Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1782: Analytic 1782

OLD: Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application’s manifest, or `NSContactsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it. On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary.

NEW: A defender observes an Android application requesting for android.permission.READ_CONTACTS, which may also be listed in the application's manifest file.

MobileAN1782AnalyticObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about noticing when an Android app requests access to a user’s contacts through android.permission.READ_CONTACTS. For leaders, the significance is privacy, identity, and compliance risk: contact lists can expose employees, customers, partners, and social graphs, so unnecessary access should trigger review even when the app appears otherwise benign.

Executive priority

Prioritize this as a mobile governance and audit-readiness control rather than a standalone incident signal. Security leaders should ask whether the organization inventories Android app permissions, reviews business justification for contact access, and can prove that risky permissions are identified and remediated through mobile policy, app vetting, or user/device settings.

Technical view

SOC, mobile security, and IR teams should validate whether they can observe Android applications requesting android.permission.READ_CONTACTS, including from the application manifest where available. Because no ATT&CK tactic or detection logic is supplied, this should be treated as a permission-risk analytic that supports triage and app review, not as conclusive evidence of malicious activity.

Likely telemetry

  • Android application manifest permission data
  • Mobile device management or enterprise mobility inventory showing installed apps and granted/requested permissions
  • Application vetting or mobile app reputation/service outputs
  • Device settings or endpoint/mobile security records showing contact permission state where collected

Detection direction

  • Flag Android apps requesting android.permission.READ_CONTACTS and enrich with app name, publisher, install source, device/user context, and business justification.
  • Tune severity based on whether contact access is expected for the app’s function; many legitimate communication or productivity apps may request it.
  • Validate coverage for both requested permissions in the manifest and currently granted permissions on devices, since these may differ.
  • Use this analytic as a review trigger, not a definitive malicious-behavior alert, because the official object provides no detection procedure, tactic mapping, or relationship context.

Mitigation priorities

  • Establish or confirm a mobile app vetting process that reviews Android permissions before approval or deployment.
  • Require documented business justification for apps that request contact access.
  • Use device or mobile management policy to restrict, revoke, or monitor contact permissions where appropriate.
  • Educate users and administrators to review application permissions in device settings and remove unnecessary contact access.
  • Maintain audit evidence showing which apps request or have contact access and how exceptions are approved.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Android permission observation. Its strongest defensive value is in mobile app governance, privacy review, and triage enrichment. The older description references iOS concepts, but the supplied platform for this object is Android, so this summary limits operational guidance to Android.

No official detection logic, tactics, relationships, aliases, labels, or procedure examples were supplied. Local mobile management, app inventory, and permission telemetry are required to determine whether an observed READ_CONTACTS request is expected, excessive, or policy-violating.

Official MITRE ATT&CK definition

Analytic 1782

OLD: Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application’s manifest, or `NSContactsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it. On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary.

NEW: A defender observes an Android application requesting for android.permission.READ_CONTACTS, which may also be listed in the application's manifest file.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
9e6a929b26c8f754...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 9e6a929b26c8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1782
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use