Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0599: Detection of SMS Control

DET0599 is a mobile ATT&CK detection strategy for SMS Control, a behavior where a malicious Android app may send, alter, or delete SMS messages without the...

MobileDET0599Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0599 is a mobile ATT&CK detection strategy for SMS Control, a behavior where a malicious Android app may send, alter, or delete SMS messages without the user’s authorization. For security leaders, the practical concern is that SMS is often tied to identity workflows, customer communications, fraud controls, and mobile device trust. Even though MITRE does not provide detection details for this strategy, the related technique highlights permissions and default SMS-handler behavior that defenders can use to assess whether mobile telemetry is sufficient.

Executive priority

Prioritize this as a mobile security and identity-risk validation item, especially where Android devices are used for business access, SMS-based authentication, customer messaging, or operational communications. Leaders should ask whether the organization can identify apps requesting SMS permissions, detect changes to default SMS handlers, and preserve enough mobile evidence for incident response. The main decision value is not a single alert, but confirming whether mobile management, app review, and SOC processes can surface unauthorized SMS access before it affects trust, fraud response, or business continuity.

Technical view

The detection strategy has no official MITRE detection text and no platform listed on the strategy object itself. The related ATT&CK technique, SMS Control, is in the mobile domain and lists Android as the related platform. SOC, mobile security, and IR teams should therefore validate Android-focused evidence around apps requesting RECEIVE_SMS or SEND_SMS permissions, apps becoming the default SMS handler, and activity involving SMS delivery or SMS content-provider access where such telemetry is available. Detection engineering should treat this as a coverage-assessment use case rather than a fully specified analytic from MITRE.

Likely telemetry

  • Mobile device management or enterprise mobility inventory showing installed Android apps and granted permissions
  • Android application manifest or app-risk analysis data identifying RECEIVE_SMS and SEND_SMS permission requests
  • Device state or policy telemetry showing which app is configured as the default SMS handler
  • Mobile security logs or alerts for suspicious SMS-related permission use or app behavior
  • Incident response collection from affected Android devices, including installed apps, permission grants, and SMS-handler configuration where legally and operationally appropriate

Detection direction

  • Validate that mobile inventory can identify apps requesting SMS-related permissions, especially RECEIVE_SMS and SEND_SMS.
  • Confirm whether the SOC can see or investigate changes to the default SMS handler on Android devices.
  • Tune reviews to account for legitimate SMS apps and business-approved messaging tools to reduce false positives.
  • Prioritize correlation with app provenance, installation timing, permission changes, and user reports of missing, altered, or unexpected SMS messages.
  • Document the blind spot if endpoint or mobile management tooling cannot collect Android SMS permission, default-handler, or app configuration evidence.

Mitigation priorities

  • Maintain an approved-app and mobile policy baseline for Android devices that restricts unnecessary SMS permissions where supported by management controls.
  • Review mobile app onboarding and risk assessment processes for SMS permission use before allowing apps on managed devices.
  • Ensure incident response playbooks include collection of installed apps, permission grants, and default SMS-handler state for suspected mobile compromise.
  • Reduce reliance on SMS for sensitive authentication or recovery workflows where stronger alternatives are available and appropriate.
  • Use compliance and audit evidence to show that mobile permissions and high-risk app capabilities are reviewed, not just that devices are enrolled.
Analyst notes and limits

This take is intentionally conservative because the ATT&CK detection strategy object provides no official description or detection guidance. The relationship to technique T1582, SMS Control, supplies the core context: Android SMS permissions, possible default SMS-handler registration, and unauthorized SMS send, alteration, or deletion behavior. Local device-management capabilities will determine whether this can be monitored directly or only assessed through app review and IR collection.

Platforms and tactics are not specified on the detection strategy object. Detection logic, data sources, analytic thresholds, and known false-positive patterns are not supplied by MITRE for DET0599. Any organization-specific conclusion about exposure or detection coverage requires local Android fleet inventory, mobile security telemetry, and policy evidence.

Official MITRE ATT&CK definition

Detection of SMS Control

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1582 SMS Control This object detects SMS Control.
Relationship explorer

All related ATT&CK context

detects · Technique T1582: SMS Control Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f50b37c6c7f6f1ea...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f50b37c6c7f6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0599
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use