MITRE ATT&CK® Analytic

AN1842: Analytic 1842

Correlates (1) suppression or disablement of launcher-visible application components or effective reduction of user-facing launcher presence, (2) persistence of installed application state after icon suppression, and (3) continued runtime activity such as background execution, framework use, sensor access, or network communication after the icon becomes unavailable or is replaced by reduced-discoverability launcher behavior. The defender observes a causal chain where an app removes or reduces its launcher visibility while remaining operational and continuing meaningful activity.

Domain: Mobile | ID: AN1842 | Type: Analytic | Object v1.1 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because it focuses on Android apps that become less visible to the user while continuing to run. For leaders, the practical issue is not the icon change itself; it is whether mobile security, SOC, and incident response processes can prove that an installed app remains active after reducing its launcher presence. That visibility is important for mobile workforce trust, investigation quality, and evidence that managed devices are being monitored beyond what users can see on the screen.

Executive priority

Prioritize this as a mobile security visibility and response-readiness question. Executives should ask whether Android fleet monitoring can identify apps that hide or reduce launcher discoverability while continuing background execution, sensor access, framework use, or network communication. This supports decisions about mobile device management coverage, bring-your-own-device risk boundaries, compliance evidence for endpoint oversight, and incident triage when a user reports that an app has “disappeared” but device activity continues.

Technical view

For Android environments, validate whether telemetry can correlate three conditions over time: launcher-visible components are suppressed or disabled, the installed application state persists, and the same app continues meaningful runtime activity. Because the supplied ATT&CK object provides no official detection logic and no relationship context, detection engineering should treat AN1842 as a behavioral correlation requirement rather than a finished rule. SOC and IR teams should test whether they can pivot from launcher visibility changes to package installation state, process/background activity, sensor or framework usage, and network activity for the same application identity.

Likely telemetry

  • Android application/package inventory and install state
  • Launcher component visibility or component enablement/disablement state
  • Mobile device management or enterprise mobility management application inventory records
  • Background execution or runtime activity indicators
  • Application network communication metadata

Detection direction

  • Validate correlation by application identity across launcher visibility, install state, and runtime activity rather than alerting only on icon disappearance.
  • Tune for expected administrative or user-driven launcher changes to reduce false positives.
  • Confirm whether mobile telemetry records component disablement or reduced launcher discoverability; many environments may only collect coarse app inventory.
  • Look for continued activity after the icon becomes unavailable or less discoverable, such as background execution, network communication, sensor access, or framework use.
  • Document gaps where Android privacy boundaries, unmanaged devices, or limited MDM/EMM logging prevent causal-chain reconstruction.
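As an added illustration of the correlation the Technical view and Detection direction describe (example code written for this page, not part of the MITRE object or of Glexia's tooling): a small Python rule that joins the three conditions by package identity over constructed telemetry. The event kinds, field names and the `allowlist` tuning hook are assumptions, not a real MDM/EMM schema.

```python
from __future__ import annotations
from dataclasses import dataclass

# Event kinds the correlation needs. Kind and field names are assumptions for this
# example, not a real MDM/EMM schema; map your own telemetry onto them.
LAUNCHER_HIDE = {"launcher_component_disabled", "launcher_presence_reduced"}
RUNTIME = {"background_execution", "network_communication", "sensor_access", "framework_use"}

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values below)
    package: str   # application identity used to join the three conditions
    kind: str

def hidden_but_active(events: list[Event], window_s: int = 3600,
                      allowlist: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Return {package: sorted runtime kinds} for apps that (1) reduced launcher
    visibility, (2) stayed installed afterwards and (3) kept running within window_s."""
    by_pkg: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_pkg.setdefault(e.package, []).append(e)
    hits: dict[str, list[str]] = {}
    for pkg, evs in by_pkg.items():
        if pkg in allowlist:          # tuned-out administrative or user-driven changes
            continue
        hide_ts = [e.ts for e in evs if e.kind in LAUNCHER_HIDE]
        if not hide_ts:
            continue                  # condition (1) never observed for this package
        t0 = hide_ts[0]
        if any(e.kind == "package_uninstalled" and e.ts >= t0 for e in evs):
            continue                  # condition (2) broken: the app did not persist
        # Condition (3): activity must follow the hide event, not merely precede it.
        after = {e.kind for e in evs if e.kind in RUNTIME and t0 < e.ts <= t0 + window_s}
        if after:
            hits[pkg] = sorted(after)
    return hits

# Constructed sample telemetry covering the full chain and the cases that must not fire.
SAMPLE = [
    Event(100, "com.example.hider", "package_installed"),
    Event(200, "com.example.hider", "launcher_component_disabled"),
    Event(260, "com.example.hider", "network_communication"),
    Event(300, "com.example.hider", "sensor_access"),
    Event(200, "com.example.removed", "launcher_component_disabled"),
    Event(210, "com.example.removed", "package_uninstalled"),       # icon gone, app gone too
    Event(150, "com.example.quiet", "network_communication"),       # activity only before hiding
    Event(200, "com.example.quiet", "launcher_presence_reduced"),
    Event(200, "com.example.kiosk", "launcher_component_disabled"), # expected admin change
    Event(250, "com.example.kiosk", "background_execution"),
]
```

Only `com.example.hider` satisfies all three conditions once the kiosk package is allowlisted; shrinking `window_s` shows how the time bound trades recall for noise.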

Mitigation priorities

  • Establish baseline mobile inventory and launcher-visible application state for managed Android devices.
  • Ensure mobile management controls can retain visibility into installed apps even when user-facing launcher presence changes.
  • Define IR playbooks for investigating apps that remain installed and active after apparent icon removal or reduction.
  • Apply least-privilege mobile policy for sensitive permissions such as sensors and background activity where enterprise controls allow.
  • Use compliance and audit evidence to show that mobile application state and activity monitoring does not depend solely on user-visible icons.

Analyst notes and limits

AN1842 is a detection analytic in the mobile ATT&CK domain for Android. Its value is in the causal chain: reduced launcher visibility plus persistent installation plus continued activity. There are no supplied tactics, related techniques, groups, malware, mitigations, or official detection text, so this take intentionally focuses on validation questions and telemetry requirements rather than asserting a specific rule or threat scenario.

The supplied object does not include official detection logic, relationships, tactics, or examples. Local Android management architecture, device ownership model, privacy constraints, and available MDM/EMM/endpoint telemetry will determine whether this analytic is feasible and how noisy it may be.

Official MITRE ATT&CK definition


The official definition is the analytic description quoted at the top of this page. View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 86c84f94702b1bd3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 86c84f94702b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1842 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.