MITRE ATT&CK® Analytic

AN1723: Analytic 1723

A lock-state transition telemetry, special access or privileged interaction capability, security-sensitive framework use, and immediate downstream activity while the user-interaction context is weak or inconsistent. This yields stronger coverage on Android than iOS.

Mobile | AN1723 | Analytic | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on suspicious Android activity that happens when user interaction is weak, inconsistent, or absent, especially around lock-state changes and privileged or security-sensitive mobile capabilities. For leaders, the decision value is whether mobile telemetry can distinguish legitimate user-driven behavior from activity that occurs at moments when the user should not be actively approving or initiating actions.

Executive priority

Prioritize this as a mobile security visibility and incident-readiness question: can the organization prove what happened on Android devices around lock/unlock state, privileged interactions, and sensitive framework use? This is relevant to executive risk decisions where mobile devices support regulated work, privileged access, business communications, or operational workflows. Because no ATT&CK tactic or relationship context is supplied, treat it as a coverage validation item rather than evidence of a specific campaign or impact scenario.

Technical view

SOC and detection teams should validate whether Android telemetry can correlate lock-state transitions, special access or privileged interaction capability, security-sensitive framework use, and immediate downstream activity. The key analytic concept is timing and context: activity occurring soon after a lock-state transition or during weak/inconsistent user-interaction context should be reviewable with app/package identity, event timing, and subsequent actions. ATT&CK does not provide a detection implementation, so local engineering must define acceptable time windows, baselines, and false-positive handling.

Likely telemetry

  • Android lock-state transition events where available
  • User-interaction or foreground/background context signals
  • Special access or privileged interaction capability events
  • Security-sensitive Android framework or API usage telemetry
  • Immediate downstream activity following the sensitive interaction

Detection direction

  • Validate that Android telemetry sources actually capture lock-state and user-interaction context, not only application activity.
  • Correlate sensitive framework use and privileged interactions with nearby lock-state transitions and downstream behavior.
  • Tune for legitimate accessibility, device management, security, or automation apps that may perform privileged actions with limited visible interaction.
  • Review gaps where telemetry lacks reliable user-presence, foreground app, or lock-state context; these gaps can make the analytic difficult to operationalize.
  • Because no ATT&CK detection text or relationships are supplied, avoid mapping this analytic to a specific technique, actor, or incident pattern without additional local evidence.
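The correlation described in the Technical view and the Detection direction list above, worked through over constructed Android telemetry. This is an added example, not MITRE's or Glexia's detection logic, and ATT&CK supplies none: the event types, field names, time windows and the allowlisted package are assumptions about what an MDM or mobile EDR export might carry, and every event in SAMPLE_EVENTS is made up. It flags a package only when a privileged or security-sensitive event sits within a short window after a lock-state transition, the user-interaction context is weak (device locked, or no recent interaction by that package), and the same package produces downstream activity shortly afterwards; a tuned allowlist suppresses a device-management agent that otherwise matches the pattern.

```python
"""Correlation sketch for an AN1723-style Android analytic.

Added example, not MITRE or Glexia code. Event types and field names are
assumptions about what an MDM/mobile EDR export might carry; they are not
ATT&CK data-source names. All events below are constructed.
"""
from dataclasses import dataclass, field

LOOKBACK_S = 30       # lock-state transition must precede the sensitive event by at most this
FOLLOW_S = 30         # downstream activity must follow the sensitive event within this
INTERACTION_S = 60    # interaction older than this no longer counts as user-driven context
SENSITIVE_TYPES = {"privileged_interaction", "sensitive_framework"}


@dataclass
class Event:
    ts: float          # seconds since epoch
    type: str          # lock_state | user_interaction | privileged_interaction | sensitive_framework | downstream
    pkg: str = "android"
    detail: str = ""


@dataclass
class Finding:
    pkg: str
    trigger_ts: float
    reasons: list = field(default_factory=list)


def lock_state_at(events, ts):
    """Most recent lock_state value at or before ts ('unknown' if none seen)."""
    state = "unknown"
    for e in events:
        if e.type == "lock_state" and e.ts <= ts:
            state = e.detail
    return state


def correlate(events, allowlist=frozenset()):
    """Flag packages whose privileged/sensitive activity sits between a lock-state
    transition and downstream activity while user-interaction context is weak."""
    evs = sorted(events, key=lambda e: e.ts)
    findings = []
    for e in evs:
        if e.type not in SENSITIVE_TYPES or e.pkg in allowlist:
            continue
        transition = [x for x in evs if x.type == "lock_state"
                      and e.ts - LOOKBACK_S <= x.ts <= e.ts]
        interacted = any(x.type == "user_interaction" and x.pkg == e.pkg
                         and e.ts - INTERACTION_S <= x.ts <= e.ts for x in evs)
        locked = lock_state_at(evs, e.ts) == "locked"
        downstream = [x for x in evs if x.type == "downstream" and x.pkg == e.pkg
                      and e.ts < x.ts <= e.ts + FOLLOW_S]
        # Weak interaction context: device locked, or no recent interaction by this package.
        if not (transition and (locked or not interacted) and downstream):
            continue
        reason = (f"{e.type}:{e.detail} @{e.ts:.0f} after lock_state={transition[-1].detail} "
                  f"@{transition[-1].ts:.0f}, locked={locked}, interacted={interacted}, "
                  f"then {downstream[0].detail} @{downstream[0].ts:.0f}")
        # Merge events from the same package within one follow window into a single finding.
        if findings and findings[-1].pkg == e.pkg and e.ts - findings[-1].trigger_ts <= FOLLOW_S:
            findings[-1].reasons.append(reason)
        else:
            findings.append(Finding(e.pkg, e.ts, [reason]))
    return findings


# Constructed telemetry: three scenarios on one device.
SAMPLE_EVENTS = [
    # 1. Unattended app acts right after the screen locks: should be flagged.
    Event(100, "lock_state", detail="locked"),
    Event(101, "privileged_interaction", "com.example.autohelper", "accessibility_global_action"),
    Event(102, "sensitive_framework", "com.example.autohelper", "DevicePolicyManager"),
    Event(104, "downstream", "com.example.autohelper", "network_connect"),
    # 2. User unlocks, taps the banking app, it uses a sensitive API: user-driven, not flagged.
    Event(200, "lock_state", detail="unlocked"),
    Event(203, "user_interaction", "com.example.bank", "foreground_touch"),
    Event(205, "sensitive_framework", "com.example.bank", "BiometricPrompt"),
    Event(206, "downstream", "com.example.bank", "network_connect"),
    # 3. Device-management agent acting on lock: matches the pattern, suppressed only by the allowlist.
    Event(300, "lock_state", detail="locked"),
    Event(301, "privileged_interaction", "com.corp.mdm", "device_admin_policy"),
    Event(302, "downstream", "com.corp.mdm", "network_connect"),
]

ALLOWLIST = frozenset({"com.corp.mdm"})   # hypothetical tuned exception, maintained locally

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, ALLOWLIST):
        print(f.pkg, f.trigger_ts)
        for r in f.reasons:
            print("  ", r)
```

Run as-is it reports only com.example.autohelper, with both its privileged-interaction and sensitive-framework events folded into one finding; dropping the allowlist also surfaces com.corp.mdm, which is the tuning decision the Detection direction list leaves to each environment. The windows and the "weak context" rule are the parts that need local baselining before this is anything more than a validation harness.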

Mitigation priorities

  • Establish mobile telemetry collection requirements for Android devices that handle sensitive business access.
  • Inventory applications with special access, privileged interaction capability, or security-sensitive framework usage.
  • Restrict and review privileged mobile permissions according to business need and device management policy.
  • Create incident-response playbooks for suspicious mobile activity that occurs when user-interaction context is weak or inconsistent.
  • Use compliance and audit processes to confirm mobile logging, permission governance, and review workflows are operating as intended.

Analyst notes and limits

This object is a mobile ATT&CK detection analytic for Android, external ID AN1723, under DET0645. The supplied description indicates the analytic combines lock-state transition telemetry, privileged or special access interactions, security-sensitive framework use, and immediate downstream activity. No tactics, relationships, aliases, labels, or official detection logic are supplied.

The source does not provide detection logic, data source names, thresholds, tactics, mapped techniques, or relationship context. Any production rule, severity model, or incident conclusion requires local Android telemetry validation and environment-specific baselining. The object states stronger coverage on Android than iOS, but Android is the only supplied platform.

Official MITRE ATT&CK definition

Analytic 1723

A lock-state transition telemetry, special access or privileged interaction capability, security-sensitive framework use, and immediate downstream activity while the user-interaction context is weak or inconsistent. This yields stronger coverage on Android than iOS.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 27803cd04dacc35e...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 27803cd04dac…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1723, source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.