MITRE ATT&CK® Analytic

AN1731: Analytic 1731

An application performs repeated symmetric cryptographic operations (e.g., AES/RC4) on collected or staged data using locally accessible or reusable keys, followed by structured outbound communication. Detection correlates symmetric crypto API invocation + key reuse patterns + data staging + background execution context + network transmission, especially when inconsistent with expected application functionality.

Domain: Mobile | ID: AN1731 | Type: Analytic | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This Android detection analytic matters because it looks for a suspicious combination: an app repeatedly encrypting collected or staged data with locally accessible or reusable symmetric keys, then sending structured outbound traffic. For leaders, the value is not the cryptography alone—many legitimate apps encrypt data—but whether encryption, background activity, staging, and network transmission align with the app’s expected business function.

Executive priority

Prioritize this as a mobile security validation point for environments where Android devices handle sensitive business data, regulated information, or operational workflows. Security leaders should ask whether mobile telemetry can show what apps encrypt, stage, and transmit; whether approved app behavior is documented well enough to distinguish normal encryption from suspicious activity; and whether incident responders can quickly assess data exposure when an Android app behaves unexpectedly.

Technical view

SOC and detection teams should validate coverage for Android events that can correlate symmetric cryptographic API use, repeated or reusable key patterns, local data staging, background execution, and outbound network communication. Because no official detection logic is provided and no ATT&CK relationships are supplied, this should be treated as an analytic pattern rather than a ready-to-deploy rule. Tuning should focus on mismatches between observed behavior and the application’s expected functionality, since legitimate apps commonly use AES or similar cryptographic operations.

Likely telemetry

  • Android application behavior telemetry
  • Cryptographic API invocation evidence, especially repeated symmetric operations such as AES or RC4 where visible
  • Indicators of locally accessible or reusable key material patterns where telemetry supports it
  • Local file or data staging activity by the application
  • Background execution context for the application

Detection direction

  • Correlate multiple behaviors rather than alerting on cryptographic API use alone.
  • Validate whether encryption activity is followed by local staging and outbound communication from the same application context.
  • Compare behavior against the application’s documented purpose to reduce false positives from legitimate secure messaging, backup, enterprise, or financial apps.
  • Assess visibility gaps: many mobile environments may not expose crypto API use, key reuse patterns, or detailed app-level network context without specialized instrumentation or mobile security tooling.
  • Use structured outbound communication as supporting context, not proof of maliciousness, unless local evidence shows the behavior is inconsistent with expected app functionality.
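The correlation the technical view and the list above describe, carried out over constructed Android telemetry, as an added example that is not part of the Glexia page or of MITRE's analytic; the event type names, package names, paths and the approved-app inventory are all assumptions, and the logic shows how an inventory mismatch, not the crypto chain alone, is what turns a match into a lead:

```python
# Correlation logic in the shape of AN1731 over constructed Android telemetry.
# Events are (time_s, package, event_type, detail); the event type names are
# assumed labels for what a mobile security tool might export, not a real API.
from collections import Counter, defaultdict

# Constructed sample telemetry (not real data): one unexplained chain, one
# documented secure-messaging app, one app with a single crypto call.
EVENTS = [
    (10, "com.example.notes", "app_state", "background"),
    (12, "com.example.notes", "crypto_op", "AES:key=k1"),
    (13, "com.example.notes", "crypto_op", "AES:key=k1"),
    (14, "com.example.notes", "crypto_op", "AES:key=k1"),
    (15, "com.example.notes", "crypto_op", "AES:key=k1"),
    (16, "com.example.notes", "file_write", "/data/data/com.example.notes/cache/out.bin"),
    (40, "com.example.notes", "net_tx", "POST https://203.0.113.10/upload"),
    (10, "com.example.chat", "app_state", "background"),
    (12, "com.example.chat", "crypto_op", "AES:key=k7"),
    (13, "com.example.chat", "crypto_op", "AES:key=k7"),
    (14, "com.example.chat", "crypto_op", "AES:key=k7"),
    (15, "com.example.chat", "crypto_op", "AES:key=k7"),
    (16, "com.example.chat", "file_write", "/data/data/com.example.chat/files/q.db"),
    (20, "com.example.chat", "net_tx", "POST https://chat.example.net/msg"),
    (50, "com.example.calc", "crypto_op", "AES:key=k2"),
]

# Hypothetical approved-app inventory: behaviors each app is documented to show
EXPECTED = {"com.example.chat": {"crypto", "staging", "background", "network"}}

def correlate(events, expected, min_ops=4, window=120):
    """One finding per app with a crypto->staging->network chain inside `window`."""
    by_app = defaultdict(list)
    for ev in sorted(events):
        by_app[ev[1]].append(ev)
    findings = []
    for pkg, evs in by_app.items():
        crypto = [e for e in evs if e[2] == "crypto_op"]
        if len(crypto) < min_ops:
            continue
        key, reuse = Counter(e[3] for e in crypto).most_common(1)[0]
        t0, t1 = crypto[0][0], crypto[-1][0]
        staged = any(e[2] == "file_write" and t0 <= e[0] <= t1 + window for e in evs)
        in_bg = any(e[2] == "app_state" and e[3] == "background" and e[0] <= t1 for e in evs)
        sent = any(e[2] == "net_tx" and t1 <= e[0] <= t1 + window for e in evs)
        if not (reuse >= min_ops and staged and in_bg and sent):
            continue
        # Mismatch against the inventory is what turns the chain into a lead
        unexpected = sorted({"crypto", "staging", "background", "network"} - expected.get(pkg, set()))
        findings.append({"package": pkg, "reused_key": key, "ops": reuse,
                         "unexpected": unexpected, "review": bool(unexpected)})
    return findings
```

Both apps that complete the chain are returned so the analyst keeps the context, but only the one whose behavior the inventory does not explain is marked for review; the thresholds and window are tuning knobs, not values the page prescribes.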

Mitigation priorities

  • Establish and maintain an approved Android application inventory with expected data handling and network behavior.
  • Limit or review applications that process sensitive business data without clear business justification.
  • Improve mobile telemetry collection for app execution context, local storage activity, and network communication where feasible.
  • Define incident response playbooks for suspicious mobile app data staging and transmission, including device isolation, app review, and data exposure assessment.
  • Use detection findings to inform mobile security policy, compliance evidence, and risk decisions rather than relying on cryptographic behavior alone.

Analyst notes and limits

This object is a mobile ATT&CK detection analytic for Android. The supplied description supports a correlation-based analytic around symmetric cryptography, key reuse patterns, staging, background execution, and outbound communication. No tactics, relationships, aliases, labels, or official detection implementation were supplied, so the take avoids mapping it to specific techniques, threat actors, campaigns, or impacts.

The source provides a behavioral description but not executable detection logic, data source requirements, thresholds, or relationship context. Local app baselines, mobile telemetry depth, and device management capabilities will determine whether this analytic is practical and how noisy it will be.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the "Updates" page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: eaf9c0e2057a1805...

Imported snapshots across ATT&CK releases (1)

  Release   Bundle imported   Object version   Modified   Status           Raw hash
  19.1                        1.1                         Current bundle   eaf9c0e2057a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1731
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.