MITRE ATT&CK® Analytic

AN1806: Analytic 1806

Correlates (1) application acquisition or use of elevated control paths capable of altering defensive tooling or protected system state, such as device administration, root-enabled modification, or security-setting manipulation, (2) direct changes to security-tool configuration, service state, package state, or protected enforcement settings such as SELinux-relevant files or security-app components, and (3) immediate degradation, suppression, or disappearance of expected security telemetry while the device and initiating application remain active. The defender observes a causal chain where a security control is modified first, then monitoring or protection weakens, and subsequent activity continues under reduced defensive visibility.

Domain: Mobile | ID: AN1806 | Type: Analytic object | Version: 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1806 is an Android mobile detection analytic focused on a high-risk defensive blind spot: an app or process gains elevated control, changes security controls or protected settings, and then expected security telemetry weakens or disappears while the device remains active. For leaders, the practical issue is not just malware behavior; it is whether mobile security monitoring can prove when a control was weakened before suspicious follow-on activity occurred.

Executive priority

Prioritize this analytic where Android devices support business operations, privileged access, regulated workflows, or incident response evidence. The decision value is confirming whether the organization can detect tampering with mobile security controls and preserve enough telemetry to make containment, audit, and user-risk decisions when visibility is intentionally degraded.

Technical view

SOC and mobile security teams should validate whether Android telemetry can correlate three events in sequence: elevated control path acquisition or use, changes to security-tool configuration/service/package/protected enforcement state, and near-term degradation or loss of expected security telemetry while the device and initiating application remain active. Because no ATT&CK tactic, relationship context, or official detection logic is supplied, teams should treat AN1806 as a correlation objective rather than a complete rule.

Likely telemetry

  • Android application/package state changes
  • Device administration or elevated control path events
  • Root-enabled modification indicators where available
  • Security setting and security-app configuration changes
  • Security service enable/disable or component state changes

Detection direction

  • Validate causal sequencing: control modification should precede telemetry degradation, not merely occur near it.
  • Baseline expected security telemetry per Android device class so disappearance, suppression, or degradation is measurable.
  • Tune for legitimate administrative actions, MDM changes, app updates, and approved security-tool maintenance to reduce false positives.
  • Alert more strongly when the initiating application remains active and subsequent device activity continues under reduced visibility.
  • Identify blind spots where mobile logs do not capture protected setting changes, security-app component state, root-enabled modifications, or telemetry health signals.
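As an added illustration of the sequencing, baselining and tuning points above, here is a small correlator that runs the three-stage chain over constructed, Android-style event records. It is example code written for this page, not MITRE's analytic logic and not any MDM or mobile-EDR product's rule; the event kinds, the package names (com.example.dropper, com.example.mobilesec), the time windows and the heartbeat tolerance are all assumptions. It learns a per-device heartbeat baseline from the heartbeats seen before the control change, counts telemetry as degraded only once a heartbeat is overdue by more than three baseline intervals while the device is still emitting other events, rejects chains where the degradation precedes the change, suppresses changes that fall inside an approved maintenance window, and requires the initiating package to stay active after visibility dropped.

```python
"""Added example: a minimal AN1806-style sequence correlator over constructed events.

The event schema, package names and thresholds are assumptions for illustration;
they are not an Android, MDM or mobile-EDR product format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Stage 1: acquisition/use of an elevated control path (hypothetical event kinds).
ELEVATED = {"device_admin_granted", "root_modification", "security_setting_manipulated"}
# Stage 2: direct change to security-tool config, service, package or enforcement state.
CONTROL_CHANGE = {"security_tool_config_changed", "security_service_stopped",
                  "security_package_state_changed", "selinux_file_modified"}


@dataclass
class Alert:
    device: str
    pkg: str          # initiating application
    elevated_ts: int
    change_ts: int
    degraded_ts: int  # moment the next expected heartbeat became overdue


def first_degradation(dev_events, after_ts, tolerance=3):
    """When did security-app telemetry first degrade on this device (None if it did not)?

    Baseline = median heartbeat interval learned from heartbeats up to after_ts
    (pre-change behaviour). Telemetry counts as degraded once a heartbeat is overdue
    by more than tolerance x baseline while the device still produces other events.
    """
    hb = sorted(e["ts"] for e in dev_events if e["kind"] == "telemetry_heartbeat")
    before = [t for t in hb if t <= after_ts]
    gaps = sorted(b - a for a, b in zip(before, before[1:]))
    if len(gaps) < 2:
        return None  # too little history to baseline: a visibility gap to fix, not an alert
    base = gaps[len(gaps) // 2]
    last_seen = max(e["ts"] for e in dev_events)  # any event at all: device still active
    timeline = [t for t in hb if t >= before[-1]] + [last_seen]
    for a, b in zip(timeline, timeline[1:]):
        if b - a > tolerance * base:
            return a + tolerance * base
    return None


def correlate(events, approved_windows=(), w_elev=3600, w_change=1800):
    """Emit one Alert per (elevated -> control change -> telemetry loss) chain."""
    by_dev = defaultdict(list)
    for e in events:
        by_dev[e["device"]].append(e)
    alerts = []
    for device, evs in by_dev.items():
        evs.sort(key=lambda e: e["ts"])
        for elev in [e for e in evs if e["kind"] in ELEVATED]:
            for chg in [e for e in evs if e["kind"] in CONTROL_CHANGE
                        and e["pkg"] == elev["pkg"]
                        and elev["ts"] <= e["ts"] <= elev["ts"] + w_elev]:
                if any(d == device and s <= chg["ts"] <= t for d, s, t in approved_windows):
                    continue  # approved MDM / maintenance change: tuned out
                deg = first_degradation(evs, chg["ts"])
                # Causal order: degradation must follow the change, within w_change.
                if deg is None or deg <= chg["ts"] or deg > chg["ts"] + w_change:
                    continue
                # Initiating app must still be active after visibility dropped.
                if any(e["pkg"] == chg["pkg"] and e["ts"] > deg for e in evs):
                    alerts.append(Alert(device, chg["pkg"], elev["ts"], chg["ts"], deg))
    return alerts


def ev(device, ts, kind, pkg):
    return {"device": device, "ts": ts, "kind": kind, "pkg": pkg}


SEC_APP, DROPPER = "com.example.mobilesec", "com.example.dropper"  # hypothetical names


def heartbeats(device, until, every=60):
    return [ev(device, t, "telemetry_heartbeat", SEC_APP) for t in range(0, until + 1, every)]


def tamper_chain(device):
    return [ev(device, 930, "device_admin_granted", DROPPER),
            ev(device, 950, "security_package_state_changed", DROPPER),
            ev(device, 1400, "app_network_connection", DROPPER)]


# Constructed sample telemetry (not real device logs):
#  dev-A: heartbeats stop after the change            -> alert
#  dev-B: heartbeats stopped long before the change   -> no alert (wrong order)
#  dev-C: same as dev-A but inside an approved window -> no alert (tuned out)
#  dev-D: heartbeats continue normally after change   -> no alert (no degradation)
SAMPLE_EVENTS = (heartbeats("dev-A", 900) + tamper_chain("dev-A")
                 + heartbeats("dev-B", 300)
                 + [ev("dev-B", 2000, "device_admin_granted", DROPPER),
                    ev("dev-B", 2010, "security_service_stopped", DROPPER),
                    ev("dev-B", 2500, "app_network_connection", DROPPER)]
                 + heartbeats("dev-C", 900) + tamper_chain("dev-C")
                 + heartbeats("dev-D", 1500) + tamper_chain("dev-D"))
APPROVED_WINDOWS = [("dev-C", 900, 1000)]  # e.g. an MDM change ticket for that device


def run_sample():
    return correlate(SAMPLE_EVENTS, APPROVED_WINDOWS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only dev-A produces an alert: the security-app heartbeat goes silent after the package-state change while the initiating package keeps generating events. dev-B is rejected because the heartbeat gap opened before the change (proximity without order), dev-C is tuned out by the approved window, and dev-D never degrades. In production the baseline would come from a longer history per device class rather than the handful of pre-change heartbeats used here, and a device with too little history to baseline should be routed to the blind-spot review in the last bullet above rather than silently skipped.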

Mitigation priorities

  • Ensure Android device management policies restrict unauthorized device administration, security-setting manipulation, and security-tool tampering where supported.
  • Protect mobile security tooling from disablement or package/component manipulation using available enterprise controls.
  • Monitor telemetry health and heartbeat loss as security-relevant events, not only as operational outages.
  • Define incident response playbooks for Android devices where security telemetry disappears after control changes, including containment and evidence preservation decisions.
  • Use this analytic to support compliance evidence that mobile defensive controls are monitored for tampering, subject to local telemetry availability.

Analyst notes and limits

This object is a detection analytic in the mobile ATT&CK domain for Android. The strongest available signal is relationship-free behavioral sequencing: elevated control or protected-state modification followed by degradation of security telemetry. Local implementation depends heavily on MDM, mobile EDR, Android logging, and security-app telemetry health data.

The supplied ATT&CK fields do not include tactics, an official detection query, related techniques, procedure examples, mitigations, or attribution. This take therefore avoids claims about active exploitation, specific adversaries, guaranteed coverage, or non-Android platforms. Environment-specific logging must be verified before operationalizing the analytic.

Official MITRE ATT&CK definition

Analytic 1806

Correlates (1) application acquisition or use of elevated control paths capable of altering defensive tooling or protected system state, such as device administration, root-enabled modification, or security-setting manipulation, (2) direct changes to security-tool configuration, service state, package state, or protected enforcement settings such as SELinux-relevant files or security-app components, and (3) immediate degradation, suppression, or disappearance of expected security telemetry while the device and initiating application remain active. The defender observes a causal chain where a security control is modified first, then monitoring or protection weakens, and subsequent activity continues under reduced defensive visibility.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 706c425d3b399584...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 706c425d3b39…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1806

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.