRACOTTA, Tiktok Pro, AhRat, and FlixOnline. Those relationships support treating the behavior as relevant to mobile persistence and malware triage, not as proof that any given app is malicious.

ATT&CK provides no official detection text and no tactic value for this object in the supplied fields. The take therefore identifies validation and telemetry priorities rather than guaranteed detections. Determining risk requires local app inventory, Android version data, app behavior analysis, and enterprise mobile access context.

Official MITRE ATT&CK definition

The official MITRE text is the technique description reproduced at the top of this page; the same entry is available on attack.mitre.org.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

  • Mobile | T1624 Event Triggered Execution: this object is a sub-technique of Event Triggered Execution.
  • Mobile | T1402 Broadcast Receivers: T1402 Broadcast Receivers is revoked by this object.
Associated objects

Groups, software, and campaigns

S0427: TrickMo (Malware, Mobile; platform: Android)

TrickMo is a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

S1195: SpyC23 (Malware, Mobile; platform: Android)

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

S0419: SimBad (Malware, Mobile; platform: Android)

SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.[1]

S0509: FakeSpy (Malware, Mobile; platform: Android)

FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.[1]

S0522: Exobot (Malware, Mobile; platform: Android)

Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.[1]

S1103: FlixOnline (Malware, Mobile; platform: Android)

FlixOnline is an Android malware, first detected in early 2021, believed to target users of WhatsApp. FlixOnline primarily spreads via automatic replies to a device’s incoming WhatsApp messages.[1]
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 840c2ee94fa20383...

Imported snapshots across ATT&CK releases (1):
  • Release 19.1, object version 1.1, current bundle, raw hash 840c2ee94fa2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Google. (2019, December 27). Broadcasts Overview ("Android Changes to System Broadcasts"). Retrieved January 27, 2020.
  2. [2] mitre-attack T1624.001
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.