MITRE ATT&CK® Analytic

AN1645: Analytic 1645

The defender correlates SMS-relevant permission state or default SMS handler role with subsequent unauthorized SMS send, receive interception, message database modification, deletion, or concealment behavior by an application outside expected messaging workflows. The analytic prioritizes Android-observable control-plane effects: SEND_SMS or RECEIVE_SMS capability, default SMS handler change or exercise of SMS_DELIVER semantics, direct interaction with the SMS content provider or messaging database, and SMS activity occurring from background or locked-device state without recent user interaction.

Mobile | AN1645 | Analytic object | v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because SMS control on Android can affect identity verification, account recovery, customer communications, and evidence integrity on managed mobile devices. The decision value is not simply whether an app has SMS permissions, but whether permission or default-handler status is followed by suspicious SMS sending, interception, deletion, concealment, or database changes outside normal messaging workflows.

Executive priority

Security leaders should treat this as a mobile identity and resilience control question: can the organization prove when Android apps gain SMS-relevant capability and whether that capability is used in unexpected ways? This is especially relevant where SMS is still part of authentication, approval, or operational communication processes. Priority should go to environments with managed Android fleets, mobile threat monitoring, or compliance obligations requiring evidence of mobile application behavior and user-consent enforcement.

Technical view

For SOC, mobile security, and IR teams, validate whether Android telemetry can correlate permission state, default SMS handler role, SMS_DELIVER semantics, SMS content provider or messaging database access, and SMS activity from background or locked-device state. Because no standalone ATT&CK detection text or relationships were supplied, teams should build coverage around the observable control-plane effects named in the analytic description rather than infer a specific tactic or intrusion stage.

Likely telemetry

  • Android app permission state for SEND_SMS and RECEIVE_SMS
  • Default SMS handler role changes and usage
  • SMS_DELIVER-related behavior where observable
  • SMS send and receive activity attributed to application/process context
  • Direct access to SMS content provider or messaging database

Detection direction

  • Correlate SMS-relevant capability changes with subsequent SMS activity rather than alerting on permission presence alone.
  • Prioritize apps outside expected messaging workflows, especially when SMS activity occurs in the background or while the device is locked without recent user interaction.
  • Tune for legitimate default SMS applications, carrier/OEM messaging components, enterprise-approved messaging tools, and expected user-driven SMS actions to reduce false positives.
  • Validate whether telemetry can distinguish user-initiated SMS actions from background app behavior; this distinction is likely to decide analytic quality.
  • Confirm whether message database modification, deletion, or concealment is visible in the organization’s Android monitoring stack; this may be a blind spot on unmanaged or lightly monitored devices.
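The correlation the bullets above describe, as an added example that is not part of the ATT&CK object or Glexia's page: it walks a constructed stream of Android telemetry records, remembers when each app acquired SMS capability (SEND_SMS/RECEIVE_SMS grant or default SMS handler role), and raises an alert only when a non-expected app later performs an SMS effect, escalating severity when that effect happens in the background, on a locked device, or without recent user interaction. The package names, event kinds, field layout and the 60-second interaction threshold are assumptions for the illustration.

```python
from dataclasses import dataclass

# Assumed allowlist of apps expected to handle SMS on this fleet (constructed).
EXPECTED_SMS_APPS = {"com.android.messaging", "com.example.corp.messenger"}
SMS_PERMISSIONS = {"SEND_SMS", "RECEIVE_SMS"}
SMS_EFFECT_EVENTS = {"sms_send", "sms_receive_intercept", "sms_db_modify", "sms_db_delete"}
RECENT_INTERACTION_S = 60   # assumed threshold for "recent user interaction"

@dataclass
class Event:
    ts: int                 # epoch seconds
    kind: str               # permission_grant, default_sms_handler_change, sms_* effects
    app: str                # package name attributed to the event
    detail: str = ""        # permission name, role name or DB action
    background: bool = False
    locked: bool = False
    idle_s: int = 0         # seconds since the last user interaction

def grants_sms_capability(e):
    """True for the control-plane events the analytic treats as capability acquisition."""
    return e.kind == "default_sms_handler_change" or (
        e.kind == "permission_grant" and e.detail in SMS_PERMISSIONS)

def correlate(events):
    """Alert on SMS effects by non-expected apps that follow an observed capability change."""
    capability = {}         # app -> ts of the most recent capability acquisition
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if grants_sms_capability(e):
            capability[e.app] = e.ts
        elif e.kind in SMS_EFFECT_EVENTS and e.app not in EXPECTED_SMS_APPS and e.app in capability:
            no_user = e.background or e.locked or e.idle_s > RECENT_INTERACTION_S
            alerts.append({"app": e.app, "kind": e.kind, "ts": e.ts,
                           "capability_ts": capability[e.app],
                           "severity": "high" if no_user else "medium"})
    return alerts

# Constructed sample telemetry, not real device logs.
SAMPLE = [
    Event(100, "permission_grant", "com.android.messaging", "SEND_SMS"),
    Event(110, "sms_send", "com.android.messaging", idle_s=2),                  # expected app
    Event(200, "permission_grant", "com.example.flashlight", "RECEIVE_SMS"),
    Event(210, "default_sms_handler_change", "com.example.flashlight", "ROLE_SMS"),
    Event(260, "sms_receive_intercept", "com.example.flashlight", background=True, locked=True, idle_s=900),
    Event(262, "sms_db_delete", "com.example.flashlight", "delete", background=True, idle_s=902),
    Event(300, "sms_send", "com.example.notesapp", idle_s=5),                   # no capability seen
    Event(400, "sms_send", "com.example.flashlight", idle_s=3),                 # user-driven
]

if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print(a)
```

An effect with no observed capability event (the notes app above) produces nothing here, which is exactly the blind spot the last bullet asks teams to confirm against their own telemetry.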

Mitigation priorities

  • Inventory where Android devices are managed and whether SMS permissions and default SMS handler changes are governed.
  • Restrict or review SMS permissions for applications that do not have a business need to send, receive, or manage SMS.
  • Use mobile management controls to enforce approved messaging apps and monitor default SMS handler changes where supported.
  • Reduce business reliance on SMS for sensitive authentication or recovery workflows where stronger alternatives are available.
  • Ensure IR playbooks include collection of mobile app permission history, default-handler changes, SMS event context, and message database artifacts when investigating suspicious Android SMS behavior.

Analyst notes and limits

This object is an ATT&CK mobile detection analytic for Android. The supplied description gives useful analytic logic, but no official detection field, tactics, aliases, labels, or relationship context were provided. Glexia’s interpretation therefore focuses on validation of telemetry, control coverage, and investigation readiness rather than asserting a specific adversary objective or known procedure.

Assessment is limited to the supplied STIX fields, external reference, and absence of relationship context. Local Android version, device management posture, user privacy settings, OEM/carrier behavior, and mobile security tooling will determine whether the named evidence classes are actually collectible and reliable.

Official MITRE ATT&CK definition

Analytic 1645

The official description is identical to the analytic description reproduced at the top of this page.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: c2486d2e62cbd63f...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.1                         Current bundle   c2486d2e62cb…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1645 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.