AN1660: Analytic 1660

On Android, the user can review which applications can use premium SMS features in the "Special access" page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.

MobileAN1660AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

This analytic is about mobile-app risk around premium SMS capability and apps requesting SMS-sending permission. The business relevance is cost fraud, user trust, and mobile-device governance: if an app can send SMS or access premium SMS features, organizations need to know whether that capability is expected, approved, and monitored. However, the supplied ATT&CK metadata lists the platform as iOS while the official description refers to Android settings and the Android `SEND_SMS` permission, so teams should treat this as a documentation ambiguity that requires local validation before using it as a control or audit assertion.

Executive priority

Prioritize this as a mobile application governance and compliance-readiness question rather than a confirmed detection rule. Leaders should ask whether managed or corporate mobile devices have an app-vetting process that flags sensitive SMS permissions, whether premium SMS abuse would create financial or reputational exposure, and whether mobile security evidence is available for audits or incident response. Because no tactic, detection logic, or relationships are supplied, this should not be used alone to justify coverage claims.

Technical view

For SOC, mobile security, and IR teams, the concrete validation item is whether app inventory or application vetting can identify applications requesting SMS-sending capability, specifically the `SEND_SMS` permission described in the official text. Teams should also reconcile the platform conflict: ATT&CK metadata says iOS, but the description describes Android premium SMS settings. Do not deploy platform-specific detections until the applicable mobile ecosystem is confirmed. If used operationally, tune for approved business apps that legitimately use SMS and escalate unexpected or newly introduced SMS permissions for review.

Likely telemetry

Mobile application inventory and installed-app metadata
Application permission manifests from mobile app vetting services
Mobile device management or enterprise mobility management records
App approval/allowlist and exception records
User or device reports related to unexpected SMS or premium SMS charges

Detection direction

Validate whether app-vetting tools can surface SMS-related permissions such as `SEND_SMS` as described in the ATT&CK object.
Confirm the applicable platform before implementation because the supplied platform field and description are inconsistent.
Baseline which approved apps have a legitimate business need for SMS capability to reduce false positives.
Look for newly installed, newly updated, or unapproved apps requesting SMS capability, where telemetry supports that review.
Avoid claiming SOC detection coverage from this object alone because the official detection field is not provided and no relationships are supplied.

Mitigation priorities

Maintain a governed mobile app approval process for corporate or managed devices.
Require review of applications requesting sensitive SMS capabilities before approval or deployment.
Use mobile app vetting and device management controls to inventory and restrict high-risk permissions where supported.
Document approved exceptions and review them periodically for compliance evidence.
Include suspected premium SMS or unauthorized SMS behavior in mobile incident response intake and triage procedures.

Analyst notes and limits

The most important analytic value is the permission-governance signal: SMS-sending capability should be uncommon enough to deserve review. The supplied object does not provide tactic mapping, detection logic, or relationship context, and it contains a notable platform mismatch between iOS metadata and Android-specific description. Glexia would treat this as a prompt to validate mobile telemetry and app-vetting controls, not as a ready-to-run detection.

This take uses only the supplied STIX fields, external reference, and relationship context. No official detection text, ATT&CK relationships, aliases, labels, or tactics were provided. The object lists platform iOS, but the description references Android premium SMS settings and `SEND_SMS`; local source validation is required before operational use.

Official MITRE ATT&CK definition

Analytic 1660

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 6e0dd81e3a775114...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`6e0dd81e3a77…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1660
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use