DET0675: Detection of Location Tracking
Analyst context for executives and security teams
DET0675 is a mobile detection strategy for recognizing behavior associated with ATT&CK T1430, Location Tracking. The business issue is not only data privacy: unauthorized location access can expose executives, field staff, facilities, routes, or sensitive operations. Because the ATT&CK object does not provide an official detection method, teams should treat this as a validation prompt: confirm whether mobile security, MDM/UEM, and privacy controls can show which apps can access location data and when that access is unusual.
Executive priority
Prioritize this where mobile devices are used by executives, traveling staff, regulated workforces, field operations, or roles tied to physical security. Leaders should ask whether the organization has evidence of mobile app location permissions, background location access, and policy exceptions across Android and iOS environments. This supports privacy governance, incident response triage, compliance evidence, and cyber-physical risk management.
Technical view
The related ATT&CK technique is T1430 Location Tracking in the mobile domain, with Android and iOS listed on the related technique. ATT&CK states adversaries may track a device’s physical location through standard OS APIs via malicious or exploited applications. For Android, the relationship text specifically references location permissions such as ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, and background location access. SOC and mobile security teams should validate whether they can inventory apps, permission grants, manifest-declared location permissions, and background location use, then correlate that activity with device ownership, user role, app legitimacy, and business need.
Likely telemetry
- MDM/UEM inventory of enrolled mobile devices and installed applications
- Mobile app permission inventory, including location and background location permissions
- Android application manifest data for declared location permissions where available
- OS privacy or location-access events where collected
- Mobile EDR or mobile threat defense alerts about suspicious or risky applications
Detection direction
- Validate that mobile telemetry can distinguish expected location use from unusual or unnecessary access by app, user, device, and role.
- Review apps requesting fine, coarse, or background location access, especially newly installed, unmanaged, sideloaded, or recently updated applications.
- Tune detections for legitimate business apps such as navigation, fleet, safety, logistics, or workforce-management tools to reduce false positives.
- Account for BYOD and privacy restrictions that may limit visibility into app permissions or location-access history.
- Use the T1430 relationship as context: focus on malicious or exploited applications using normal OS APIs, not only obvious malware indicators.
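One way to turn the review points above into a triage pass over an Android app-permission inventory. This is an added example, not ATT&CK detection logic or Glexia code; the record fields, source labels, role labels, allowlist, and scoring weights are assumptions to replace with whatever your MDM/UEM export provides.

```python
from datetime import date

# Android location permissions, including background location access.
FINE = "android.permission.ACCESS_FINE_LOCATION"
COARSE = "android.permission.ACCESS_COARSE_LOCATION"
BACKGROUND = "android.permission.ACCESS_BACKGROUND_LOCATION"
# Assumptions: local allowlist of approved location apps, local role labels.
APPROVED = {"com.example.fleet", "com.example.maps"}
PRIORITY_ROLES = {"executive", "field_ops"}

def triage(rec, today, recent_days=14):
    """Score one app-on-device record; 0 means no review needed."""
    granted = set(rec["permissions"])
    if not granted & {FINE, COARSE, BACKGROUND}:
        return 0, []
    # Tune out approved apps only when they came from the managed store, so a
    # sideloaded copy reusing an approved package name is still reviewed.
    if rec["package"] in APPROVED and rec["source"] == "managed_store":
        return 0, []
    score, why = 1, ["location access by unapproved or unmanaged app"]
    if BACKGROUND in granted:
        score, why = score + 2, why + ["background location"]
    if rec["source"] == "sideloaded":
        score, why = score + 2, why + ["sideloaded"]
    if (today - rec["installed"]).days <= recent_days:
        score, why = score + 1, why + ["recently installed or updated"]
    if rec["role"] in PRIORITY_ROLES:
        score, why = score + 1, why + ["priority role"]
    return score, why

def review_queue(inventory, today):
    """Return (score, device, package, reasons) rows, highest score first."""
    rows = []
    for rec in inventory:
        score, why = triage(rec, today)
        if score:
            rows.append((score, rec["device"], rec["package"], why))
    return sorted(rows, key=lambda r: -r[0])

# Constructed sample inventory (not real telemetry).
KEYS = ("device", "package", "source", "permissions", "installed", "role")
SAMPLE = [dict(zip(KEYS, row)) for row in [
    ("dev-01", "com.example.fleet", "managed_store", [FINE, BACKGROUND], date(2025, 1, 10), "field_ops"),
    ("dev-02", "com.example.flashlight", "sideloaded", [FINE, BACKGROUND], date(2025, 6, 1), "executive"),
    ("dev-03", "com.example.weather", "managed_store", [COARSE], date(2025, 2, 1), "staff"),
    ("dev-05", "com.example.fleet", "sideloaded", [FINE], date(2025, 5, 30), "field_ops"),
]]

if __name__ == "__main__":
    for row in review_queue(SAMPLE, date(2025, 6, 5)):
        print(row)
```

On BYOD devices where the inventory lacks permission or install-source fields, the pass has nothing to score, which is itself a coverage gap to record.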
Mitigation priorities
- Apply mobile app governance: approved app sources, app vetting, and review of applications requesting location permissions.
- Enforce least-privilege mobile privacy settings where policy and device ownership allow, especially for background location access.
- Use MDM/UEM policy to restrict unmanaged or high-risk apps on managed devices where appropriate.
- Define incident response steps for suspected unauthorized location tracking, including device triage, app removal, user notification, and evidence preservation.
- Maintain audit-ready records of mobile location-permission policy, exceptions, and monitoring coverage.
Analyst notes and limits
The supplied ATT&CK detection strategy has no official description or detection text, so this take is derived from its relationship to T1430 Location Tracking and the provided relationship description. The strongest defensive value is validating mobile visibility and control coverage rather than assuming a specific analytic exists.
Platforms are not specified on the detection strategy itself; Android and iOS are only supplied through the related T1430 technique. No ATT&CK tactics, official detection logic, data sources, mitigations, or procedure examples were provided. Local device ownership model, MDM/UEM coverage, privacy constraints, and mobile telemetry availability will determine practical detectability.
Detection of Location Tracking
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1430 | Location Tracking | This object detects Location Tracking. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e4080b885476… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0675
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.