MITRE ATT&CK® Analytic

AN1646: Analytic 1646

Defender correlates an app enumerating installed packages (PackageManager queries or shell 'pm list packages') with selective checks for high-value targets (banking/identity/security apps) and near-term persistence/egress of the inventory. Chain: capability to query apps → burst of enumeration calls or shell listing → optional foreground target detection → local inventory file → small POST to remote endpoint.

Mobile · AN1646 · Analytic object · v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because an Android app that inventories installed packages can learn whether a user has banking, identity, or security apps installed and then exfiltrate that profile. For leaders, the business issue is not just app discovery; it is whether mobile security monitoring can spot sensitive-app profiling before it supports fraud, credential targeting, or follow-on abuse.

Executive priority

Prioritize this as a mobile risk and evidence question: do managed mobile, SOC, and incident response teams have visibility into Android package-enumeration behavior, local inventory creation, and small outbound POST activity from apps? It is especially relevant where employees use Android devices for identity, banking, privileged access, or business communications. Because ATT&CK provides no tactic mapping or relationships here, treat it as a validation item for mobile telemetry readiness rather than proof of a specific threat campaign.

Technical view

For Android, validate whether telemetry can correlate three signals from the same app in a near-term sequence: use of PackageManager queries or shell-based package listing, selective checks for high-value app categories such as banking, identity, or security tools, and persistence or egress of the resulting inventory through a local file followed by a small POST to a remote endpoint. Detection engineering should focus on correlation and context, since legitimate device-management, security, or productivity apps may also enumerate packages.

Likely telemetry

  • Android app behavior telemetry covering PackageManager package queries
  • Shell command or process telemetry for use of pm list packages where available
  • Mobile endpoint or EDR telemetry showing local file creation or modification that stores app inventory
  • Network telemetry showing small HTTP POST requests from the app to a remote endpoint
  • Application identity, signing, install source, and reputation/context metadata

Detection direction

  • Build or validate correlation logic across enumeration burst, high-value app checks, local inventory persistence, and near-term outbound POST from the same app.
  • Tune detections to distinguish expected package enumeration by managed security, enterprise mobility, launcher, backup, or device-management apps from unusual behavior by low-trust or newly installed apps.
  • Confirm whether Android telemetry exposes PackageManager queries; many environments may only see network or app reputation data, creating a major blind spot.
  • Use app identity, signing certificate, install source, user role, device ownership, and destination reputation as enrichment rather than relying on a single package-listing signal.
  • Because ATT&CK supplies no tactic mapping, relationship context, or official detection text, avoid over-scoping this analytic beyond the described Android behavior chain.
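A sketch of the correlation logic the bullets above call for, written here as an added example and not part of the ATT&CK object or Glexia's analysis. The event schema, thresholds, allowlist and package names are constructed assumptions; the point it shows is that the alert fires only when enumeration, inventory persistence and a small POST come from the same untrusted app within one window, so launchers, backup tools and allowlisted MDM agents stay quiet.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    ts: int        # seconds on a constructed clock
    app: str       # package name of the app performing the action
    kind: str      # pkg_query | pm_list | target_check | file_write | http_post
    size: int = 0  # bytes; only meaningful for http_post
# Thresholds are assumptions for this example, not values from ATT&CK.
WINDOW_SECS = 600      # the whole chain must complete within 10 minutes
BURST_MIN = 20         # this many PackageManager queries counts as a burst
SMALL_POST_MAX = 4096  # "small POST": body of at most 4 KiB
TRUSTED = {"com.example.mdm"}  # managed MDM/EDR apps expected to enumerate

def correlate(events, trusted=TRUSTED):
    """Return [(app, reason)] for untrusted apps whose events form the chain."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_app[e.app].append(e)
    alerts = []
    for app, evs in by_app.items():
        if app in trusted:
            continue  # enrichment (signing, install source) says enumeration is expected
        enum = [e for e in evs if e.kind in ("pkg_query", "pm_list")]
        if not any(e.kind == "pm_list" for e in enum) and len(enum) < BURST_MIN:
            continue  # neither a shell listing nor a query burst
        start = enum[0].ts
        tail = [e for e in evs if start <= e.ts <= start + WINDOW_SECS]
        writes = [e.ts for e in tail if e.kind == "file_write"]
        posts = [e for e in tail if e.kind == "http_post" and 0 < e.size <= SMALL_POST_MAX]
        if not writes or not any(p.ts >= min(writes) for p in posts):
            continue  # inventory never persisted, or no small POST after persistence
        reason = "enumeration -> inventory file -> small POST"
        if any(e.kind == "target_check" for e in tail):
            reason += " (+ high-value app check)"
        alerts.append((app, reason))
    return alerts
def sample_events():
    """Constructed telemetry for four apps; only one should alert."""
    ev = [Event(100 + i, "com.example.mdm", "pkg_query") for i in range(30)]  # allowlisted agent
    ev += [Event(140, "com.example.mdm", "file_write"), Event(150, "com.example.mdm", "http_post", 900)]
    ev += [Event(200 + i, "com.example.launcher", "pkg_query") for i in range(25)]  # burst only
    ev += [Event(300, "com.example.backup", "pm_list"), Event(310, "com.example.backup", "file_write"),
           Event(320, "com.example.backup", "http_post", 5_000_000)]  # large upload, not a small POST
    ev += [Event(400 + i, "com.example.suspect", "pkg_query") for i in range(25)]  # full chain
    ev += [Event(430, "com.example.suspect", "target_check"), Event(440, "com.example.suspect", "file_write"),
           Event(470, "com.example.suspect", "http_post", 1200)]
    return ev
```

Dropping the allowlist (`trusted=set()`) makes the MDM agent alert too, which is the false-positive class the tuning bullet warns about.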

Mitigation priorities

  • Inventory which Android devices and user groups require mobile threat detection or managed-device visibility, especially those used for identity, privileged access, or sensitive business workflows.
  • Restrict installation sources and enforce mobile device management or mobile application management controls where appropriate.
  • Review permissions, app provenance, and allow/deny policies for apps that can enumerate installed packages or behave suspiciously after install.
  • Ensure incident response playbooks include mobile evidence collection for app behavior, local files, and outbound network activity.
  • Use compliance and audit processes to document whether mobile monitoring can support investigations involving sensitive-app profiling and data egress.

Analyst notes and limits

This Glexia take is based on a detection analytic object for Android in the mobile ATT&CK domain. The most decision-relevant element is the described behavior chain: package enumeration, selective checks for high-value apps, inventory persistence, and small POST egress. No relationships were supplied, so there is no ATT&CK-linked technique, actor, software, or campaign context to add.

Official detection content, tactics, labels, aliases, and relationship context were not supplied. Local telemetry availability will determine whether this can be detected directly or only inferred from network/app-risk signals. This summary does not claim active exploitation, attribution, impact, or guaranteed coverage.

Official MITRE ATT&CK definition

Analytic 1646

Defender correlates an app enumerating installed packages (PackageManager queries or shell 'pm list packages') with selective checks for high-value targets (banking/identity/security apps) and near-term persistence/egress of the inventory. Chain: capability to query apps → burst of enumeration calls or shell listing → optional foreground target detection → local inventory file → small POST to remote endpoint.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 02baada956303055...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 02baada95630…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1646 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.