MITRE ATT&CK® Analytic

AN1776: Analytic 1776

Defender correlates an application gaining/retaining fine or background location capability with subsequent location sensor sessions that occur while the app is backgrounded or the device is locked, followed by repeated location reads at a periodic cadence and near-term outbound connections to domains not typical for fleet navigation/MDM services, indicating covert location tracking.

Domain: Mobile | ID: AN1776 | Type: Analytic | Object version: 1.1 | Modified: (no date shown)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because covert mobile location tracking can turn an Android device into a source of sensitive movement data without obvious user awareness. For leaders, the decision point is whether the organization can prove which apps have fine or background location capability, whether those apps use location while backgrounded or the device is locked, and whether that activity is followed by unusual outbound connections.

Executive priority

Prioritize this where Android devices are used for workforce mobility, executive travel, regulated operations, or field activity. The business value is less about a single alert and more about assurance: mobile management, privacy, incident response, and compliance teams need evidence that location permissions, background sensor use, and network behavior are visible enough to distinguish approved fleet navigation or MDM activity from suspicious tracking patterns.

Technical view

Validate whether Android telemetry can correlate three elements from the ATT&CK analytic description: an app gaining or retaining fine/background location capability, location sensor sessions while the app is backgrounded or the device is locked, and repeated location reads with near-term outbound connections to domains not typical for fleet navigation or MDM services. Because ATT&CK provides no separate detection text and no relationship context, SOC teams should treat this as a detection design pattern requiring local baselining of approved mobile apps and expected service domains.

Likely telemetry

  • Android app permission state and permission change history for fine and background location access
  • Mobile device state indicating app foreground/background status and device locked state
  • Location sensor/session access records or equivalent mobile security/MDM telemetry
  • Network connection metadata from Android devices, including destination domains and timing
  • Approved application inventory and expected domains for fleet navigation, MDM, or other sanctioned location services

Detection direction

  • Correlate permission capability with behavior; permission alone is not enough to indicate covert tracking.
  • Look for periodic or repeated location reads occurring while the app is backgrounded or the device is locked.
  • Compare outbound domains after location access against an organization-specific allowlist or baseline for approved navigation, MDM, and business mobile apps.
  • Tune for false positives from legitimate fleet tracking, navigation, safety, logistics, or device management applications.
  • Assess blind spots where mobile telemetry does not expose sensor access, app state, lock state, or DNS/domain destinations.
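The following Python block is an added illustration of the correlation pattern described in the Technical view and Detection direction sections; it is not code from the page, from Glexia, or from MITRE. It chains the three elements of the analytic (location capability granted and still held, location sensor sessions while the app is backgrounded or the device is locked, a periodic read cadence, and near-term egress to non-allowlisted domains) over constructed telemetry. The app names, domains, timestamps, row layouts, the 60-second egress window and the cadence threshold are all assumptions; a real deployment would map the row shapes to whatever the MDM or mobile-security export actually provides.

```python
"""Correlate Android location-permission state, covert location sensor reads
and near-term outbound connections into one covert-tracking alert.

Everything below is constructed for this illustration: apps, domains and
timestamps are invented, and the row shapes assume a generic MDM / mobile
security export rather than any specific vendor's format.
"""
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}


def ts(minute, second=0):
    """Timestamp on one constructed day (UTC), to keep the sample data short."""
    return datetime(2024, 5, 1, 9, minute, second, tzinfo=timezone.utc)


# Permission change history: (time, app, permission, granted) -- constructed
PERMISSION_EVENTS = [
    (ts(0), "com.example.tracker", "android.permission.ACCESS_FINE_LOCATION", True),
    (ts(0), "com.example.tracker", "android.permission.ACCESS_BACKGROUND_LOCATION", True),
    (ts(0), "com.example.fleetnav", "android.permission.ACCESS_BACKGROUND_LOCATION", True),
    (ts(0), "com.example.notes", "android.permission.ACCESS_FINE_LOCATION", True),
    (ts(1), "com.example.notes", "android.permission.ACCESS_FINE_LOCATION", False),  # revoked
]

# Location sensor sessions: (time, app, app_state, device_locked) -- constructed
LOCATION_READS = (
    [(ts(2), "com.example.tracker", "foreground", False)]          # foreground use: ignored
    + [(ts(m), "com.example.tracker", "background", m % 10 == 0) for m in range(5, 31, 5)]
    + [(ts(m), "com.example.fleetnav", "background", True) for m in range(5, 31, 5)]
    + [(ts(3), "com.example.notes", "foreground", False)]
)

# Outbound connections: (time, app, destination domain) -- constructed
NET_EVENTS = (
    [(ts(m, 12), "com.example.tracker", "c2.example-unknown.net") for m in range(5, 31, 5)]
    + [(ts(7), "com.example.tracker", "maps.example-nav.com")]
    + [(ts(m, 9), "com.example.fleetnav", "fleet.example-mdm.com") for m in range(5, 31, 5)]
)

# Organisation-specific baseline of sanctioned navigation / MDM destinations (assumed)
ALLOWED_DOMAINS = {"fleet.example-mdm.com", "maps.example-nav.com"}


def apps_with_location_capability(permission_events):
    """Apps whose most recent event for a location permission is a grant (not later revoked)."""
    latest = {}
    for when, app, perm, granted in sorted(permission_events):
        if perm in LOCATION_PERMS:
            latest[(app, perm)] = granted
    return {app for (app, _perm), granted in latest.items() if granted}


def covert_reads(location_reads, app):
    """Times at which the app read location while backgrounded or while the device was locked."""
    return sorted(when for when, a, state, locked in location_reads
                  if a == app and (state == "background" or locked))


def is_periodic(timestamps, min_reads=4, max_cv=0.25):
    """True when inter-read gaps are regular: coefficient of variation at or below max_cv."""
    if len(timestamps) < min_reads:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def suspicious_egress(net_events, app, read_times, allowed, window=timedelta(seconds=60)):
    """Non-allowlisted domains the app contacted within `window` after a covert read."""
    hits = set()
    for when, a, domain in net_events:
        if a != app or domain in allowed:
            continue
        if any(rt <= when <= rt + window for rt in read_times):
            hits.add(domain)
    return hits


def detect_covert_tracking(permission_events, location_reads, net_events, allowed):
    """Emit one alert per app that satisfies all stages of the correlation."""
    alerts = []
    for app in sorted(apps_with_location_capability(permission_events)):
        reads = covert_reads(location_reads, app)
        if not is_periodic(reads):
            continue
        domains = suspicious_egress(net_events, app, reads, allowed)
        if domains:
            alerts.append({"app": app, "covert_reads": len(reads), "domains": sorted(domains)})
    return alerts


if __name__ == "__main__":
    for alert in detect_covert_tracking(PERMISSION_EVENTS, LOCATION_READS, NET_EVENTS, ALLOWED_DOMAINS):
        print(alert)
```

In the constructed data only com.example.tracker is flagged: com.example.fleetnav shows the same background cadence but only talks to an allowlisted fleet domain, and com.example.notes loses its permission and reads location only in the foreground. Permission state alone never produces an alert, which matches the first detection-direction point above; the cadence threshold and egress window are the knobs to tune against local false positives.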

Mitigation priorities

  • Maintain an approved inventory of Android applications allowed to use fine or background location.
  • Review and restrict background location permissions for apps without a documented business need.
  • Ensure mobile management or mobile security tooling can collect permission, app state, sensor-use, and network metadata needed for this correlation.
  • Document expected domains for sanctioned navigation, fleet, and MDM services to support detection tuning and audit evidence.
  • Include suspicious mobile location tracking scenarios in incident response triage procedures, especially for sensitive users or regulated operations.
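As an added example for the first two mitigation points (inventory of approved apps and review of background location grants), the Python block below audits per-package runtime permission grants against an approved list. It is not code from the page, Glexia or MITRE. The input is a constructed sample laid out in the shape of `adb shell dumpsys package` output (a `Package [name]` header followed by `runtime permissions:` lines of the form `android.permission.X: granted=true|false`); the package names, hashes and the approved inventory are assumptions, and the suggested `pm revoke` commands are only generated as strings, not executed.

```python
"""Audit ACCESS_BACKGROUND_LOCATION grants against an approved app inventory.

The dump below is a constructed sample in the shape of `dumpsys package`
runtime-permission output; package names, hashes and the approved list are
assumptions for this illustration.
"""
import re

# Assumed organisational inventory of apps allowed to use background location
APPROVED_BACKGROUND_LOCATION = {"com.example.fleetnav", "com.example.mdmagent"}

SAMPLE_DUMPSYS = """\
Package [com.example.fleetnav] (a1b2c3):
  User 0: installed=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.tracker] (d4e5f6):
  User 0: installed=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (0a0b0c):
  User 0: installed=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET ]
"""

PACKAGE_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")
BG = "android.permission.ACCESS_BACKGROUND_LOCATION"
FINE = "android.permission.ACCESS_FINE_LOCATION"


def parse_runtime_permissions(dump):
    """Map package name -> {permission: granted} from dumpsys-style text."""
    grants, current = {}, None
    for line in dump.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            grants[current] = {}
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None:
            grants[current][perm.group(1)] = perm.group(2) == "true"
    return grants


def audit_background_location(grants, approved):
    """Split packages into unapproved background grants, approved ones, and fine-only holders."""
    report = {"unapproved_background": [], "approved_background": [], "fine_only": []}
    for pkg, perms in sorted(grants.items()):
        if perms.get(BG):
            bucket = "approved_background" if pkg in approved else "unapproved_background"
            report[bucket].append(pkg)
        elif perms.get(FINE):
            report["fine_only"].append(pkg)
    return report


def revoke_commands(report):
    """Suggested remediation for unapproved grants (strings only; nothing is executed)."""
    return [f"adb shell pm revoke {pkg} {BG}" for pkg in report["unapproved_background"]]


if __name__ == "__main__":
    summary = audit_background_location(parse_runtime_permissions(SAMPLE_DUMPSYS),
                                        APPROVED_BACKGROUND_LOCATION)
    print(summary)
    for cmd in revoke_commands(summary):
        print(cmd)
```

On the sample, com.example.tracker is the only unapproved background grant and com.example.notes holds fine location only; the fine-only bucket is worth reviewing too, since fine location plus foreground-service tricks is the other half of what the analytic above watches for.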

Analyst notes and limits

This is an ATT&CK mobile detection analytic for Android, external ID AN1776. It describes a correlation pattern rather than a complete rule. No tactics, relationships, aliases, or official detection logic were supplied, so local telemetry availability and baselining determine practical coverage.

The supplied ATT&CK fields do not support claims about active exploitation, adversary attribution, prevalence, impact, or guaranteed detection. The analytic is limited to Android as supplied and requires organization-specific knowledge of approved apps and normal service domains.

Official MITRE ATT&CK definition

Analytic 1776

Defender correlates an application gaining/retaining fine or background location capability with subsequent location sensor sessions that occur while the app is backgrounded or the device is locked, followed by repeated location reads at a periodic cadence and near-term outbound connections to domains not typical for fleet navigation/MDM services, indicating covert location tracking.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: (no value in snapshot)
Modified: (no value in snapshot)
Raw hash: 6980439c84db0f0e...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported: (no value in snapshot)
Object version: 1.1
Modified: (no value in snapshot)
Status: Current bundle
Raw hash: 6980439c84db…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1776 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.