AN1749: Analytic 1749

AN1749 is a mobile ATT&CK detection analytic for Android where MITRE states that no standard detection method currently exists. The practical significance is not a ready-to-deploy detection, but a coverage gap: leaders and defenders should treat this as an area where local mobile telemetry, policy controls, and incident response procedures must be validated rather than assumed.

Executive priority

Because the official analytic provides no standard detection method, this should be handled as a risk and readiness question rather than a tooling checkbox. Security leaders should ask whether Android devices are in scope for monitoring, whether mobile incident response evidence can be collected, and whether compliance or resilience claims depend on detections that do not currently exist in a standardized ATT&CK form.

Technical view

For SOC, detection engineering, and IR teams, the key action is gap validation. Confirm what Android telemetry is available, what mobile device management or endpoint controls can observe, and whether any internal detections are mapped to the related detection strategy URL. Since no tactics, relationships, or detection logic are supplied, teams should avoid assuming ATT&CK-aligned coverage and should document local assumptions, data availability, and test evidence.

Likely telemetry

Android device inventory and enrollment status
Mobile device management or enterprise mobility management events
Android security, application, and device configuration records where available
Mobile endpoint or device health telemetry if deployed
Incident response collection artifacts from Android devices

Detection direction

Treat AN1749 as a detection gap marker, not as an implemented analytic.
Validate whether Android telemetry is collected consistently across managed and unmanaged device populations.
Document any local detection logic separately, including data sources, alert criteria, false-positive handling, and testing evidence.
Identify blind spots caused by limited mobile logging, privacy constraints, bring-your-own-device scope, or lack of mobile endpoint coverage.
Do not claim ATT&CK detection coverage from this object alone because the official detection field is not provided.

Mitigation priorities

Prioritize Android asset visibility and ownership clarity before detection claims.
Confirm mobile management, configuration, and response capabilities for in-scope Android devices.
Define escalation and evidence-collection procedures for Android-related incidents.
Use this analytic as an input to detection engineering backlog and compliance evidence gap tracking.
Review coverage after MITRE or internal detection content becomes available.

Analyst notes and limits

The supplied ATT&CK object is a mobile detection analytic for Android with the official description: no standard detection method currently exists for this technique. No tactics, relationships, aliases, labels, or official detection logic were supplied. The value of this object is therefore in identifying a defensive validation gap, not in prescribing a specific detection.

This take is limited to the supplied STIX fields and external reference. It cannot identify the underlying technique details, adversary behavior, exploitation status, impact, or detection method because those fields and relationships were not provided. Local environment evidence is required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Analytic 1749

No standard detection method currently exists for this technique.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 99e8f34f35751377...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`99e8f34f3575…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN1749
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams