AN1695: Analytic 1695
On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.
Analyst context for executives and security teams
This analytic is about maintaining visibility into Android applications that hold Device Administrator access. For leaders, the practical issue is not just whether a mobile security tool exists, but whether the organization can identify apps with elevated device-control permissions and support timely user or administrator review when those permissions are inappropriate.
Executive priority
Prioritize this where Android devices are part of business operations, regulated access, field work, or executive mobility. Device Administrator access can represent a meaningful governance and resilience concern because it changes what an application can control on a device. Security leaders should ask whether mobile device oversight, application vetting, and user support processes can prove which apps have this access and whether revocation is feasible when risk is identified.
Technical view
The supplied ATT&CK object applies to Android and describes two validation paths: user review of Device Administrator access in device settings, and application vetting services that detect or scrutinize applications using that access. SOC, mobile security, and IR teams should confirm whether they can inventory Android apps requesting or holding Device Administrator privileges, review those apps during triage, and document when permissions are revoked or accepted as business-approved. ATT&CK does not provide detection logic, a tactic mapping, or relationship context for this analytic, so local telemetry and policy definitions are required.
Likely telemetry
- Android device settings or management records showing applications with Device Administrator access
- Mobile device management or enterprise mobility inventory for Android applications and permissions
- Application vetting or mobile application risk assessment findings
- User or administrator records of permission review and revocation decisions
- Incident response notes documenting whether Device Administrator access was present during mobile triage
Detection direction
- Validate that Android devices under management can be queried or reviewed for applications with Device Administrator access.
- Tune review workflows around authorization context: some enterprise apps may legitimately require elevated mobile permissions, so approval records reduce false positives.
- Confirm that application vetting flags apps that utilize Device Administrator access for closer scrutiny rather than treating the permission as automatically malicious.
- Identify blind spots for unmanaged Android devices, personally owned devices, devices outside MDM scope, or environments where users cannot easily report or revoke suspicious permissions.
- Because ATT&CK provides no official detection logic, measure coverage through inventory completeness and review outcomes rather than assumed alert fidelity.
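The review workflow above can be expressed as a reconciliation between the device inventory and the exception register. The following is an added example, not ATT&CK or Glexia code: the record fields, package names, and approval IDs are constructed, and it assumes an MDM/EMM export that lists, per device, the packages holding Device Administrator access.

```python
"""Reconcile Android Device Administrator holders against approval records.

Added example: record fields, package names and the exception register are
constructed; map them to whatever your MDM/EMM export actually provides.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    in_mdm_scope: bool  # False = unmanaged or personally owned blind spot
    admin_apps: list = field(default_factory=list)  # packages holding Device Administrator


# Constructed sample inventory (not real telemetry).
DEVICES = [
    Device("field-001", True, ["com.example.corp.mdmagent"]),
    Device("field-002", True, ["com.example.corp.mdmagent", "com.example.flashlight"]),
    Device("exec-003", True, []),
    Device("byod-004", False),  # outside MDM scope: no app inventory at all
]

# Constructed exception register: package -> approval record id.
APPROVED = {"com.example.corp.mdmagent": "EXC-0001"}


def reconcile(devices, approved):
    """Return inventory coverage, per-app findings, and devices with no visibility."""
    visible = [d for d in devices if d.in_mdm_scope]
    blind_spots = [d.device_id for d in devices if not d.in_mdm_scope]
    findings = []
    for dev in visible:
        for pkg in dev.admin_apps:
            record = approved.get(pkg)
            status = "approved" if record else "needs_review"
            findings.append((dev.device_id, pkg, status, record))
    coverage = len(visible) / len(devices) if devices else 0.0
    return {"coverage": coverage, "findings": findings, "blind_spots": blind_spots}


def review_queue(result):
    """Only unapproved Device Administrator holders go to triage."""
    return [(d, p) for d, p, status, _ in result["findings"] if status == "needs_review"]


if __name__ == "__main__":
    result = reconcile(DEVICES, APPROVED)
    print(f"inventory coverage: {result['coverage']:.0%}")
    print("blind spots:", result["blind_spots"])
    for device_id, pkg in review_queue(result):
        print(f"review: {pkg} holds Device Administrator on {device_id}")
```

Coverage here is reported as a fraction of devices with inventory rather than as an alert count, which matches the point that review outcomes and inventory completeness are the measurable quantities.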
Mitigation priorities
- Maintain an approved-use policy for Android applications that require Device Administrator access.
- Use application vetting to identify and scrutinize apps requesting or using Device Administrator privileges before broad deployment where possible.
- Ensure users or support teams know how to review and revoke Device Administrator access when appropriate.
- Keep mobile asset and app inventories current enough to support incident response and compliance evidence.
- Document exceptions for business-required apps so SOC and audit teams can distinguish authorized elevated access from items requiring investigation.
Analyst notes and limits
This is a mobile ATT&CK detection analytic for Android. Its value is mainly governance, validation, and triage support around elevated mobile application permissions. The most important local question is whether the organization can reliably see which Android apps hold Device Administrator access and whether that access is approved.
The supplied ATT&CK fields include no tactic, no official detection logic, and no relationship context. This take therefore does not infer adversary behavior, specific procedures, active exploitation, or guaranteed detection coverage. Environment-specific MDM, application vetting, and device ownership models determine practical applicability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 69cce437cdcb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.