AN1786: Analytic 1786
The user can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.
Analyst context for executives and security teams
This analytic is about using Android application permission visibility as a defensive signal. For leaders, the value is governance: knowing whether risky mobile app permissions are visible to users, administrators, or vetting workflows before those apps become an identity, privacy, or operational risk. The specific example called out is scrutiny of dangerous permissions such as RECEIVE_SMS.
Executive priority
Prioritize this where Android devices or managed mobile applications are in scope for business operations, compliance evidence, or incident response. The key decision is whether the organization can prove that mobile app permissions are reviewed, especially permissions that could expose messages, authentication flows, or sensitive user data. This is less a standalone detection and more a control-validation and app-risk triage activity.
Technical view
ATT&CK provides this as a mobile detection analytic for Android, but no formal detection logic is supplied. SOC, mobile security, and IR teams should validate whether device settings, mobile management workflows, or application vetting services expose the permissions granted or requested by installed applications. Reviews should focus on permissions considered dangerous in Android, with RECEIVE_SMS explicitly identified by the source as warranting additional scrutiny.
Likely telemetry
- Android application permission lists visible in device settings
- Application vetting results showing requested permissions
- Administrative review records for mobile applications
- Mobile device or application inventory for Android devices
- Change evidence showing when app permissions are granted, reviewed, or approved, if available
Detection direction
- Confirm that Android app permissions are actually collected or reviewable; do not assume visibility from device settings alone equals enterprise telemetry.
- Tune review workflows to highlight dangerous permissions, including RECEIVE_SMS as specifically noted by ATT&CK.
- Correlate permission findings with the approved application inventory to distinguish sanctioned apps from unknown or unreviewed apps.
- Document false-positive handling for applications that legitimately require sensitive permissions, since permission presence alone does not prove malicious behavior.
- Because no ATT&CK detection logic or relationships are supplied, treat this as a validation analytic rather than a complete behavioral detection.
Mitigation priorities
- Establish or verify an application vetting process for Android apps before approval or deployment.
- Require administrative review of requested permissions, with enhanced scrutiny for dangerous permissions such as RECEIVE_SMS.
- Maintain evidence of permission review decisions for audit, risk acceptance, and incident response use.
- Ensure users or administrators know where granted permissions can be viewed in Android device settings.
- Use local business context to decide which permissions are unacceptable, require exception approval, or require compensating controls.
Analyst notes and limits
The supplied object is a detection analytic in the mobile ATT&CK domain for Android. Its practical value is strongest for mobile app governance, permission review, and readiness evidence rather than automated alerting. No tactics, detection procedure, relationships, aliases, or labels were supplied.
This take is limited to the official fields provided. MITRE did not provide detection logic, related techniques, threat groups, software, campaigns, or observed exploitation context for this object. Local Android management tooling, app inventory, and permission collection capabilities are required to determine real coverage.
Analytic 1786
The user can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 3b7713a935c2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1786Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.