cti/mobile-attack/x-mitre-analytic/x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c.json

{
    "type": "bundle",
    "id": "bundle--393a9935-5114-4fc4-bb80-8545b22643e4",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "x-mitre-analytic",
            "id": "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c",
            "created": "2025-10-21T15:10:28.402Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1853",
                    "external_id": "AN1853"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-03-17T15:44:07.335Z",
            "name": "Analytic 1853",
            "description": "The defender correlates the arrival, installation, or update of a trusted or expected application with a subsequent deviation in package trust characteristics, permission posture, protected-resource use, framework behavior, or network communication that is inconsistent with the known-good role of that app. The strongest Android evidence is a managed or trusted package whose first-run or post-update behavior introduces unexpected special access, sensitive sensor use, unusual background execution, privileged framework interaction, or outbound communication to destinations outside the app's baseline shortly after installation or update.",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.1",
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_domains": [
                "mobile-attack"
            ],
            "x_mitre_platforms": [
                "Android"
            ],
            "x_mitre_log_source_references": [
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
                    "name": "android:MDMLog",
                    "channel": "Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
                    "name": "MobileEDR:telemetry",
                    "channel": "Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
                    "name": "MobileEDR:telemetry",
                    "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access"
                },
                {
                    "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
                    "name": "MobileEDR:telemetry",
                    "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer"
                }
            ],
            "x_mitre_mutable_elements": [
                {
                    "field": "TimeWindow",
                    "description": "Correlation window between install/update and subsequent runtime/network effects."
                },
                {
                    "field": "AllowedAppList",
                    "description": "Approved managed or trusted applications vary by organization and device group."
                },
                {
                    "field": "AllowedInstallerSources",
                    "description": "Permitted installer source or app delivery mechanism differs by fleet and policy."
                },
                {
                    "field": "AllowedSigningBaseline",
                    "description": "Expected signing lineage, certificate relationship, or integrity metadata vary by package."
                },
                {
                    "field": "ForegroundStateRequired",
                    "description": "Some protected-resource use is legitimate only when an app is foregrounded."
                },
                {
                    "field": "RecentUserInteractionWindow",
                    "description": "Defines how close behavior must be to user interaction to be considered expected."
                },
                {
                    "field": "AllowedDestinations",
                    "description": "Expected app destinations, CDNs, APIs, and service providers vary by app and tenant."
                }
            ]
        }
    ]
}