MITRE ATT&CK® Analytic

AN1769: Analytic 1769

The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. The user is prompted for approval when an application requests device administrator permissions. Application vetting services may detect API calls for deleting files. Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.

Platform: Mobile | ID: AN1769 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This Android mobile detection analytic is about recognizing signs that an application may have elevated device administrator privileges or may be deleting user data/files. For leaders, the practical issue is not just malware detection; it is whether the organization can see when a mobile app has permissions that could affect data availability, user trust, and incident response decisions.

Executive priority

Prioritize this where Android devices are used for business workflows, regulated data access, or field operations. Executives should ask whether mobile security governance can prove which apps have device administrator permissions, whether risky apps are vetted before use, and whether mobile threat defense tooling can provide usable evidence during an incident involving missing data or suspicious app behavior.

Technical view

The supplied ATT&CK analytic applies to Android. It points defenders toward user-visible signals, device administrator permission prompts, application vetting for file-deletion API usage, and Mobile Threat Defense integrations that can access lower-level OS telemetry such as running processes and parameters. SOC and IR teams should validate whether their mobile telemetry can identify applications requesting or holding administrator access and whether file deletion behavior is observable enough to support triage.

Likely telemetry

  • Android device administrator permission status by application
  • User approval prompts for device administrator permission requests
  • Mobile Threat Defense telemetry from lower-level OS APIs, where available
  • Running process and process-parameter telemetry from managed Android devices, where available
  • Application vetting results for file deletion API calls

Detection direction

  • Confirm whether mobile security tooling can enumerate applications holding device administrator access on Android devices. The legacy device admin API has been deprecated since Android 9 and several of its policies were removed for apps targeting Android 10 or later; managed fleets are expected to rely on a device owner or profile owner (Android Enterprise) instead, so a non-management app that still requests device admin is itself a review trigger.
  • Validate whether MTD integrations can observe command-line or process activity related to file deletion. Since Android 7, /proc is mounted with hidepid, so an unprivileged agent cannot list other apps' processes or their arguments; this visibility depends on OS/API access and product capability, and in practice usually requires a privileged or OEM-level integration.
  • Review application vetting outputs for apps that call file deletion APIs, especially when combined with device administrator permission requests.
  • Treat user reports of missing data as triage inputs, but avoid relying on them as the primary detection source because they are subjective and may occur after the activity.
  • Tune review workflows for legitimate enterprise management apps that require administrator permissions to reduce false positives while preserving visibility into unexpected apps.

Mitigation priorities

  • Maintain an approved baseline of Android applications permitted to request or hold device administrator permissions.
  • Use application vetting to scrutinize apps requesting administrator permissions or using file deletion APIs before deployment or approval.
  • Ensure MTD or mobile security products are configured to report administrator permission status and relevant app behavior to SOC workflows.
  • Document mobile evidence collection procedures so incident responders know what device, app, permission, and telemetry data can be collected during suspected data deletion events.
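
The enumeration check in the detection list and the approved-baseline mitigation above, as one added example that is not MITRE or Glexia code. It takes the text of `adb shell dumpsys device_policy` (the block headed "Enabled Device Admins" on a real device; the embedded sample is constructed and only approximates that layout, which is an assumption) and reports admins outside the baseline plus every admin holding the wipe-data policy. The baseline package name `com.example.mdm` is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not MITRE or Glexia code): compare enabled Android device
# administrators against an approved baseline. Real input comes from
# `adb shell dumpsys device_policy`; the sample below is constructed and its
# layout is an approximation (assumption).
set -eu

SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.mdm/com.example.mdm.DeviceAdminReceiver}
    package=com.example.mdm
  Enabled Device Admins (User 0, provisioningState: 3):
    com.example.mdm/.DeviceAdminReceiver:
      uid=10041
      testOnlyAdmin=false
      policies:
        wipe-data
        reset-password
    com.shady.cleaner/.AdminReceiver:
      uid=10133
      testOnlyAdmin=false
      policies:
        wipe-data
        force-lock'

# Packages approved to hold device admin (assumption: your MDM/DPC agent).
BASELINE='com.example.mdm'

# Print "PACKAGE POLICY" for every policy held by each enabled device admin.
extract_admins() {
  printf '%s\n' "$1" | awk '
    /Enabled Device Admins/ { inblock = 1; next }
    inblock && /^  [^ ]/ { inblock = 0 }          # next 2-space section ends block
    inblock && /^    [^ ].*:$/ {                  # component line, 4-space indent
      comp = $1; sub(/:$/, "", comp); split(comp, p, "/"); pkg = p[1]; next
    }
    inblock && pkg != "" && /^        [a-z-]+$/ { print pkg, $1 }
  '
}

# Packages holding device admin that are not on the approved baseline.
unexpected_admins() {
  extract_admins "$1" | awk -v base="$BASELINE" '
    BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    !($1 in ok) && !seen[$1]++ { print $1 }
  '
}

# Every package, approved or not, that can wipe user data.
wipe_capable() {
  extract_admins "$1" | awk '$2 == "wipe-data" { print $1 }'
}

# Usage against the sample. On a live device:
#   unexpected_admins "$(adb shell dumpsys device_policy)"
echo "unexpected device admins:"; unexpected_admins "$SAMPLE_DUMPSYS"
echo "wipe-capable admins:";     wipe_capable "$SAMPLE_DUMPSYS"
```

`adb shell dpm list-owners` gives the device owner and profile owners as a quick cross-check; an app that appears as a device admin but is neither the device owner nor the profile owner is the case the baseline exists to catch.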

Analyst notes and limits

No tactic, technique relationship, related ATT&CK objects, or official detection content were supplied for this object, so this take is limited to the analytic text and its Android platform scope. The analytic is most useful as a validation checklist for mobile visibility: administrator permissions, app vetting, MTD telemetry, and user-observed missing data.

Detection feasibility depends on the local Android management model (unmanaged, work profile, or fully managed), MTD capability, OS/API access, logging retention, and whether the organization controls or monitors the relevant devices.

Official MITRE ATT&CK definition

Analytic 1769

The analytic text is reproduced verbatim at the top of this page under AN1769.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in the mirrored snapshot)
Modified: (not present in the mirrored snapshot)
Raw hash: 52d391b974b625d8...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | (not shown) | 1.0 | (not shown) | Current bundle | 52d391b974b6… |
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN1769 (source URL on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.