AN1796: Analytic 1796
Application vetting services could look for `android.permission.READ_SMS` in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.
Analyst context for executives and security teams
This analytic is intended to flag mobile applications that request access to SMS messages, specifically by checking for `android.permission.READ_SMS` in an Android app manifest. The business value is in app-risk governance: SMS access can expose sensitive messages, one-time passcodes, and user communications, so apps requesting it deserve extra review before approval or continued use. However, the supplied ATT&CK platform field lists iOS while the official description is Android-specific, so teams should treat this object as requiring source validation before operationalizing it.
Executive priority
Prioritize this as a mobile application vetting and privacy-control check, especially for environments where employee devices may receive authentication codes or sensitive business communications by SMS. Leaders should ask whether mobile app approval processes review dangerous permissions, whether users can revoke unnecessary permissions, and whether audit evidence exists showing risky app permissions are assessed before deployment or allowed use.
Technical view
For SOC, mobile security, and app-vetting teams, the concrete validation point is whether application manifests are inspected for `android.permission.READ_SMS` and whether apps requesting SMS access receive additional scrutiny. The ATT&CK object does not provide a detection implementation, tactics, or relationship context. Also, the object metadata says platform iOS, while the description references Android permissions and Android settings; detection engineering should resolve this mismatch against the official ATT&CK source before mapping it to platform-specific coverage.
Likely telemetry
- Mobile application manifest/package metadata showing requested permissions
- Mobile app vetting or mobile threat defense assessment results
- Device management or endpoint mobility records showing installed applications and granted permissions
- User or device permission-state evidence where available, including whether SMS access has been revoked
Detection direction
- Validate whether app-vetting workflows parse requested permissions and specifically identify `android.permission.READ_SMS`.
- Tune review logic so SMS access is not treated as automatically malicious, but as a high-scrutiny permission that requires business justification.
- Check for blind spots in unmanaged devices, personally owned devices, side-loaded applications, and apps installed outside standard approval workflows.
- Resolve the supplied platform inconsistency before reporting coverage: the metadata lists iOS, but the analytic description is Android-specific.
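A sketch of the manifest check described above, added here as an example; it is not part of the ATT&CK object or any vendor tooling. It assumes the manifest has already been decoded to text XML (the copy inside an APK is binary XML), and the package names and justification inventory are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
READ_SMS = "android.permission.READ_SMS"

def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # <uses-permission-sdk-23> requests a permission on API 23+ devices only.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.findall(tag):
            name = (elem.get(ANDROID_NS + "name") or "").strip()
            if name:
                perms.add(name)
    return root.get("package"), perms

def vet_manifest(manifest_xml, justifications):
    """Classify one app; justifications maps package -> documented reason."""
    try:
        package, perms = requested_permissions(manifest_xml)
    except ET.ParseError:
        # An unreadable manifest is a blind spot, not a pass.
        return (None, "manual-review", "manifest could not be parsed")
    if READ_SMS not in perms:
        return (package, "no-sms-read", "")
    if package in justifications:
        return (package, "justified", justifications[package])
    return (package, "manual-review", "READ_SMS requested, no justification on file")

# Constructed sample manifests (hypothetical packages, not real apps).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SAMPLES = [
    f'<manifest {NS} package="com.example.notes">'
    '<uses-permission android:name="android.permission.INTERNET"/></manifest>',
    f'<manifest {NS} package="com.example.flashlight">'
    '<uses-permission android:name="android.permission.READ_SMS"/></manifest>',
    f'<manifest {NS} package="com.example.smsbackup">'
    '<uses-permission-sdk-23 android:name="android.permission.READ_SMS"/></manifest>',
    '<manifest package="com.example.broken"><uses-permission',
]
# Constructed approved-app inventory entry.
JUSTIFIED = {"com.example.smsbackup": "approved SMS backup tool"}

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(vet_manifest(xml_text, JUSTIFIED))
```

The request is treated as a review trigger rather than a verdict: an app with a documented justification passes, and a manifest that cannot be parsed is routed to manual review instead of being silently cleared.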
Mitigation priorities
- Require additional review for mobile applications requesting SMS-read access before approval or deployment.
- Where supported, use device settings or mobile management controls to revoke unnecessary SMS permissions.
- Maintain an approved-app inventory with documented justification for sensitive permissions.
- Use mobile application governance and user guidance to reduce unnecessary exposure of SMS messages, especially where SMS may carry authentication or business-sensitive content.
Analyst notes and limits
This is a detection analytic object, not a technique description. It provides a narrow app-vetting idea centered on SMS-read permission review. The strongest operational use is as a control validation question for mobile app governance rather than a standalone SOC alert.
Official detection text, tactics, labels, aliases, and relationship context were not supplied. The object lists platform iOS, but the official description is Android-specific; conclusions should be limited until that discrepancy is reconciled with the ATT&CK source and local mobile environment evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 678595e9f3b1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1796
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.