AN1845: Analytic 1845
The OS may show a notification to the user that the Signal or WhatsApp account has been linked to a new device.
Analyst context for executives and security teams
This analytic points to a user-visible Android signal: the operating system may notify the user when a Signal or WhatsApp account is linked to a new device. For leaders, the value is not a guaranteed detection but a reminder that messaging-account linking events can become an incident decision point, especially where mobile messaging is used for executive, operational, or sensitive communications.
Executive priority
Treat this as a mobile identity and incident-readiness question: can the organization recognize and respond when a business-relevant messaging account is linked to an unexpected device? Priority should focus on user reporting paths, mobile support triage, and evidence capture rather than assuming the SOC already receives this signal. This may support audit and resilience discussions where mobile communications are part of business continuity or sensitive workflows.
Technical view
The supplied ATT&CK object is a mobile detection analytic for Android with no tactic mapping, no detection logic, and no relationship context. SOC and IR teams should validate whether Android notifications related to Signal or WhatsApp new-device linking are visible only to the user or can be captured through approved mobile management, mobile threat defense, helpdesk, or user-reporting channels. Any triage should distinguish expected device migration or account setup from unexpected linking activity.
Likely telemetry
- Android OS notifications shown to the user for Signal or WhatsApp account linking
- User reports or helpdesk tickets about unexpected new-device linking notifications
- Mobile device management or mobile security logs, if they capture relevant notification or app security events
- Incident response notes, screenshots, or timestamps provided by the affected user
- Account or application security records available from the messaging application, where accessible
Detection direction
- Do not assume centralized visibility; first confirm whether this Android notification is collected anywhere beyond the user’s screen.
- Create a triage path for user-reported Signal or WhatsApp new-device linking notifications, including timestamp, device owner, expected device changes, and business relevance of the account.
- Tune handling for common benign cases such as legitimate phone replacement, device migration, or user-initiated account linking.
- Correlate with available mobile-management, identity, and helpdesk context rather than treating the notification alone as proof of compromise.
- Document blind spots where personal or unmanaged Android devices are used for business communications and notification evidence may be unavailable.
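The triage path described in the list above, sketched as an added example (not part of the ATT&CK object or of Glexia's own tooling). The record fields, the three-day correlation window, and the disposition names are assumptions chosen for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed window for matching a helpdesk device-change record to a report.
CHANGE_WINDOW = timedelta(days=3)

@dataclass
class LinkReport:                # one user-reported linking notification
    user: str
    app: str                     # "Signal" or "WhatsApp"
    seen_at: datetime            # when the user saw the notification
    user_initiated: bool         # user says they linked the device themselves
    managed_device: bool         # device is enrolled in mobile management
    business_relevant: bool      # account carries business or sensitive traffic

@dataclass
class DeviceChange:              # hypothetical helpdesk record: replacement or migration
    user: str
    changed_at: datetime

def triage(report, changes):
    """Return (disposition, notes) for a single report."""
    notes = []
    matched = any(c.user == report.user and
                  abs(c.changed_at - report.seen_at) <= CHANGE_WINDOW
                  for c in changes)
    if not report.managed_device:
        notes.append("blind spot: unmanaged device, rely on user-provided evidence")
    if report.user_initiated or matched:
        notes.append("expected device change or user-initiated linking")
        return "expected", notes
    # The notification alone is not treated as proof of compromise.
    notes.append("no matching device change; needs corroboration")
    disposition = "escalate_to_ir" if report.business_relevant else "helpdesk_review"
    return disposition, notes

# Constructed sample data.
CHANGES = [DeviceChange("alice", datetime(2026, 1, 10, 9, 0))]
REPORTS = [
    LinkReport("alice", "WhatsApp", datetime(2026, 1, 11, 14, 30), False, True, True),
    LinkReport("bob", "Signal", datetime(2026, 1, 11, 8, 5), False, False, True),
    LinkReport("carol", "WhatsApp", datetime(2026, 1, 12, 19, 45), False, True, False),
]

if __name__ == "__main__":
    for r in REPORTS:
        print(r.user, r.app, *triage(r, CHANGES))
```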
Mitigation priorities
- Establish clear user guidance for reporting unexpected Signal or WhatsApp new-device linking notifications.
- Maintain an incident response playbook for mobile messaging account concerns, including evidence preservation and account review steps.
- Where business use is permitted, define mobile communication governance for managed versus unmanaged Android devices.
- Validate mobile security and management tooling capabilities before relying on this analytic for SOC detection.
- Use policy and training to reduce ambiguity around legitimate device linking, phone replacement, and account recovery events.
Analyst notes and limits
This Glexia take is based only on the official ATT&CK analytic description: Android may show a notification when a Signal or WhatsApp account has been linked to a new device. The object provides no official detection logic, no tactics, no relationships, and no claims about adversary use. Its main defensive value is prompting validation of whether this user-visible mobile signal can be reported, collected, triaged, and documented.
Coverage depends heavily on local Android device management, app usage policy, user reporting behavior, and whether the organization can lawfully and technically collect relevant mobile evidence. The ATT&CK object does not specify detection logic, data sources, severity, attacker procedure, or confirmed telemetry availability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fb4d65483070… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1845
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.