AN1718: Analytic 1718
Correlates (1) application interaction with elevation control mechanisms (e.g., Accessibility Service, Device Admin, overlay permissions, package installer flows), (2) rapid transition to elevated capability state without expected user interaction patterns, and (3) immediate privileged actions such as sensor access, UI manipulation, or background persistence. The defender observes a causal chain where an application gains elevated privileges through abuse of system-controlled consent flows and subsequently performs actions inconsistent with normal user-driven authorization.
Analyst context for executives and security teams
This Android detection analytic matters because it focuses on a high-risk mobile pattern: an app moving from a consent or elevation prompt into powerful behavior too quickly or without normal user interaction. For business leaders, the issue is not just a suspicious permission request; it is whether mobile devices can be trusted when applications abuse system-controlled approval flows to gain capabilities such as sensor access, UI manipulation, or background persistence.
Executive priority
Prioritize this as a mobile security, identity trust, and incident readiness concern where Android devices support workforce access, sensitive communications, regulated workflows, or operational processes. Leaders should ask whether mobile telemetry can show the full chain from elevation request to elevated state to privileged action, because isolated permission events may not provide enough evidence for incident decisions, audit narratives, or risk acceptance.
Technical view
For SOC, detection engineering, and IR teams, the useful validation point is correlation across multiple Android behaviors: interaction with elevation mechanisms such as Accessibility Service, Device Admin, overlay permissions, or package installer flows; a rapid transition into an elevated capability state without expected user-driven patterns; and immediate follow-on actions such as sensor access, UI manipulation, or persistence in the background. Because the ATT&CK object provides no standalone detection logic, teams should treat this as an analytic design pattern to test against available Android, MDM/UEM, EDR, and application telemetry rather than as a ready-to-deploy rule.
Likely telemetry
- Android application permission and consent-flow events
- Accessibility Service enablement or interaction records
- Device Admin enrollment or activation events
- Overlay permission changes
- Package installer flow activity
Detection direction
- Validate whether telemetry can reconstruct the causal chain, not just individual permission changes.
- Tune for rapid sequencing between elevation interaction, elevated state, and privileged action, while accounting for legitimate enterprise apps that use accessibility, device administration, overlays, or installers.
- Review false positives from MDM agents, accessibility tools, password managers, remote support tools, and approved enterprise applications.
- Identify blind spots where Android privacy limits, incomplete mobile logging, or unmanaged devices prevent observing user interaction patterns or sensor/UI activity.
- Use allowlists or baselines for sanctioned apps carefully; the analytic depends on behavior that is inconsistent with normal user-driven authorization, which requires local environment context.
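To make the correlation concrete, here is an added example (not code from ATT&CK, MITRE, or Glexia) that applies the three-step chain described above to a flattened event stream. The `Event` schema, the package names, the sample events, and the time windows are all constructed assumptions; real MDM/UEM, EDR, or Android audit telemetry will need its own field mapping. The example goes slightly beyond the text by making the user-interaction threshold and the sanctioned-app allowlist tunable, which is where the false-positive work from the list above lands in practice.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumed event model: a flattened view of Android / MDM telemetry (not a real schema).
@dataclass(frozen=True)
class Event:
    ts: float         # seconds since epoch
    pkg: str          # Android package name
    kind: str         # elevation_request | user_interaction | elevated_state | privileged_action
    detail: str = ""  # mechanism (for requests/states) or action name (for privileged actions)

# Elevation mechanisms and privileged actions named in the analytic description.
ELEVATION_MECHANISMS = {"accessibility_service", "device_admin", "overlay", "package_installer"}
PRIVILEGED_ACTIONS = {"sensor_access", "ui_manipulation", "background_persistence"}


def correlate(events: List[Event],
              allowlist: FrozenSet[str] = frozenset(),
              elevation_window: float = 5.0,
              action_window: float = 60.0,
              min_user_interactions: int = 1) -> List[Dict]:
    """Emit one alert per package that completes the chain
    (1) elevation_request -> (2) elevated_state, fast and without user interaction,
    -> (3) privileged_action within action_window.
    allowlist: sanctioned packages (MDM agents, password managers) to suppress."""
    by_pkg: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pkg.setdefault(ev.pkg, []).append(ev)

    alerts: List[Dict] = []
    for pkg, evs in by_pkg.items():
        if pkg in allowlist:
            continue
        for i, req in enumerate(evs):
            # (1) interaction with an elevation control mechanism
            if req.kind != "elevation_request" or req.detail not in ELEVATION_MECHANISMS:
                continue
            later = evs[i + 1:]
            # (2) the elevated state must follow the request within elevation_window ...
            state: Optional[Event] = next(
                (e for e in later
                 if e.kind == "elevated_state" and e.ts - req.ts <= elevation_window), None)
            if state is None:
                continue
            # ... and without the user interaction a consent screen normally produces
            touches = [e for e in later if e.kind == "user_interaction" and e.ts < state.ts]
            if len(touches) >= min_user_interactions:
                continue
            # (3) a privileged action must follow the elevated state within action_window
            actions = [e.detail for e in later
                       if e.kind == "privileged_action" and e.detail in PRIVILEGED_ACTIONS
                       and state.ts <= e.ts <= state.ts + action_window]
            if not actions:
                continue
            alerts.append({"pkg": pkg, "mechanism": req.detail,
                           "elevation_latency": round(state.ts - req.ts, 3),
                           "actions": actions})
            break  # one alert per package is enough for triage
    return alerts


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # suspect app: accessibility enabled 1 s after the request, no touch, then UI and sensor use
    Event(100.0, "com.example.suspect", "elevation_request", "accessibility_service"),
    Event(101.0, "com.example.suspect", "elevated_state", "accessibility_service"),
    Event(105.0, "com.example.suspect", "privileged_action", "ui_manipulation"),
    Event(110.0, "com.example.suspect", "privileged_action", "sensor_access"),
    # password manager: same mechanism, but the user tapped through the settings screen
    Event(200.0, "com.example.pwmanager", "elevation_request", "accessibility_service"),
    Event(201.0, "com.example.pwmanager", "user_interaction", "tap"),
    Event(202.5, "com.example.pwmanager", "user_interaction", "tap"),
    Event(203.0, "com.example.pwmanager", "elevated_state", "accessibility_service"),
    Event(204.0, "com.example.pwmanager", "privileged_action", "ui_manipulation"),
    # MDM agent: fast device-admin chain, expected on a managed device
    Event(300.0, "com.example.mdmagent", "elevation_request", "device_admin"),
    Event(300.5, "com.example.mdmagent", "elevated_state", "device_admin"),
    Event(301.0, "com.example.mdmagent", "privileged_action", "background_persistence"),
    # overlay granted quickly but not used within the action window
    Event(400.0, "com.example.idle", "elevation_request", "overlay"),
    Event(401.0, "com.example.idle", "elevated_state", "overlay"),
    Event(500.0, "com.example.idle", "privileged_action", "ui_manipulation"),
]

SANCTIONED = frozenset({"com.example.mdmagent"})  # assumed allowlist of approved enterprise apps


def run_sample() -> List[Dict]:
    """Run the correlation over the constructed sample with the sanctioned-app allowlist."""
    return correlate(SAMPLE_EVENTS, allowlist=SANCTIONED)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the suspect package alerts: the password manager is excluded by the observed taps, the MDM agent by the allowlist, and the overlay app because its privileged action falls outside the action window. Dropping the allowlist surfaces the MDM agent, and raising `min_user_interactions` surfaces the password manager, which is why the text above says the thresholds need local environment context.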
Mitigation priorities
- Establish inventory and approval governance for Android apps that can request Accessibility Service, Device Admin, overlay, package installation, sensor, or background capabilities.
- Use MDM/UEM policy controls where available to restrict high-risk permission paths and unmanaged application installation flows.
- Require mobile incident response playbooks to preserve app, permission, device management, and timeline evidence around suspected elevation abuse.
- Review compliance evidence to ensure mobile privilege management and application control policies are documented, enforceable, and monitored.
- Prioritize managed detection coverage for devices and user groups where Android access supports sensitive business processes or regulated data.
Analyst notes and limits
This object is a detection analytic in the mobile ATT&CK domain for Android. It describes a correlation strategy for identifying abuse of system-controlled consent flows leading to elevated capabilities and immediate privileged behavior. No tactics or relationships were supplied, so this analysis is limited to the analytic description and platform field.
Official detection content was not provided, and no relationship context was supplied. This means there is no ATT&CK-provided rule logic, data-source mapping, related technique, malware, campaign, or mitigation relationship to cite. Local telemetry availability and enterprise Android management posture will determine whether this analytic can be implemented effectively.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0e70cff9261a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1718 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.