Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1713: Analytic 1713

Defender correlates an Android-specific causal chain where device connectivity degrades or oscillates across one or more radios, applications lose or repeatedly reattempt network access, and the radio or network failure pattern is inconsistent with ordinary mobility, coverage transition, or user-initiated airplane mode behavior. The defender correlates radio state, connectivity framework behavior, application state, network session failures, and location/network-provider degradation to distinguish network denial effects from routine weak-signal conditions.

MobileAN1713AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about recognizing when an Android device appears to be experiencing deliberate or abnormal network denial rather than ordinary weak signal, mobility, or user-enabled airplane mode. Its practical value is continuity-focused: if mobile devices support field operations, executive communications, authentication, safety workflows, or managed apps, defenders need evidence that distinguishes routine connectivity problems from suspicious radio/network disruption.

Executive priority

Security leaders should treat this as a mobile resilience and incident-triage use case. The priority is not just whether a device lost connectivity, but whether the organization can prove why: normal coverage transition, user action, carrier/provider degradation, application failure, or a pattern consistent with network denial effects. This affects incident escalation, mobile fleet support, audit evidence for monitoring, and business-continuity planning for Android-dependent operations.

Technical view

For Android platforms, validate whether mobile telemetry can correlate radio state changes, Android connectivity framework behavior, application network state, failed or repeated network session attempts, and location or network-provider degradation. Because ATT&CK supplies no detection logic and no relationship context for this analytic, SOC and IR teams should build this as a correlation and triage pattern rather than a single alert. The core validation question is whether connectivity degradation or oscillation across one or more radios is inconsistent with expected mobility, coverage transitions, or user-initiated airplane mode behavior.

Likely telemetry

  • Android radio state and connectivity state changes
  • Connectivity framework events showing network availability, loss, or switching
  • Application logs showing network access loss, retries, or repeated session failures
  • Network session failure evidence from managed apps, VPN, or mobile security tooling where available
  • Location, carrier, Wi-Fi, cellular, or network-provider context used to distinguish coverage changes from abnormal degradation

Detection direction

  • Validate correlation across device connectivity, app behavior, network session failures, and location/provider context instead of alerting on a single disconnection event.
  • Tune out ordinary mobility, weak-signal areas, roaming, carrier outages, Wi-Fi-to-cellular transitions, and explicit user airplane-mode actions.
  • Look for repeated or oscillating connectivity degradation across one or more radios that does not match the device location or expected provider conditions.
  • Confirm whether managed Android telemetry is retained long enough for incident reconstruction; this analytic depends on causal sequencing, not just point-in-time status.
  • Use local baselines for field locations, travel patterns, and normal mobile app retry behavior to reduce false positives.

Mitigation priorities

  • Prioritize Android fleet visibility through mobile device management, mobile security telemetry, and managed application logging where appropriate.
  • Ensure incident response playbooks include mobile connectivity triage steps that separate carrier/coverage issues from suspicious denial patterns.
  • Maintain business-continuity options for Android-dependent workflows, especially authentication, communications, and field operations.
  • Document what telemetry is and is not collected for Android radio state, connectivity events, app failures, and user network-setting changes to support compliance and audit evidence.
  • Where operations depend on mobile connectivity, review resilience assumptions around alternate networks, offline workflows, and escalation paths.
Analyst notes and limits

This ATT&CK object is a detection analytic, not a technique, and it is scoped to Android. No tactics, aliases, labels, detection pseudocode, or relationships were supplied. The strongest defensive use is as a validation checklist for whether the organization can correlate mobile network degradation with application impact and environmental context.

The official detection field is not provided, and no relationship context is supplied. This take therefore cannot assert a specific ATT&CK technique relationship, threat actor usage, active exploitation, impact level, or guaranteed detection method. Local Android telemetry availability, mobile management coverage, carrier context, and application logging will determine practical usefulness.

Official MITRE ATT&CK definition

Analytic 1713

Defender correlates an Android-specific causal chain where device connectivity degrades or oscillates across one or more radios, applications lose or repeatedly reattempt network access, and the radio or network failure pattern is inconsistent with ordinary mobility, coverage transition, or user-initiated airplane mode behavior. The defender correlates radio state, connectivity framework behavior, application state, network session failures, and location/network-provider degradation to distinguish network denial effects from routine weak-signal conditions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
9127865f586884de...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 9127865f5868…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1713
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use