MITRE ATT&CK® Detection Strategy

DET0644: Detection of Software Packing

Mobile · DET0644 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0644 is a mobile ATT&CK detection strategy for identifying software packing associated with T1406.002. In business terms, packing matters because it can hide code inside Android or iOS applications and undermine controls that rely only on simple file signatures. Leaders should treat this as an application trust and mobile monitoring question: can the organization recognize when mobile software has been compressed, encrypted, or altered in ways that obscure what will actually run at execution time?

Executive priority

Prioritize this where mobile devices or mobile applications are part of workforce access, sensitive workflows, or regulated evidence trails. The decision value is not that packing is automatically malicious, but that it can reduce confidence in signature-only controls and complicate incident triage. Executives should ask whether mobile app vetting, managed detection, and incident response processes can produce defensible evidence when an app’s executable content is concealed or unpacked in memory.

Technical view

The official detection strategy object does not provide detection logic, platforms, or tactics. Its relationship to T1406.002 supports a focus on mobile software packing for Android and iOS. SOC, detection engineering, and IR teams should validate whether their mobile security tooling, app analysis workflows, and forensic processes can identify packed or encrypted executables, changed file signatures, and cases where executable code is decompressed in memory. Detection should be treated as a triage signal that requires context, since legitimate software may also use packing or obfuscation.

Likely telemetry

  • Mobile application package and executable metadata from app vetting or mobile security tools
  • Static analysis results showing compressed, encrypted, or otherwise packed executable content
  • File signature or hash observations that differ from expected known-good application baselines
  • Runtime or forensic evidence indicating executable code is decompressed in memory
  • Mobile device security, MDM, or EDR alerts related to suspicious application characteristics

Detection direction

  • Confirm whether controls can inspect mobile application artifacts rather than relying only on known file signatures.
  • Tune detections to separate known legitimate packed applications from suspicious or unexpected packing in enterprise-relevant apps.
  • Correlate packing indicators with application provenance, installation source, permissions, device context, and user/business criticality before escalation.
  • Validate IR access to runtime or memory-related evidence where available, because the related technique notes that decompression commonly occurs in memory.
  • Document blind spots where mobile platforms, BYOD scope, privacy limits, or tooling constraints prevent collection of app or runtime evidence.

Mitigation priorities

  • Establish an approved-source and app-vetting process for mobile applications used in business workflows.
  • Maintain known-good baselines for sanctioned mobile apps so signature or packaging changes can be investigated.
  • Ensure mobile security, MDM, and incident response procedures can preserve relevant application and device evidence.
  • Use detection of packing as an investigation trigger, not a standalone verdict of maliciousness.
  • Include mobile app integrity evidence in compliance and audit readiness where mobile access affects sensitive systems.

Analyst notes and limits

This take is based on the DET0644 detection strategy metadata and its ATT&CK relationship to T1406.002 Software Packing. The related technique describes adversaries using packing to conceal code, change file signatures, and decompress executable code in memory. Because no official detection text is supplied, the guidance emphasizes validation questions and evidence classes rather than specific analytics.

The supplied DET0644 object has no official description, detection text, tactics, or platforms. Android and iOS are supported only through the related T1406.002 technique. Actual detection coverage depends on local tooling, mobile management scope, app inventory, and privacy/legal constraints, and must be determined per organization.

Official MITRE ATT&CK definition

Detection of Software Packing

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain   ID          Name                               Relationship / procedure
Mobile   T1406.002   Software Packing (sub-technique)   This object detects Software Packing.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 07a2f46a6c4991af...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   07a2f46a6c49…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0644 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.