Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.
On Android, the WorkManager API allows asynchronous tasks to be scheduled with the system. WorkManager was introduced to unify task scheduling on Android, using JobScheduler, GcmNetworkManager, and AlarmManager internally. WorkManager offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).[1]
On iOS, the NSBackgroundActivityScheduler API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.[2]
| ID | Name | Description |
|---|---|---|
| S0536 | GPlayed |
GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.[3] |
| S0545 | TERRACOTTA |
TERRACOTTA has used timer events in React Native to initiate the foreground service.[4] |
| S0558 | Tiktok Pro |
Tiktok Pro has contained an alarm that triggers every three minutes and timers for communicating with the C2.[5] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.