MITRE ATT&CK® Analytic

AN1799: Analytic 1799

If the user sees a notification with text they do not recognize, they should review their list of installed applications.

Domain: Mobile | ID: AN1799 | Type: Analytic object | Version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is a user-facing mobile security cue for iOS: an unfamiliar notification should trigger a review of installed applications. Its value is not in automated detection by itself, but in turning an end-user observation into a triage path that can help identify unwanted, unmanaged, or suspicious apps before they create broader privacy, identity, or operational risk.

Executive priority

For leaders, the priority is ensuring mobile security processes can absorb user-reported anomalies and convert them into timely investigation. This matters for incident readiness, mobile device governance, and compliance evidence because the organization may need to show how suspicious mobile app behavior is reported, reviewed, and resolved. Budget and control decisions should focus on whether iOS app inventory, user reporting channels, and help desk/SOC escalation paths are mature enough to act on this kind of signal.

Technical view

The supplied ATT&CK object is an iOS detection analytic with no tactic, relationship, or formal detection logic provided. SOC, help desk, and IR teams should treat it as a workflow validation point: when a user reports an unfamiliar notification, analysts should be able to identify the device, pull its installed-application list, correlate the notification with known or recently installed apps where that history exists, and decide whether the app is expected, managed, or requires removal or escalation. Two practical details make the report actionable: iOS shows the sending app's name and icon on the notification banner and in Notification Center, so the intake ticket should capture that name verbatim, and Settings > Notifications on the device lists every app permitted to post notifications, which is a quicker first check than the full app list. For managed devices the installed-app list is obtained through the MDM InstalledApplicationList query; because ATT&CK provides no detection implementation, local mobile device management and endpoint/mobile telemetry determine practical coverage.

Likely telemetry

  • User report or help desk ticket describing unfamiliar notification text
  • iOS installed application inventory
  • Mobile device management enrollment and device ownership status
  • App installation history where available
  • Managed versus unmanaged app status

Detection direction

  • Validate that users have a clear process to report unfamiliar mobile notifications and that reports reach the right triage team.
  • Confirm analysts can retrieve an iOS installed-app list for managed devices and associate the device with the reporting user.
  • Tune triage to account for benign causes such as legitimate app updates, changed notification wording, or apps installed by the user but forgotten. Note also that since iOS 16.4 a web app added to the Home Screen can post notifications through Web Push, so a notification may have no corresponding entry in the installed-app inventory at all.
  • Identify blind spots for unmanaged, bring-your-own, or partially enrolled iOS devices where installed-app visibility may be limited. In particular, a device using User Enrollment returns only managed apps to the MDM InstalledApplicationList query, so an unmanaged app the user installed from the App Store will not appear in MDM inventory and can only be confirmed by the user looking at the device.
  • Use this analytic as a prompt for investigation rather than a standalone alert, since no official detection logic is supplied.
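The triage path sketched in the technical view and in the detection direction above, written out as an added example (it is not part of the ATT&CK object or of any MDM product). The report, inventory, and approved-app catalog are constructed sample data; the inventory keys `Identifier`, `Name` and `ShortVersion` follow the names used in an Apple MDM InstalledApplicationList response, while `managed` and `installed_at` are hypothetical fields that in practice would come from MDM enrollment state and install history. The verdict thresholds are assumptions to be tuned locally.

```python
"""Triage helper for a user-reported unfamiliar iOS notification.

Added illustration, not ATT&CK or vendor code. Record shapes and the
7-day 'recent install' window are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RECENT_WINDOW = timedelta(days=7)          # assumption: tune locally
SEVERITY = {"expected": 0, "review": 1, "escalate": 2}

# Constructed sample: what the help desk captured from the user.
SAMPLE_REPORT = {
    "user": "jdoe",
    "device_udid": "EXAMPLE-UDID-0001",   # placeholder, not a real device
    "notification_text": "Your account was accessed from a new device",
    "reported_app_name": None,            # user did not note the banner's app name
    "reported_at": "2026-03-02T09:14:00+00:00",
}

# Constructed sample: MDM installed-app inventory for that device.
SAMPLE_INVENTORY = [
    {"Identifier": "com.example.corpmail", "Name": "CorpMail", "ShortVersion": "4.2.1",
     "managed": True, "installed_at": "2025-11-10T08:00:00+00:00"},
    {"Identifier": "com.example.expenses", "Name": "Expenses", "ShortVersion": "2.0.0",
     "managed": True, "installed_at": "2025-11-10T08:00:00+00:00"},
    {"Identifier": "com.example.weather", "Name": "Weather Now", "ShortVersion": "1.3",
     "managed": False, "installed_at": "2024-06-01T12:00:00+00:00"},
    {"Identifier": "io.example.accountguard", "Name": "Account Guard", "ShortVersion": "0.9",
     "managed": False, "installed_at": "2026-03-01T22:41:00+00:00"},
]

# Constructed sample: bundle identifiers in the organization's approved catalog.
APPROVED_IDS = {"com.example.corpmail", "com.example.expenses"}


@dataclass
class Finding:
    identifier: str
    name: str
    managed: bool
    approved: bool
    recently_installed: bool
    name_matches_report: bool
    verdict: str


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def classify_app(app, approved_ids, reported_app_name, reported_at) -> Finding:
    """Verdict for one inventory record.

    expected : managed by MDM and in the approved catalog
    review   : approved-but-unmanaged (catalog drift), managed-but-unapproved,
               or an old unmanaged app the user may simply have forgotten
    escalate : unmanaged, unapproved, and either installed inside the recent
               window or named by the user as the source of the notification
    """
    managed = bool(app.get("managed"))
    approved = app["Identifier"] in approved_ids
    installed_at = app.get("installed_at")
    recent = (installed_at is not None
              and reported_at - _parse(installed_at) <= RECENT_WINDOW)
    name_match = (reported_app_name is not None
                  and app["Name"].casefold() == reported_app_name.casefold())
    if managed and approved:
        verdict = "expected"
    elif not managed and not approved and (recent or name_match):
        verdict = "escalate"
    else:
        verdict = "review"
    return Finding(app["Identifier"], app["Name"], managed, approved,
                   recent, name_match, verdict)


def triage(report, inventory, approved_ids):
    """Rank every installed app for the analyst and pick an overall outcome."""
    if not inventory:
        # Blind spot: no app visibility (unenrolled / User Enrollment with
        # no managed apps). The only remaining check is the user's own device.
        return {"device_udid": report["device_udid"], "user": report["user"],
                "outcome": "no_visibility", "findings": []}
    reported_at = _parse(report["reported_at"])
    findings = [classify_app(a, approved_ids, report.get("reported_app_name"), reported_at)
                for a in inventory]
    findings.sort(key=lambda f: (-SEVERITY[f.verdict], f.name))
    outcome = max((f.verdict for f in findings), key=SEVERITY.get)
    return {"device_udid": report["device_udid"], "user": report["user"],
            "outcome": outcome, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, SAMPLE_INVENTORY, APPROVED_IDS)
    print(f"{result['user']} / {result['device_udid']}: {result['outcome']}")
    for f in result["findings"]:
        print(f"  {f.verdict:9} {f.name:14} managed={f.managed} approved={f.approved} "
              f"recent={f.recently_installed}")
```

With the constructed data the unmanaged, unapproved app installed the night before the report is ranked first for escalation, the old unmanaged weather app is queued for a quick "did you install this?" question, and the two managed catalog apps are marked expected. An empty inventory is reported as `no_visibility` rather than as a clean device, which is the blind spot the detection direction warns about.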

Mitigation priorities

  • Maintain accurate iOS device and application inventory for managed devices.
  • Define and test a user-reporting workflow for suspicious or unfamiliar mobile notifications.
  • Establish escalation criteria for unknown, unmanaged, or policy-violating applications discovered during review.
  • Use mobile device governance controls to limit or review unauthorized applications where organizational policy allows.
  • Document investigation outcomes to support audit, incident response lessons learned, and mobile security program improvement.

Analyst notes and limits

This object is a detection analytic rather than a technique, and the official description is limited to user observation followed by installed-application review. No ATT&CK relationships, tactics, malware, campaigns, or procedures were supplied, so the take is intentionally framed around defensive workflow, telemetry validation, and mobile governance rather than threat attribution or exploitation.

The official detection field is not provided, and the object only lists iOS as the platform. There is no supplied relationship context or tactic mapping. Practical detection and response capability depends on local device management enrollment, privacy constraints, logging availability, and whether users report the notification with enough detail to support triage.

Official MITRE ATT&CK definition

Analytic 1799

If the user sees a notification with text they do not recognize, they should review their list of installed applications.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not recorded in this snapshot)
Modified: (not recorded in this snapshot)
Raw hash: 0b28c93e0eb9937b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 0b28c93e0eb9…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1799 (source record URL on attack.mitre.org)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.