DET0609: Detection of Match Legitimate Name or Location
Analyst context for executives and security teams
This detection strategy matters because mobile adversaries may hide malicious apps or files by making them look like trusted resources, such as using familiar names, icons, package names, or locations. For leaders, the business issue is not the naming trick itself; it is whether mobile security, SOC triage, and incident response can distinguish trusted applications from lookalikes before users, analysts, or automated controls assume they are safe.
Executive priority
Prioritize this as a mobile application trust and visibility problem. Security leaders should ask whether Android and iOS inventories can prove which apps, package identifiers, icons, file locations, and publishers are legitimate, and whether exceptions are reviewed. This supports incident decision-making, compliance evidence for mobile device governance, and risk reduction where mobile access is tied to corporate identity, email, messaging, or sensitive business workflows.
Technical view
The supplied ATT&CK object is a detection strategy for T1655.001, Match Legitimate Name or Location, in the mobile domain. Because no official detection text or platforms are specified for DET0609 itself, validation should be driven by the related technique context: Android and iOS artifacts that imitate legitimate names, package names, icons, or locations. SOC and detection teams should test whether mobile management, endpoint/mobile threat defense, app inventory, and device telemetry can identify lookalike apps or resources and correlate them with known-good baselines.
Likely telemetry
- Mobile device application inventory
- Application name, icon, package identifier, bundle identifier, and publisher/developer metadata
- Mobile device management or enterprise mobility management compliance records
- Mobile threat defense or endpoint alerts for suspicious mobile applications
- File or resource path/location metadata where available
Detection direction
- Validate detection logic against lookalike names, icons, package names, bundle identifiers, and suspicious app placement rather than relying on display name alone.
- Compare installed mobile apps and resources against an approved baseline of trusted applications and expected identifiers.
- Tune for false positives from legitimate regional variants, beta apps, rebranded apps, sideloaded internal apps, or vendor package changes.
- Confirm whether Android and iOS telemetry is equally available; ATT&CK relates the technique to both platforms, but DET0609 does not provide platform-specific detection guidance.
- Correlate mobile app anomalies with user, device, and identity context to prioritize cases involving privileged users or access to sensitive business services.
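The baseline comparison described above, as an added example that is not part of the ATT&CK object or the Glexia page: it reviews a constructed MDM inventory export against a constructed approved catalog and flags apps whose package identifier is a near miss of an approved one, whose display name imitates an approved app under a different identifier, or whose approved identifier is paired with an unexpected publisher or distribution source. Thresholds, field names and confusable pairs are assumptions.

```python
# Added example: baseline comparison for a mobile app inventory (constructed data).
from difflib import SequenceMatcher

# Approved catalog (constructed): identifier -> (expected name, publisher, source).
APPROVED = {
    "com.example.corpmail": ("Corp Mail", "Example Corp", "managed-store"),
    "com.example.chat": ("Corp Chat", "Example Corp", "managed-store"),
}

# Constructed MDM inventory export: one record per installed app per device.
INVENTORY = [
    {"device": "dev-01", "name": "Corp Mail", "pkg": "com.example.corpmail",
     "publisher": "Example Corp", "source": "managed-store"},
    {"device": "dev-02", "name": "Corp Mail", "pkg": "com.exarnple.corpmail",
     "publisher": "Unknown Dev", "source": "sideload"},
    {"device": "dev-03", "name": "Corp Chat", "pkg": "com.example.chat",
     "publisher": "Other Publisher", "source": "sideload"},
    {"device": "dev-04", "name": "Mail", "pkg": "com.example.corp-mail",
     "publisher": "Unknown Dev", "source": "sideload"},
    {"device": "dev-05", "name": "Weather", "pkg": "org.weather.app",
     "publisher": "Weather Inc", "source": "public-store"},
]

def normalize(s):
    """Fold case, spacing and common confusable sequences (rn/m, vv/w, 1/l, 0/o)."""
    s = s.lower().replace(" ", "")
    for bad, good in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
        s = s.replace(bad, good)
    return s

def classify(app, approved=APPROVED):
    """Return 'approved', 'unapproved', or the reason the app looks like a lookalike."""
    pkg = app["pkg"]
    if pkg in approved:  # exact identifier: verify the rest of the metadata still matches
        _, pub, src = approved[pkg]
        issues = [m for cond, m in ((app["publisher"] != pub, "publisher mismatch"),
                                    (app["source"] != src, "unexpected source")) if cond]
        return "approved" if not issues else "approved identifier, " + ", ".join(issues)
    npkg = normalize(pkg)
    for apkg, (aname, _, _) in approved.items():
        if SequenceMatcher(None, npkg, normalize(apkg)).ratio() >= 0.9:  # assumed threshold
            return f"lookalike package identifier of {apkg}"
        if normalize(app["name"]) == normalize(aname):
            return f"display name imitates {apkg}"
    return "unapproved"

def review(inventory, approved=APPROVED):
    """Everything that is not a clean match, for analyst triage."""
    return [(a["device"], a["pkg"], classify(a, approved))
            for a in inventory if classify(a, approved) != "approved"]
```

Legitimate regional, beta or rebranded variants will also land in the review list, which is where the allowlist exceptions mentioned above should be recorded rather than suppressed in the matcher.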
Mitigation priorities
- Maintain an authoritative mobile app allowlist or approved catalog with expected names, package or bundle identifiers, publishers, and distribution sources.
- Use mobile device management controls to restrict or review unapproved app installation where appropriate.
- Require documented review for apps that mimic trusted names, icons, or locations but do not match approved identifiers.
- Ensure SOC playbooks include mobile app identity verification steps during triage.
- Retain mobile inventory and compliance evidence to support audit, incident response, and post-incident scoping.
Analyst notes and limits
The object is sparse: DET0609 has no official description, no official detection text, and no explicit platforms or tactics. The practical interpretation comes from its relationship to T1655.001, which describes adversaries matching or approximating legitimate mobile names, icons, package names, or locations to evade observation.
This take does not assert active exploitation, actor attribution, prevalence, impact, or guaranteed detection. Local mobile management architecture, app inventory quality, and Android/iOS telemetry availability will determine real coverage.
Detection of Match Legitimate Name or Location
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | This object detects Match Legitimate Name or Location. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 57ce6953607f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0609 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.