Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1788: Analytic 1788

Defender observes an app (package/UID) issuing high-rate directory or content-index enumerations against external/shared storage or other apps’ Documents/Media providers (logcat:ContentResolver, logcat:StorageAccessFramework), followed within a short window by bulk READ handles or stat/list calls over many distinct paths (logcat:FileIO). Activity occurs without foreground UI or exceeds typical per-app baseline, indicating automated file/dir discovery rather than user-driven browsing. Correlate on package/UID/profile and time proximity.

MobileAN1788AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because it focuses on Android apps that appear to be rapidly discovering files across shared or external storage and document/media providers, rather than behaving like a user-driven file browser. For leaders, the value is in validating whether mobile security monitoring can distinguish normal app access from automated data discovery that may precede privacy, data-loss, or incident-response concerns.

Executive priority

Prioritize this as a mobile visibility and data-governance question: can the organization prove which Android apps are enumerating shared storage, when they do it, and whether the activity is consistent with user interaction or expected business function? This is relevant to SOC readiness, incident triage, privacy/compliance evidence, and mobile application risk management, especially where Android devices access sensitive business files.

Technical view

For Android, validate whether telemetry can correlate package, UID, profile, and timestamp across ContentResolver, StorageAccessFramework, and FileIO-style evidence. The analytic describes high-rate directory or content-index enumeration followed shortly by bulk read handles or stat/list calls across many distinct paths, especially when there is no foreground UI or the behavior exceeds the app’s baseline. Because no separate official detection logic is supplied, teams should treat this as a behavior pattern to operationalize with local baselines, time-window correlation, and app-specific allowlisting.

Likely telemetry

  • Android logcat events related to ContentResolver activity
  • Android logcat events related to Storage Access Framework activity
  • Android logcat or equivalent FileIO evidence for read handles, stat calls, and list calls
  • Package name, UID, user/profile, and timestamp correlation data
  • Foreground/background app state or UI activity evidence

Detection direction

  • Validate that mobile telemetry is collected at sufficient detail to connect content-provider enumeration with subsequent file access by the same package/UID/profile in a short time window.
  • Baseline expected behavior for legitimate file managers, media apps, backup/sync tools, enterprise document apps, and device-management components to reduce false positives.
  • Tune for high-rate enumeration, many distinct paths, and bulk read/stat/list activity that occurs without foreground UI or materially exceeds normal per-app behavior.
  • Review blind spots where Android logging is unavailable, filtered, privacy-restricted, or not centrally collected from managed devices.
  • Because no ATT&CK tactic or relationship context is supplied, avoid over-classifying alerts; use this analytic as discovery-oriented evidence that requires local context and triage.

Mitigation priorities

  • Confirm Android mobile logging and managed-device telemetry can support package/UID/profile-level investigations.
  • Restrict and review app access to shared, external, document, and media storage based on business need and platform policy capabilities.
  • Establish approved-app baselines for storage enumeration and file-access behavior before relying on high-rate thresholds.
  • Integrate mobile alerts with incident-response workflows so analysts can quickly determine whether the app was foregrounded, user-initiated, or behaving unexpectedly.
  • Use findings to support mobile app risk reviews, data-access governance, and compliance evidence for monitoring of sensitive file access.
Analyst notes and limits

AN1788 is a detection analytic for Android in the mobile ATT&CK domain. The source describes a correlation pattern, not a complete detection rule. The strongest operational value comes from correlating app identity, timing, foreground state, and file/content-provider activity against local baselines.

The supplied object has no official detection text beyond the description, no tactic assignment, and no relationship context. It does not identify adversaries, malware, campaigns, active exploitation, impact, or guaranteed detection coverage. Local Android telemetry quality and enterprise mobile-management capabilities will determine practical usefulness.

Official MITRE ATT&CK definition

Analytic 1788

Defender observes an app (package/UID) issuing high-rate directory or content-index enumerations against external/shared storage or other apps’ Documents/Media providers (logcat:ContentResolver, logcat:StorageAccessFramework), followed within a short window by bulk READ handles or stat/list calls over many distinct paths (logcat:FileIO). Activity occurs without foreground UI or exceeds typical per-app baseline, indicating automated file/dir discovery rather than user-driven browsing. Correlate on package/UID/profile and time proximity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
67765befad8201b3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 67765befad82…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1788
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use