DET0625: Detection of System Checks
Analyst context for executives and security teams
DET0625 is a mobile ATT&CK detection strategy for behavior related to System Checks, where malware may look for signs that it is running in a sandbox, emulator, virtualized device, or analysis environment and then hide or change behavior. The business significance is that mobile malware may appear benign during testing or automated analysis, causing leaders to overestimate detection coverage and underestimate incident scope.
Executive priority
Treat this as a validation issue for mobile security and incident response readiness: can your teams recognize when an app or implant is checking its environment before deciding whether to reveal payloads or core functions? This matters for confidence in malware triage, managed detection outcomes, audit evidence around mobile threat monitoring, and decisions about whether a suspicious mobile artifact has been fully analyzed or only partially observed.
Technical view
The supplied ATT&CK object has no official detection text or platform field, but its relationship to T1633.001 ties it to Android and iOS System Checks. SOC, detection engineering, and IR teams should validate whether mobile analysis workflows can surface attempts to identify emulators, sandboxes, virtualization artifacts, analysis tooling, or conditions that cause the sample to disengage or delay additional payload delivery. Coverage should be assessed across both static review and dynamic/mobile sandbox execution where those capabilities exist.
Likely telemetry
- Mobile application static analysis results showing environment, device, emulator, sandbox, or analysis-artifact checks
- Dynamic mobile sandbox or emulator execution logs
- Mobile EDR or mobile threat defense (MTD) behavioral telemetry, where deployed
- Device and application runtime logs from Android or iOS test/analysis environments
- Network activity during mobile app detonation or controlled execution
Detection direction
- Validate that mobile malware analysis does not rely only on a single sandbox or emulator run, because the related technique explicitly concerns behavior changes in virtualized or analysis environments.
- Look for discrepancies between static indicators of system-check logic and dynamic behavior that appears benign or inactive.
- Tune analysis processes to flag environment-detection logic as suspicious context, even when no secondary payload is observed during execution.
- Use relationship context from T1633.001 to focus validation on Android and iOS mobile analysis coverage, not enterprise endpoint assumptions.
- Account for false positives: legitimate apps may inspect device model, OS version, hardware capability, or runtime environment for compatibility, so detection should consider suspicious combinations and follow-on behavior rather than single checks alone.
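The static-versus-dynamic correlation described above, written out as a small Python triage helper. This is an added example, not code from the ATT&CK object, from MITRE, or from this page's original content. The indicator catalogue, the decompiled fragments and the "t=.. event=.. key=value" sandbox log format are all constructed for illustration; in a real workflow the static hits would come from your decompiler's strings or smali output and the dynamic events from your sandbox's own schema. The point it demonstrates is the verdict logic: a quiet run combined with system-check logic is classified as inconclusive rather than benign, and a single check on its own is routed to review rather than flagged outright.

```python
"""Correlate static system-check indicators with a quiet dynamic run (added example)."""
import re
from dataclasses import dataclass

# Constructed indicator catalogue: common Android emulator / sandbox / instrumentation
# artifacts that evasive apps probe for. Illustrative, not ATT&CK's list, not exhaustive.
# Plain compatibility reads (Build.MODEL, SDK_INT) are deliberately NOT indicators.
INDICATORS = {
    "emulator_build": [r"goldfish", r"ranchu", r"generic_x86", r"sdk_gphone",
                       r"android sdk built for", r"vbox86", r"genymotion"],
    "emulator_fs": [r"/dev/socket/qemud", r"/dev/qemu_pipe", r"ro\.kernel\.qemu",
                    r"qemu-props", r"libc_malloc_debug_qemu"],
    "emulator_telephony": [r"15555215554", r"310260000000000"],
    "analysis_tooling": [r"frida", r"xposed", r"isDebuggerConnected", r"TracerPid",
                         r"/data/local/tmp/"],
}
_COMPILED = {cat: re.compile("|".join(pats), re.IGNORECASE)
             for cat, pats in INDICATORS.items()}
EARLY_EXIT_SECONDS = 5.0  # assumption: exiting this fast after an env probe is suspicious


def scan_static(decompiled: str) -> dict:
    """Map indicator category -> sorted matched strings found in decompiled code/strings."""
    hits = {}
    for cat, rx in _COMPILED.items():
        found = sorted({m.group(0).lower() for m in rx.finditer(decompiled)})
        if found:
            hits[cat] = found
    return hits


@dataclass
class DynamicSummary:
    probed_env: bool = False        # touched a sysprop/file/telephony field from the catalogue
    network_egress: bool = False    # any outbound connection attempt
    payload_activity: bool = False  # loaded extra code (dex / native library)
    early_exit: bool = False        # exited within EARLY_EXIT_SECONDS of start


def summarize_dynamic(log: str) -> DynamicSummary:
    """Reduce constructed 'key=value' sandbox events to the behaviours triage cares about."""
    s, start = DynamicSummary(), None
    for line in log.strip().splitlines():
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        ev, t = f.get("event", ""), float(f.get("t", "0"))
        if ev == "app_start":
            start = t
        elif ev in ("sysprop_read", "file_access", "telephony_read"):
            target = f.get("key") or f.get("path") or f.get("value") or ""
            if any(rx.search(target) for rx in _COMPILED.values()):
                s.probed_env = True
        elif ev == "network_connect":
            s.network_egress = True
        elif ev in ("dex_load", "native_lib_load"):
            s.payload_activity = True
        elif ev == "process_exit" and start is not None and t - start < EARLY_EXIT_SECONDS:
            s.early_exit = True
    return s


def classify(static_hits: dict, dyn: DynamicSummary) -> str:
    """Triage verdict. A quiet run plus system-check logic is inconclusive, not benign."""
    if dyn.payload_activity or dyn.network_egress:
        return "behavior_observed"              # evasion did not suppress the payload; analyse it
    if len(static_hits) >= 2 or dyn.probed_env:
        return "evasion_suspected_inconclusive"  # re-run on hardware or an altered environment
    if static_hits:
        return "single_check_review"            # one probe may be compatibility logic
    return "no_system_checks_observed"


# Constructed samples: smali-like fragments and a made-up sandbox event stream.
SAMPLE_DECOMPILED = """
const-string v0, "goldfish"
sget-object v1, Landroid/os/Build;->HARDWARE:Ljava/lang/String;
const-string v2, "/dev/socket/qemud"
const-string v3, "ro.kernel.qemu"
const-string v4, "15555215554"
invoke-static {}, Landroid/os/Debug;->isDebuggerConnected()Z
"""
BENIGN_DECOMPILED = """
sget v0, Landroid/os/Build$VERSION;->SDK_INT:I
sget-object v1, Landroid/os/Build;->MODEL:Ljava/lang/String;
"""
SAMPLE_DYNAMIC_LOG = """
t=0.00 event=app_start pkg=com.example.app
t=0.31 event=sysprop_read key=ro.kernel.qemu
t=0.32 event=file_access path=/dev/socket/qemud result=exists
t=0.40 event=telephony_read field=line1_number value=15555215554
t=0.41 event=process_exit code=0
"""
SAMPLE_ACTIVE_LOG = """
t=0.00 event=app_start pkg=com.example.app
t=2.10 event=network_connect host=203.0.113.5 port=443
t=2.90 event=dex_load path=/data/data/com.example.app/files/p.dex
"""
QUIET_LOG = "t=0.00 event=app_start pkg=com.example.app\nt=9.80 event=process_exit code=0\n"


def triage(decompiled: str, sandbox_log: str) -> tuple:
    """Run the full correlation and return (static_hits, dynamic_summary, verdict)."""
    hits, dyn = scan_static(decompiled), summarize_dynamic(sandbox_log)
    return hits, dyn, classify(hits, dyn)


if __name__ == "__main__":
    for name, dec, log in (("quiet evasive", SAMPLE_DECOMPILED, SAMPLE_DYNAMIC_LOG),
                           ("benign compat", BENIGN_DECOMPILED, QUIET_LOG),
                           ("payload ran", SAMPLE_DECOMPILED, SAMPLE_ACTIVE_LOG)):
        hits, dyn, verdict = triage(dec, log)
        print(f"{name:14s} static={sorted(hits)} -> {verdict}")
```

The catalogue is keyed by category so that a cluster of probes across several categories (build fingerprint, QEMU filesystem artifacts, default emulator telephony values, instrumentation) weighs more than one isolated string, which is how the false-positive caveat above is honoured. The dynamic side is checked independently: if the sandbox saw the app read a catalogued property and then exit, the sample is escalated even when string obfuscation hid the static indicators.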
Mitigation priorities
- Prioritize resilient mobile malware triage processes that combine static and dynamic analysis instead of depending on one execution environment.
- Maintain controlled analysis environments that can vary device characteristics and reduce obvious sandbox or emulator artifacts where operationally feasible.
- Ensure incident response playbooks treat apparent non-execution or disengagement as inconclusive when system-check behavior is present.
- Document mobile detection and analysis limitations for compliance and leadership reporting so coverage claims are not overstated.
- Where mobile threat defense or managed detection is in scope, require evidence that conditional behavior and sandbox-evasion indicators are reviewed during suspicious app investigations.
Analyst notes and limits
This take is based on the detection strategy identifier DET0625 and its relationship to mobile technique T1633.001, System Checks. The detection strategy itself does not provide an official description, detection logic, tactics, or platforms, so the practical guidance is derived from the related technique description and constrained to defensive validation.
ATT&CK provides sparse fields for this detection strategy: no official detection text, no detection analytics, and no direct platform list on the strategy object. Local telemetry, mobile tooling, app inventory, and IR procedures are required to determine actual coverage.
Detection of System Checks
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1633.001 | System Checks Sub-technique | This object detects System Checks. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7693793599fe… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0625 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.