MITRE ATT&CK® Detection Strategy

DET0606: Detection of Virtualization Solution


Domain: Mobile | ID: DET0606 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0606 is a mobile ATT&CK detection strategy for identifying use of Android virtualization solutions associated with technique T1670, Virtualization Solution. The business issue is that virtualization can change the assumptions behind mobile app isolation, monitoring, and sandbox-based controls. For security leaders, this is a prompt to verify whether mobile telemetry and app-risk processes can recognize when Android workloads or apps are running in virtualized environments that may reduce visibility or complicate incident analysis.

Executive priority

Treat this as a mobile security visibility and assurance question rather than a standalone alert. Leaders should ask whether Android device, application, and incident response programs can distinguish expected virtualization use from suspicious use, and whether evidence is sufficient for investigations, compliance reporting, and risk decisions. Priority is highest where Android devices support sensitive operations, regulated data access, privileged workflows, or cyber-physical processes.

Technical view

The supplied ATT&CK object carries no official detection text, platforms, or tactics, but it is mapped to mobile technique T1670, which ATT&CK describes for Android. SOC and detection teams should validate whether their mobile security stack records indicators of virtualization framework use, app execution context, device posture, sandbox boundary anomalies, and application behavior that differs between physical and virtualized execution. IR teams should ensure mobile triage playbooks preserve device state and app context so virtualization-related artifacts are not missed or overwritten.

Likely telemetry

  • Mobile device management or enterprise mobility management device posture records
  • Mobile threat defense alerts and device/app risk signals
  • Android application inventory and package metadata
  • Application runtime context and integrity signals where available
  • Device OS, build, and feature capability information relevant to Android virtualization

Detection direction

  • Confirm whether existing mobile controls can observe virtualization-related state on Android rather than assuming standard sandbox visibility is sufficient.
  • Separate approved enterprise, developer, testing, or accessibility-related virtualization use from unexpected use on production devices.
  • Correlate virtualization indicators with sensitive app access, anomalous app behavior, policy violations, or device posture changes to reduce false positives.
  • Review blind spots on unmanaged/BYOD Android devices, privacy-restricted telemetry, and apps that do not expose runtime integrity signals.
  • Because ATT&CK provides no official detection logic for DET0606, require local validation before using this as a coverage claim.

Mitigation priorities

  • Inventory Android use cases where virtualization could materially affect data protection or monitoring assumptions.
  • Define policy for acceptable virtualization use on managed devices and sensitive business workflows.
  • Prioritize mobile device posture, app inventory, and mobile threat defense coverage for Android environments with access to critical data or operations.
  • Update incident response procedures to check for virtualization context during Android investigations.
  • Use the detection strategy as compliance and risk evidence only when supported by demonstrable telemetry, documented policy, and tested response procedures.

Analyst notes and limits

This Glexia take is based on the detection strategy metadata and its relationship to ATT&CK mobile technique T1670, Virtualization Solution. The source object itself contains no official description or detection guidance, so the practical guidance is framed around validation questions and telemetry classes rather than specific analytic logic.

ATT&CK does not specify platforms, tactics, detection logic, or implementation details for DET0606 in the supplied fields. The related technique supports Android context, but local device management model, app architecture, privacy constraints, and available mobile telemetry determine what can actually be detected.

Official MITRE ATT&CK definition

Detection of Virtualization Solution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name                    | Relationship / procedure
Mobile | T1670 | Virtualization Solution | This object detects Virtualization Solution.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c89099b331edbeab...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | c89099b331ed…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0606 (source URL on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.