MITRE ATT&CK® Analytic

AN1657: Analytic 1657

The defender correlates app-driven shell-launch behavior with subsequent execution of Unix shell processes or shell-script activity under the same app context, especially when execution occurs from background state, without recent user interaction, or is followed by file-system, privilege-escalation, or network effects inconsistent with the app's declared role. The analytic prioritizes Android-observable control-plane effects: Runtime or ProcessBuilder invocation, spawn of sh/toybox/toolbox/su or equivalent shell process, script-file staging or redirected output, and post-execution network or local artifact creation.

Domain: Mobile | ID: AN1657 | Type: Analytic object | Version: 1.1 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because an Android app that launches a shell can cross an important trust boundary: behavior that looks like a normal mobile app may actually be driving command execution, script activity, file changes, privilege-related actions, or network activity. For executives and security leaders, the decision point is whether mobile security monitoring can distinguish expected app behavior from app-controlled command execution that could affect sensitive data, managed devices, or operational workflows that rely on Android endpoints.

Executive priority

Prioritize this as a mobile endpoint visibility and incident-readiness question, not just a malware-detection rule. Leaders should ask whether Android fleets, especially managed or business-critical devices, produce enough telemetry to prove when an app spawns shell processes such as sh, toybox, toolbox, or su, and whether the SOC can correlate that activity with app context, background execution, user interaction, filesystem changes, privilege-related effects, and network behavior. This supports control validation, mobile risk management, and compliance evidence where organizations must demonstrate monitoring over managed endpoints.

Technical view

For Android, validate whether telemetry can correlate app-driven Runtime or ProcessBuilder invocation with subsequent Unix shell process or shell-script activity under the same app context. Detection engineering should focus on context: shell execution from a background app state, no recent user interaction, script-file staging, redirected output, local artifact creation, post-execution network activity, or privilege-escalation-related effects inconsistent with the app’s declared role. Because ATT&CK provides no separate detection text and no relationship context for this analytic, local baselining is essential to separate legitimate enterprise apps, device-management tooling, testing utilities, and OEM behavior from suspicious app-controlled shell activity.

Likely telemetry

  • Android app/process execution telemetry showing app context and spawned child processes
  • Signals for Runtime or ProcessBuilder-style command invocation where available
  • Process names and command context for sh, toybox, toolbox, su, or equivalent shell processes
  • App foreground/background state and recent user-interaction indicators
  • Filesystem telemetry for script staging, redirected output, or newly created local artifacts

Detection direction

  • Confirm that Android telemetry preserves package/app identity, process lineage, timestamps, and foreground/background state; without these, correlation quality will be weak.
  • Build correlation around app-to-shell execution followed by filesystem, privilege-related, or network effects rather than alerting on shell process names alone.
  • Tune for declared app role and expected behavior to reduce false positives from device management tools, developer utilities, diagnostic apps, OEM components, or legitimate automation.
  • Prioritize cases with background execution, no recent user interaction, script staging, redirected output, or post-execution effects inconsistent with the app’s normal purpose.
  • Validate retention and queryability across mobile endpoint, MDM, EDR, and network logs so incident responders can reconstruct the app context around shell activity.
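As an added illustration of the correlation logic in the detection direction above (this is not part of the ATT&CK analytic or Glexia's page), the following Python sketch scores app-to-shell spawns only when a filesystem, privilege or network effect from the same package follows within a window, and raises severity for background state, no recent user interaction, a role that does not explain shell use, and privilege change. The telemetry line format, the 60 s correlation window, the 120 s interaction threshold and the sample packages are all constructed assumptions.

```python
from datetime import datetime, timedelta

SHELLS = {"sh", "toybox", "toolbox", "su"}        # shell processes the analytic names
FOLLOW_ON = {"file_create", "net_connect", "priv_change"}  # post-execution effects
WINDOW = timedelta(seconds=60)    # assumed window between shell spawn and its effects
IDLE = timedelta(seconds=120)     # assumed threshold for "no recent user interaction"

def parse(line):
    """Constructed line format: ISO-timestamp|package|event|detail."""
    ts, pkg, event, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "pkg": pkg, "event": event, "detail": detail}

def correlate(lines, shell_expected):
    """One finding per shell spawn followed by an effect from the same package."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    last_touch, state, findings = {}, {}, []
    for i, ev in enumerate(events):
        pkg = ev["pkg"]
        if ev["event"] == "user_interaction":
            last_touch[pkg] = ev["ts"]
        elif ev["event"] == "app_state":          # detail is foreground/background
            state[pkg] = ev["detail"]
        elif ev["event"] == "spawn" and ev["detail"] in SHELLS:
            effects = sorted({e["event"] for e in events[i + 1:]
                              if e["pkg"] == pkg and e["event"] in FOLLOW_ON
                              and e["ts"] - ev["ts"] <= WINDOW})
            if not effects:                       # a shell name alone is not a finding
                continue
            touch = last_touch.get(pkg)
            background = state.get(pkg) == "background"
            idle = touch is None or ev["ts"] - touch > IDLE
            # Each context signal the analytic calls out raises the score by one.
            score = (background + idle + (not shell_expected.get(pkg, False))
                     + ("priv_change" in effects))
            findings.append({"pkg": pkg, "shell": ev["detail"], "effects": effects,
                             "background": background, "no_recent_interaction": idle,
                             "severity": "high" if score >= 3 else "medium" if score == 2 else "low"})
    return findings

# Constructed telemetry: an MDM agent whose declared role includes shell use, a
# flashlight app spawning su from the background, and a spawn with no follow-on effect.
SAMPLE = [
    "2024-05-01T10:00:00|com.example.mdm|user_interaction|tap",
    "2024-05-01T10:00:05|com.example.mdm|spawn|sh",
    "2024-05-01T10:00:06|com.example.mdm|file_create|/data/data/com.example.mdm/files/inv.txt",
    "2024-05-01T10:30:00|com.example.flashlight|app_state|background",
    "2024-05-01T10:30:10|com.example.flashlight|spawn|su",
    "2024-05-01T10:30:11|com.example.flashlight|priv_change|uid 0",
    "2024-05-01T10:30:12|com.example.flashlight|net_connect|203.0.113.10:443",
    "2024-05-01T11:00:00|com.example.notes|spawn|toybox",
]
ROLES = {"com.example.mdm": True}   # True: shell use fits the app's declared role
```

Running `correlate(SAMPLE, ROLES)` yields a low-severity finding for the MDM agent and a high-severity one for the flashlight app; the bare toybox spawn produces nothing, which is the point of correlating effects rather than alerting on shell names.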

Mitigation priorities

  • Establish an inventory of managed Android apps and their expected roles so shell-launching behavior can be judged against business need.
  • Restrict app installation sources and enforce mobile device management controls where applicable to reduce unmanaged app execution risk.
  • Review permissions, device posture, and app trust decisions for applications that can execute commands or create local artifacts.
  • Ensure SOC and IR playbooks include triage steps for app-driven shell execution, including package identity, user interaction state, filesystem artifacts, and network follow-on activity.
  • Use findings from detections to refine mobile application allowlisting, configuration hardening, and compliance evidence for managed Android endpoints.

Analyst notes and limits

This is a detection analytic object for the ATT&CK mobile domain and Android platform. Its value is in correlating app-driven shell launch behavior with subsequent shell, script, filesystem, privilege-related, and network effects. No tactics, related techniques, groups, software, mitigations, or separate official detection procedure were supplied, so the take is intentionally framed around validation of telemetry and analytic design rather than threat attribution or confirmed coverage.

The supplied ATT&CK fields do not include tactic mappings, relationships, active exploitation claims, specific mitigations, or a formal detection procedure beyond the analytic description. Practical fidelity depends on the organization’s Android management model, available mobile telemetry, app inventory, and ability to correlate process, app state, filesystem, privilege-related, and network evidence.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

  • ATT&CK release: 19.1
  • Object version: 1.1
  • Created:
  • Modified:
  • Raw hash: a3ab19875a7ccf82...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.1            |          | Current bundle | a3ab19875a7c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1657 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.