AN1669: Analytic 1669
A defender correlates navigation to external web content in a browser or embedded WebView with immediate script-heavy or exploit-preparation network activity, followed by abnormal browser/WebView process behavior, suspicious file or download artifacts, or rapid post-visit capability shifts such as new package install attempts, overlay prompts, permission requests, or outbound command traffic inconsistent with normal browsing.
Analyst context for executives and security teams
This analytic matters because Android browsing and embedded WebView activity can be an entry point for unwanted capability changes on a device. For leaders, the decision value is whether mobile security monitoring can connect a user’s visit to external web content with what happens immediately afterward: unusual network activity, abnormal browser/WebView behavior, suspicious downloads, install attempts, overlay prompts, permission requests, or outbound traffic that does not look like normal browsing.
Executive priority
Prioritize this as a mobile monitoring and incident-readiness question rather than a single alert rule. Executives and security leaders should ask whether Android endpoints, managed mobile devices, and mobile applications using WebView produce enough evidence to reconstruct post-visit behavior. This supports business continuity, compliance evidence, and incident decision-making by helping teams distinguish ordinary web use from suspicious chains that may require device isolation, user support, application review, or broader mobile risk response.
Technical view
For SOC, detection engineering, and IR teams, validate whether Android telemetry can correlate browser or embedded WebView navigation to external content with near-term changes in network, process, file/download, package-install, overlay, permission, and outbound command-like activity. Because the ATT&CK object provides an analytic description but no formal detection logic or tactic mapping, teams should implement this as a correlation pattern and tune it against normal browsing, application update, authentication, and in-app WebView behavior.
Likely telemetry
- Android browser and embedded WebView navigation events, where available
- Network connection and DNS/URL telemetry around external web content access
- Indicators of script-heavy or exploit-preparation network activity, if observable in existing tooling
- Browser or WebView process behavior and crash/anomaly signals
- File and download artifact metadata on Android devices
Detection direction
- Validate time-window correlation from external web or WebView navigation to immediate suspicious follow-on behavior.
- Tune for common benign causes such as normal browsing, legitimate downloads, application updates, sign-in flows, and expected in-app WebView activity.
- Treat single signals as weaker than chained evidence; the analytic is strongest when network, process, artifact, install, permission, overlay, or outbound traffic changes align after a visit.
- Confirm whether mobile device management, endpoint, network, or application logs actually expose embedded WebView activity; this is a likely blind spot.
- Define escalation criteria for rapid post-visit capability shifts such as package install attempts, new permission requests, overlay prompts, or unusual outbound traffic.
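The time-window correlation pattern described in the Technical view and Detection direction above, as an added example that is not part of the ATT&CK object or of Glexia's analysis. It assumes a flat event stream (field names, event kinds and the allowlisted hosts are constructed, not a real Android or MDM schema) and only escalates when two or more distinct evidence classes follow a navigation on the same device within the window.

```python
from dataclasses import dataclass

# Constructed sample telemetry; field names are assumptions, not a real Android/MDM schema.
@dataclass
class Event:
    ts: float       # seconds since epoch
    device: str
    kind: str       # "navigate", "net_burst", "process_anomaly", "download", "install_attempt",
                    # "permission_request", "overlay_prompt", "outbound_cmd"
    detail: str = ""

# Map raw event kinds onto the evidence classes the analytic names.
EVIDENCE_CLASS = {
    "net_burst": "network", "process_anomaly": "process", "download": "artifact",
    "install_attempt": "install", "permission_request": "permission",
    "overlay_prompt": "overlay", "outbound_cmd": "outbound",
}
# Hosts whose visits normally precede installs or permission prompts (assumed allowlist for tuning).
EXPECTED_HOSTS = {"play.google.com", "login.corp.example"}

def correlate_post_visit(events, window_s=120, min_classes=2):
    """Return findings: navigations to non-allowlisted hosts followed within window_s
    seconds by at least min_classes distinct evidence classes on the same device."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for nav in (e for e in events if e.kind == "navigate"):
        host = nav.detail.split("/")[2] if "://" in nav.detail else nav.detail
        if host in EXPECTED_HOSTS:
            continue   # tune out expected sign-in and app-update flows
        chain = [e for e in events
                 if e.device == nav.device and e.kind in EVIDENCE_CLASS
                 and nav.ts < e.ts <= nav.ts + window_s]
        classes = sorted({EVIDENCE_CLASS[e.kind] for e in chain})
        if len(classes) >= min_classes:   # single signals are weaker than chained evidence
            findings.append({"device": nav.device, "host": host,
                             "classes": classes, "events": len(chain)})
    return findings

SAMPLE = [  # constructed events for three devices
    Event(1000, "dev-A", "navigate", "https://news.example.net/article"),
    Event(1003, "dev-A", "net_burst", "41 script fetches from 3 previously unseen hosts"),
    Event(1040, "dev-A", "install_attempt", "com.example.unknown via session installer"),
    Event(1055, "dev-A", "permission_request", "SYSTEM_ALERT_WINDOW"),
    Event(2000, "dev-B", "navigate", "https://docs.example.org/spec.pdf"),
    Event(2004, "dev-B", "download", "spec.pdf"),            # single signal: not escalated
    Event(3000, "dev-C", "navigate", "https://play.google.com/store/apps"),
    Event(3030, "dev-C", "install_attempt", "com.example.app update"),
    Event(3031, "dev-C", "permission_request", "CAMERA"),    # expected flow: suppressed
]

if __name__ == "__main__":
    for finding in correlate_post_visit(SAMPLE):
        print(finding)
```

Lowering `min_classes` to 1 surfaces dev-B's lone download as well, which is the trade-off the Detection direction describes between single signals and chained evidence.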
Mitigation priorities
- Inventory Android devices and applications where browser and embedded WebView activity is business-relevant.
- Ensure mobile logging and retention are sufficient for post-visit reconstruction across network, application, and device events.
- Harden mobile application and device policies around untrusted downloads, package installation, permission prompts, and overlay behavior where administratively feasible.
- Prepare IR playbooks for suspicious Android post-browsing activity, including evidence preservation, user triage, and device containment decisions.
- Use findings to improve mobile security control coverage and compliance evidence rather than assuming visibility exists.
Analyst notes and limits
This is a detection analytic object for Android in the mobile ATT&CK domain. No relationships, tactic mappings, or official detection logic were supplied. The most defensible interpretation is a correlation analytic centered on suspicious behavior immediately following external browser or WebView navigation.
Coverage depends heavily on local Android telemetry, MDM/endpoint capabilities, network visibility, and whether embedded WebView events are observable. The source does not support claims about active exploitation, attribution, prevalence, impact, or guaranteed detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and updates pages on the MITRE site.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 21861864e3fb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1669 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.