mobile-attack/x-mitre-analytic/x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869.json

{
    "type": "bundle",
    "id": "bundle--966355b9-c598-4e03-988b-9e43ea15f925",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0703#AN1822",
                    "external_id": "AN1822"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-04-09T17:53:31.236Z",
            "name": "Analytic 1822",
            "description": "The defender correlates call-control capability or telecom role state with subsequent unauthorized call initiation, answer, block, redirect, or concealment behavior by an application outside expected telephony workflows. The analytic prioritizes Android-observable control-plane effects: dangerous or role-gated call-control permissions, default dialer or ConnectionService-related role changes, telecom framework invocation for call placement or handling, write activity against call-log records, and call-control activity occurring from background or locked-device context without recent user interaction.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.1",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_platforms": [
                "Android"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
                    "name": "android:MDMLog",
                    "channel": "Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
                    "name": "android:MDMLog",
                    "channel": "Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
                    "name": "MobileEDR:telemetry",
                    "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
                    "name": "MobileEDR:telemetry",
                    "channel": "Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history"
                }
            ],
            "x_mitre_mutable_elements": [
                {
                    "field": "TimeWindow",
                    "description": "Correlation window between permission or role state, call-control action, call-log mutation, and follow-on network communication"
                },
                {
                    "field": "AllowedAppList",
                    "description": "Apps legitimately expected to initiate or manage calls, such as default dialers, carrier tools, enterprise communications apps, or approved call-screening apps"
                },
                {
                    "field": "AllowedDialerRoles",
                    "description": "Approved packages allowed to become default dialer or telecom-managing app on managed devices"
                },
                {
                    "field": "AllowedDestinationList",
                    "description": "Approved network destinations associated with legitimate VoIP, carrier, or enterprise communications workflows"
                },
                {
                    "field": "ForegroundStateRequired",
                    "description": "Whether call-control actions should occur only during active user-driven workflows"
                },
                {
                    "field": "CallLogModificationThreshold",
                    "description": "Number of call-log insert, update, or delete operations within a short interval required before alerting"
                },
                {
                    "field": "CallActionRateThreshold",
                    "description": "Maximum expected rate of call placement, answer, redirect, or block actions for legitimate app behavior"
                },
                {
                    "field": "HighRiskNumberPatterns",
                    "description": "Environment-specific list of suspicious, premium-rate, or adversary-known phone-number patterns"
                }
            ]
        }
    ]
}
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`{`
			`"type": "bundle",`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"id": "bundle--966355b9-c598-4e03-988b-9e43ea15f925",`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"spec_version": "2.0",`
			`"objects": [`
			`{`
			`"type": "x-mitre-analytic",`
			`"id": "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869",`
			`"created": "2025-10-21T15:10:28.402Z",`
			`"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"revoked": false,`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"external_references": [`
			`{`
			`"source_name": "mitre-attack",`
			`"url": "https://attack.mitre.org/detectionstrategies/DET0703#AN1822",`
			`"external_id": "AN1822"`
			`}`
			`],`
			`"object_marking_refs": [`
			`"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"`
			`],`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"modified": "2026-04-09T17:53:31.236Z",`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"name": "Analytic 1822",`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			"description": "The defender correlates call-control capability or telecom role state with subsequent unauthorized call initiation, answer, block, redirect, or concealment behavior by an application outside expected telephony workflows. The analytic prioritizes Android-observable control-plane effects: dangerous or role-gated call-control permissions, default dialer or ConnectionService-related role changes, telecom framework invocation for call placement or handling, write activity against call-log records, and call-control activity occurring from background or locked-device context without recent user interaction.",
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"x_mitre_deprecated": false,`
			`"x_mitre_version": "1.1",`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`"x_mitre_attack_spec_version": "3.3.0",`
			`"x_mitre_domains": [`
			`"mobile-attack"`
			`],`
			`"x_mitre_platforms": [`
			`"Android"`
			`],`
			`"x_mitre_log_source_references": [`
			`{`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",`
			`"name": "android:MDMLog",`
			`"channel": "Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity"`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`},`
			`{`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",`
			`"name": "android:MDMLog",`
			`"channel": "Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase"`
			`},`
			`{`
			`"x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",`
			`"name": "MobileEDR:telemetry",`
			`"channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase"`
			`},`
			`{`
			`"x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",`
			`"name": "MobileEDR:telemetry",`
			`"channel": "Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history"`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`}`
			`],`
ATT&CK v19.0 Mobile 2026-04-27 15:19:48 -04:00			`"x_mitre_mutable_elements": [`
			`{`
			`"field": "TimeWindow",`
			`"description": "Correlation window between permission or role state, call-control action, call-log mutation, and follow-on network communication"`
			`},`
			`{`
			`"field": "AllowedAppList",`
			`"description": "Apps legitimately expected to initiate or manage calls, such as default dialers, carrier tools, enterprise communications apps, or approved call-screening apps"`
			`},`
			`{`
			`"field": "AllowedDialerRoles",`
			`"description": "Approved packages allowed to become default dialer or telecom-managing app on managed devices"`
			`},`
			`{`
			`"field": "AllowedDestinationList",`
			`"description": "Approved network destinations associated with legitimate VoIP, carrier, or enterprise communications workflows"`
			`},`
			`{`
			`"field": "ForegroundStateRequired",`
			`"description": "Whether call-control actions should occur only during active user-driven workflows"`
			`},`
			`{`
			`"field": "CallLogModificationThreshold",`
			`"description": "Number of call-log insert, update, or delete operations within a short interval required before alerting"`
			`},`
			`{`
			`"field": "CallActionRateThreshold",`
			`"description": "Maximum expected rate of call placement, answer, redirect, or block actions for legitimate app behavior"`
			`},`
			`{`
			`"field": "HighRiskNumberPatterns",`
			`"description": "Environment-specific list of suspicious, premium-rate, or adversary-known phone-number patterns"`
			`}`
			`]`
ATT&CK v18.0 Mobile 2025-10-27 14:36:06 -04:00			`}`
			`]`
			`}`