{ "type": "bundle", "id": "bundle--393a9935-5114-4fc4-bb80-8545b22643e4", "spec_version": "2.0", "objects": [ { "type": "x-mitre-analytic", "id": "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1853", "external_id": "AN1853" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2026-03-17T15:44:07.335Z", "name": "Analytic 1853", "description": "The defender correlates the arrival, installation, or update of a trusted or expected application with a subsequent deviation in package trust characteristics, permission posture, protected-resource use, framework behavior, or network communication that is inconsistent with the known-good role of that app. The strongest Android evidence is a managed or trusted package whose first-run or post-update behavior introduces unexpected special access, sensitive sensor use, unusual background execution, privileged framework interaction, or outbound communication to destinations outside the app's baseline shortly after installation or update.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_platforms": [ "Android" ], "x_mitre_log_source_references": [ { "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "name": "android:MDMLog", "channel": "Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline" }, { "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9", "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence" }, { "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access" }, { "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "name": "MobileEDR:telemetry", "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer" } ], "x_mitre_mutable_elements": [ { "field": "TimeWindow", "description": "Correlation window between install/update and subsequent runtime/network effects." }, { "field": "AllowedAppList", "description": "Approved managed or trusted applications vary by organization and device group." }, { "field": "AllowedInstallerSources", "description": "Permitted installer source or app delivery mechanism differs by fleet and policy." }, { "field": "AllowedSigningBaseline", "description": "Expected signing lineage, certificate relationship, or integrity metadata vary by package." }, { "field": "ForegroundStateRequired", "description": "Some protected-resource use is legitimate only when an app is foregrounded." }, { "field": "RecentUserInteractionWindow", "description": "Defines how close behavior must be to user interaction to be considered expected." }, { "field": "AllowedDestinations", "description": "Expected app destinations, CDNs, APIs, and service providers vary by app and tenant." } ] } ] }