MITRE ATT&CK® Analytic

AN1716: Analytic 1716

An application performs explicit cryptographic operations (e.g., symmetric/asymmetric encryption routines) on locally collected or generated data, followed by structured outbound network communication that does not align with expected application behavior, particularly when occurring in the background or without user interaction. Detection correlates crypto API usage + data staging + application state + network transmission patterns.

Domain: Mobile | Object: AN1716 (Analytic) | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This Android detection analytic matters because it focuses on a high-risk pattern: an app encrypting locally collected or generated data and then sending structured outbound traffic in a way that does not match expected app behavior, especially in the background or without user interaction. For leaders, the value is not just “detect crypto use,” since many legitimate apps encrypt data. The decision point is whether mobile monitoring can correlate encryption activity, local data staging, app state, and network behavior well enough to distinguish expected privacy/security functions from suspicious data preparation and transmission.

Executive priority

Prioritize this as a mobile security and incident readiness validation item where Android devices, managed mobile apps, or sensitive mobile workflows are in scope. Executives should ask whether the organization has enough mobile telemetry and acceptable-use baselines to investigate background data encryption and outbound transmission. This supports business continuity and compliance evidence by showing whether sensitive mobile data movement can be reviewed, explained, and escalated during an incident without relying on a single network or endpoint signal.

Technical view

For SOC, detection engineering, and IR teams, the core validation is correlation across Android application behavior: explicit cryptographic API usage, local data collection or staging, application foreground/background state, user interaction context, and outbound network transmission patterns. Because the ATT&CK object provides no standalone detection logic and no tactics, teams should treat AN1716 as an analytic design pattern rather than a ready-to-deploy rule. Validate what “expected application behavior” means per app, especially for apps that legitimately encrypt payloads, sync in the background, or use structured network protocols.

Likely telemetry

  • Android application runtime or security telemetry showing cryptographic API usage
  • Mobile app behavior telemetry indicating local data collection, generated data, or staging activity
  • Application state context such as foreground/background execution and user interaction timing
  • Outbound network connection metadata from Android devices or managed mobile environments
  • Network payload or protocol structure metadata where collection is lawful, available, and privacy-approved

Detection direction

  • Build correlation rather than single-signal alerts: crypto API use alone is too common to be decisive.
  • Baseline expected behavior for managed or business-critical Android applications, including normal background sync and encryption patterns.
  • Tune for combinations of local data staging, background execution, lack of user interaction, and structured outbound communication inconsistent with the app’s known purpose.
  • Include false-positive review for legitimate encrypted messaging, backup, authentication, payment, enterprise sync, and security applications.
  • Confirm whether mobile telemetry can observe app state and API-level behavior; network-only monitoring may miss the local collection and encryption context.
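The correlation described in the technical view and the detection direction above, as an added worked example (this is not MITRE's or Glexia's code). It scans a constructed Android telemetry stream and only raises when the full chain is present for one package: a local data read, then an encrypt call, then a structured outbound send, all within a short window, while the app is in the background or has had no recent user interaction, and not explained by a per-app baseline. The event schema, package names, hosts, baseline entries and the 60-second and 30-second thresholds are all assumptions made for the example, not a vendor format or real indicators.

```python
"""Correlation sketch for the AN1716 pattern on Android telemetry.

Chain looked for per app: local data read -> encrypt call -> structured
outbound transmission, within a short window, while the app is in the
background or has had no recent user interaction, and not explained by a
per-app baseline. Event schema, app names, hosts, baselines and thresholds
are constructed for this example and are not a real vendor format.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed events: (timestamp_s, package, kind, details).
EVENTS = [
    # Notes app: user taps, encrypts its own data, syncs to its known backend.
    (100, "com.example.notes", "app_state", {"state": "foreground"}),
    (101, "com.example.notes", "user_interaction", {}),
    (102, "com.example.notes", "data_read", {"source": "app_private_db"}),
    (103, "com.example.notes", "crypto_api", {"api": "javax.crypto.Cipher.doFinal", "mode": "encrypt"}),
    (104, "com.example.notes", "network_tx", {"host": "sync.example.com", "bytes": 18_000, "structured": True}),
    # Flashlight app: in background, reads contacts, encrypts, POSTs to an unbaselined address.
    (200, "com.example.flashlight", "app_state", {"state": "background"}),
    (240, "com.example.flashlight", "data_read", {"source": "content://contacts"}),
    (241, "com.example.flashlight", "crypto_api", {"api": "javax.crypto.Cipher.doFinal", "mode": "encrypt"}),
    (243, "com.example.flashlight", "network_tx", {"host": "203.0.113.10", "bytes": 420_000, "structured": True}),
    # Backup app: same chain in background, but the baseline says that is its job.
    (300, "com.example.backup", "app_state", {"state": "background"}),
    (301, "com.example.backup", "data_read", {"source": "/sdcard/DCIM"}),
    (302, "com.example.backup", "crypto_api", {"api": "javax.crypto.Cipher.doFinal", "mode": "encrypt"}),
    (303, "com.example.backup", "network_tx", {"host": "upload.backup.example", "bytes": 2_000_000, "structured": True}),
    # Notes app again: known host, but now in background reading SMS, which its baseline does not expect.
    (400, "com.example.notes", "app_state", {"state": "background"}),
    (401, "com.example.notes", "data_read", {"source": "content://sms"}),
    (402, "com.example.notes", "crypto_api", {"api": "javax.crypto.Cipher.doFinal", "mode": "encrypt"}),
    (403, "com.example.notes", "network_tx", {"host": "sync.example.com", "bytes": 90_000, "structured": True}),
]

# Constructed per-app baseline: expected hosts and whether background uploads are normal.
BASELINE = {
    "com.example.notes": {"hosts": {"sync.example.com"}, "background_tx": False},
    "com.example.backup": {"hosts": {"upload.backup.example"}, "background_tx": True},
    # com.example.flashlight deliberately has no entry: nothing is expected of it.
}

WINDOW_S = 60             # read -> encrypt -> send must all fall inside this span (assumed)
INTERACTION_GRACE_S = 30  # a tap this recent counts as user-driven (assumed)


@dataclass
class AppTrack:
    """Rolling state kept per package while scanning the stream."""
    state: str = "unknown"
    last_interaction: float = float("-inf")
    last_read: Optional[Tuple[float, str]] = None   # (ts, source)
    last_encrypt: Optional[float] = None


def evaluate_tx(app, ts, tx, track, base, window, grace):
    """Return an alert dict if this transmission completes a suspicious chain, else None."""
    if track.last_read is None or track.last_encrypt is None:
        return None
    read_ts, source = track.last_read
    # Order and recency: read, then encrypt, then this send, all within the window.
    if not (ts - window <= read_ts <= track.last_encrypt <= ts):
        return None
    if not tx.get("structured"):
        return None
    background = track.state == "background"
    no_interaction = ts - track.last_interaction > grace
    if not (background or no_interaction):
        return None  # foreground and user-driven: expected-behaviour territory
    reasons = []
    if background:
        reasons.append("background")
    if no_interaction:
        reasons.append("no_recent_user_interaction")
    if base is None or tx["host"] not in base["hosts"]:
        reasons.append("unbaselined_host")
    elif background and not base["background_tx"]:
        reasons.append("background_tx_not_expected")
    else:
        return None  # known host, and background uploads are part of this app's baseline
    return {"app": app, "ts": ts, "host": tx["host"], "bytes": tx["bytes"],
            "source": source, "reasons": reasons}


def correlate(events, baseline, window=WINDOW_S, grace=INTERACTION_GRACE_S):
    """Scan events in time order and return the alerts the chain produces."""
    tracks = {}
    alerts = []
    for ts, app, kind, details in sorted(events, key=lambda e: e[0]):
        track = tracks.setdefault(app, AppTrack())
        if kind == "app_state":
            track.state = details["state"]
        elif kind == "user_interaction":
            track.last_interaction = ts
        elif kind == "data_read":
            track.last_read = (ts, details["source"])
        elif kind == "crypto_api" and details.get("mode") == "encrypt":
            track.last_encrypt = ts
        elif kind == "network_tx":
            alert = evaluate_tx(app, ts, details, track, baseline.get(app), window, grace)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, BASELINE):
        print(a)
```

Run as-is it produces two alerts: the flashlight app (background, no interaction, unbaselined host) and the second notes-app chain (known host, but a background SMS read and upload its baseline does not allow). The first notes-app chain and the backup app stay silent, which is the point of the page's warning that crypto API use alone is too common to alert on: the decision rests on the combination of the chain, the app state, the interaction context and the baseline, and the baseline has to be maintained per app for the rule to mean anything.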

Mitigation priorities

  • Establish mobile application inventory and expected network behavior baselines for Android apps handling sensitive data.
  • Require review and approval of business apps that perform background data collection, encryption, and outbound transmission.
  • Use mobile device management or equivalent governance to restrict unapproved applications where organizational policy allows.
  • Ensure incident response playbooks include mobile evidence collection for app identity, runtime behavior, local data handling indicators, and network activity.
  • Coordinate privacy, legal, and compliance requirements before collecting detailed mobile app or network telemetry.

Analyst notes and limits

AN1716 is best read as a correlation analytic for Android mobile environments. Its practical strength is the relationship between cryptographic operations, data staging, application state, and outbound network behavior. The main analytic challenge is separating suspicious encrypted data movement from normal app security, synchronization, and privacy-preserving behavior.

The supplied ATT&CK object has no official detection text, no tactics, and no relationship context. This take does not infer adversary use, impact, attribution, or guaranteed detection coverage. Local app baselines, mobile telemetry availability, privacy constraints, and enterprise policy determine whether this analytic can be implemented effectively.

Official MITRE ATT&CK definition

Analytic 1716

An application performs explicit cryptographic operations (e.g., symmetric/asymmetric encryption routines) on locally collected or generated data, followed by structured outbound network communication that does not align with expected application behavior, particularly when occurring in the background or without user interaction. Detection correlates crypto API usage + data staging + application state + network transmission patterns.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by raw hash and MITRE timestamp. For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 4f618de1985757e3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 4f618de19857…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1716

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.