Foreground Persistence

Adversaries may abuse Android's startForeground() API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.[1] Applications can retain sensor access by running in the foreground, using Android’s startForeground() API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.[2]

Malicious applications may abuse the startForeground() API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.[3]

Malicious applications may also abuse the startForeground() API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.[4]

ID: T1541
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android
MTC ID: APP-19
Contributors: Lorin Wu, Trend Micro
Version: 2.1
Created: 19 November 2019
Last Modified: 12 May 2026

Procedure Examples

ID Name Description
S1225 CherryBlos

CherryBlos has utilized foreground services by showing a notification to evade detection.[5]

S9005 DocSwap

DocSwap has checked for the FOREGROUND_SERVICE permission.[6] DocSwap has also used the startForeground() API to generate a notification saying "Tap to view more details or stop the app" in Korean and to maintain persistence.[7]

S1054 Drinik

Drinik has C2 commands that can move the malware in and out of the foreground.[8]

S0485 Mandrake

Mandrake uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection.[9]

S0545 TERRACOTTA

TERRACOTTA has utilized foreground services.[10]

S0558 Tiktok Pro

Tiktok Pro has shown a persistent notification to maintain access to device sensors.[11]

Mitigations

ID Mitigation Description
M1011 User Guidance

If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0637 Detection of Foreground Persistence AN1711

The defender correlates foreground service start or promotion activity with persistent-notification presentation, long-lived application execution, and continued access to while-in-use sensors or network activity outside expected user-driven context. The analytic looks for an application invoking foreground service APIs, sustaining a foreground state longer than expected for its declared role, and retaining camera, microphone, location, or other sensor access while the device is locked, the app lacks recent interaction, or the notification identity/function does not match the application’s behavior.
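The correlation described by AN1711 can be expressed as a small rule over device telemetry. The example below is added here and is not MITRE's code or any vendor's analytic; the event records, the event names, and the two baselines (one hour of sustained foreground state, five minutes since the last interaction) are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real device logs).
# Each record: (timestamp_seconds, package_or_"device", event, detail)
EVENTS = [
    (0,    "com.example.notes",      "foreground_start", "Syncing notes"),
    (5,    "com.example.notes",      "user_interaction", ""),
    (20,   "com.example.notes",      "sensor_access",    "location"),
    (60,   "com.example.notes",      "foreground_stop",  ""),
    (0,    "com.example.flashlight", "foreground_start", "System update"),
    (120,  "device",                 "screen_locked",    ""),
    (130,  "com.example.flashlight", "sensor_access",    "microphone"),
    (7300, "com.example.flashlight", "sensor_access",    "camera"),
]


def analyze(events, max_fg_secs=3600, interaction_window_secs=300):
    """Return {package: [findings]} for foreground-service abuse indicators.

    Flags sensor access by a foreground-service app while the device is locked
    or the app has had no recent user interaction, and foreground states held
    longer than an assumed baseline for the app's role.
    """
    fg_since, last_touch, locked = {}, {}, False   # assumed baselines above
    findings = defaultdict(list)
    for ts, pkg, kind, detail in sorted(events):
        if kind == "foreground_start":
            fg_since[pkg] = ts                      # startForeground() observed
        elif kind == "foreground_stop":
            fg_since.pop(pkg, None)
        elif kind == "user_interaction":
            last_touch[pkg] = ts
            locked = False                          # interaction implies unlocked
        elif kind == "screen_locked":
            locked = True
        elif kind == "sensor_access" and pkg in fg_since:
            idle = ts - last_touch.get(pkg, fg_since[pkg]) > interaction_window_secs
            if locked or idle:
                findings[pkg].append(
                    f"{detail} access at t={ts}s while locked or without recent interaction")
            held = ts - fg_since[pkg]
            if held > max_fg_secs:
                findings[pkg].append(f"foreground state sustained {held}s, beyond baseline")
    return dict(findings)


if __name__ == "__main__":
    for pkg, notes in analyze(EVENTS).items():
        print(pkg, *notes, sep="\n  ")
```

The notes app, which interacts with the user and stops its service within a minute, produces no findings; the flashlight app, which keeps its service alive and touches the microphone and camera after the screen locks, produces three.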

References