mobile-attack/x-mitre-analytic/x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c.json

{
    "type": "bundle",
    "id": "bundle--aac969ee-f9b5-41d5-b781-2c506076c2fd",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0640#AN1715",
                    "external_id": "AN1715"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-04-13T19:26:01.974Z",
            "name": "Analytic 1715",
            "description": "Correlates (1) changes to application visibility or user-facing presence such as launcher component disablement, icon suppression, or reduced discoverability, (2) continued application execution or privileged framework activity after that visibility reduction, and (3) follow-on behavior such as background network communication, sensor access, or persistence-related state transitions. The defender observes a causal chain where an application becomes less visible to the user while retaining or increasing operational activity.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.1",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_platforms": [
                "Android"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
                    "name": "android:MDMLog",
                    "channel": "managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity"
                }
            ],
            "x_mitre_mutable_elements": [
                {
                    "field": "TimeWindow",
                    "description": "Correlation window between visibility suppression and later hidden execution or network activity"
                },
                {
                    "field": "AllowedAppList",
                    "description": "Baseline of legitimate apps allowed to hide launcher presence or disable user-facing components"
                },
                {
                    "field": "ForegroundStateRequired",
                    "description": "Whether post-hide activity is only suspicious when no foreground interaction occurs"
                },
                {
                    "field": "HiddenComponentThreshold",
                    "description": "Threshold for number or type of launcher-visible components disabled before raising suspicion"
                },
                {
                    "field": "UplinkBytesThreshold",
                    "description": "Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background telemetry"
                },
                {
                    "field": "SensorAfterHideThreshold",
                    "description": "Threshold for sensor access frequency after visibility suppression"
                }
            ]
        }
    ]
}
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`{`
			`"type": "bundle",`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"id": "bundle--aac969ee-f9b5-41d5-b781-2c506076c2fd",`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"spec_version": "2.0",`
			`"objects": [`
			`{`
			`"type": "x-mitre-analytic",`
			`"id": "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c",`
			`"created": "2025-10-21T15:10:28.402Z",`
			`"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"revoked": false,`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"external_references": [`
			`{`
			`"source_name": "mitre-attack",`
			`"url": "https://attack.mitre.org/detectionstrategies/DET0640#AN1715",`
			`"external_id": "AN1715"`
			`}`
			`],`
			`"object_marking_refs": [`
			`"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"`
			`],`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"modified": "2026-04-13T19:26:01.974Z",`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"name": "Analytic 1715",`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			"description": "Correlates (1) changes to application visibility or user-facing presence such as launcher component disablement, icon suppression, or reduced discoverability, (2) continued application execution or privileged framework activity after that visibility reduction, and (3) follow-on behavior such as background network communication, sensor access, or persistence-related state transitions. The defender observes a causal chain where an application becomes less visible to the user while retaining or increasing operational activity.",
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"x_mitre_deprecated": false,`
			`"x_mitre_version": "1.1",`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"x_mitre_attack_spec_version": "3.3.0",`
			`"x_mitre_domains": [`
			`"mobile-attack"`
			`],`
			`"x_mitre_platforms": [`
			`"Android"`
			`],`
			`"x_mitre_log_source_references": [`
			`{`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",`
			`"name": "android:MDMLog",`
			`"channel": "managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity"`
			`}`
			`],`
			`"x_mitre_mutable_elements": [`
			`{`
			`"field": "TimeWindow",`
			`"description": "Correlation window between visibility suppression and later hidden execution or network activity"`
			`},`
			`{`
			`"field": "AllowedAppList",`
			`"description": "Baseline of legitimate apps allowed to hide launcher presence or disable user-facing components"`
			`},`
			`{`
			`"field": "ForegroundStateRequired",`
			`"description": "Whether post-hide activity is only suspicious when no foreground interaction occurs"`
			`},`
			`{`
			`"field": "HiddenComponentThreshold",`
			`"description": "Threshold for number or type of launcher-visible components disabled before raising suspicion"`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`},`
			`{`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"field": "UplinkBytesThreshold",`
			`"description": "Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background telemetry"`
			`},`
			`{`
			`"field": "SensorAfterHideThreshold",`
			`"description": "Threshold for sensor access frequency after visibility suppression"`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`}`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`]`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`}`
			`]`
			`}`