MITRE ATT&CK® Detection Strategy

DET0686: Detection of SMS Messages

Mobile | DET0686 | Detection Strategy | Object v1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0686 is a mobile detection strategy focused on identifying access to SMS messages, related to ATT&CK technique T1636.004. The business issue is not just text-message privacy: SMS can contain authentication codes, sensitive communications, operational instructions, or evidence of account recovery activity. For security leaders, this behavior matters where mobile devices are part of identity workflows, executive communications, incident response coordination, or regulated data handling.

Executive priority

Prioritize this as an identity, mobile security, and privacy-control validation issue. Leaders should ask whether the organization can detect or investigate unauthorized SMS access on managed Android and iOS devices, especially where SMS is used for authentication or business communications. Because the ATT&CK detection strategy has no official detection text and no platform listed on the detection object itself, coverage decisions should be evidence-driven: confirm what mobile telemetry is actually available, what MDM/mobile security controls can observe, and what incident responders can collect during a mobile investigation.

Technical view

This detection strategy covers T1636.004 (SMS Messages) in the Mobile ATT&CK domain. The related technique states that adversaries may use standard operating system APIs to gather SMS messages; on Android this may involve the SMS Content Provider, while iOS provides no standard API for SMS access. The related technique also notes that rooted or jailbroken devices may allow SMS access without user knowledge or approval. SOC, detection engineering, and IR teams should validate monitoring around SMS permission use, suspicious application behavior, device integrity state, and mobile management/security alerts, while recognizing that available visibility differs materially between Android and iOS.

Likely telemetry

  • Mobile device management or mobile security posture data for Android and iOS devices
  • Application permission inventory and changes, especially SMS-related permissions where available
  • Mobile application installation, update, and provenance data
  • Device integrity signals such as rooted or jailbroken status
  • Mobile security alerts related to suspicious application behavior or sensitive data access

Detection direction

  • Validate whether the organization can observe SMS-related application permissions and access indicators on managed Android devices, including permission changes and unusual apps with SMS access.
  • For iOS, account for the ATT&CK-noted limitation that there is no standard API for SMS access; detection should emphasize jailbreak status, suspicious device posture, and mobile security telemetry rather than assuming direct SMS-access visibility.
  • Tune detections with context about legitimate messaging, backup, carrier, device-management, and accessibility-related applications to reduce false positives.
  • Correlate mobile telemetry with identity events when SMS is used for authentication or account recovery, since SMS access may become material through credential or verification-code exposure.
  • Document blind spots for unmanaged devices, personal devices, limited MDM enrollment, disabled telemetry, or devices unavailable for forensic collection.
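As an added example (not part of the Glexia page or of MITRE's content), the first three detection-direction points applied to a constructed MDM inventory export: flag unvetted Android apps holding SMS permissions, escalate on rooted devices or non-store installs, and for iOS fall back to jailbreak status because there is no SMS API to observe. The export schema, device ids, package names and allow list are assumptions; the Android permission names are real.

```python
import json

# Constructed sample MDM export (not any vendor's real schema; field names are assumptions).
SAMPLE_INVENTORY = json.dumps([
    {"device_id": "dev-001", "os": "android", "rooted": False, "apps": [
        {"package": "com.example.messenger", "source": "play_store",
         "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"]},
        {"package": "com.example.notes", "source": "play_store",
         "permissions": ["android.permission.INTERNET"]}]},
    {"device_id": "dev-002", "os": "android", "rooted": True, "apps": [
        {"package": "com.unknown.util", "source": "sideload",
         "permissions": ["android.permission.READ_SMS", "android.permission.INTERNET"]}]},
    {"device_id": "dev-003", "os": "ios", "jailbroken": True, "apps": []},
])

# Real Android manifest permission names that grant SMS access.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.SEND_SMS"}
# Vetted messaging/backup apps allowed to hold SMS permissions (constructed allow list).
ALLOWED_SMS_APPS = {"com.example.messenger"}


def triage(inventory_json, allowed=ALLOWED_SMS_APPS):
    """Return one finding per device/app combination that needs analyst review."""
    findings = []
    for dev in json.loads(inventory_json):
        integrity_lost = bool(dev.get("rooted") or dev.get("jailbroken"))
        if dev["os"] == "ios":
            # iOS exposes no standard SMS API, so the permission inventory says nothing
            # here; the only observable signal in this feed is device integrity.
            if integrity_lost:
                findings.append({"device_id": dev["device_id"], "package": None,
                                 "severity": "medium",
                                 "reason": "jailbroken iOS device; SMS access not directly observable"})
            continue
        for app in dev.get("apps", []):
            held = SMS_PERMISSIONS & set(app["permissions"])
            if not held or app["package"] in allowed:
                continue  # no SMS capability, or a vetted app: suppress to limit false positives
            # Escalate when the device is rooted or the app did not come from the store.
            severity = "high" if integrity_lost or app["source"] != "play_store" else "medium"
            findings.append({"device_id": dev["device_id"], "package": app["package"],
                             "severity": severity,
                             "reason": f"unvetted app holds {sorted(held)}; "
                                       f"rooted={integrity_lost}, source={app['source']}"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Correlating these findings with identity events (the fourth point) is a join on device ownership that depends on the organization's IdP export and is left out here.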

Mitigation priorities

  • Reduce business dependence on SMS for high-risk authentication or recovery workflows where feasible, prioritizing stronger authentication methods for executives, administrators, and sensitive roles.
  • Maintain mobile device management or equivalent mobile security coverage for devices that access business systems or receive business-relevant SMS content.
  • Enforce and monitor device integrity requirements where supported, with attention to rooted or jailbroken devices.
  • Review application permission governance, especially for apps requesting SMS access on Android.
  • Prepare mobile incident response procedures that define when and how devices can be collected, preserved, and examined.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection text, no tactics, and no platforms specified on the object. The strongest source context is its relationship to T1636.004, which describes SMS message access on Android and iOS and highlights Android SMS Content Provider access plus rooted or jailbroken device risk. Any operational detection content should be validated against the organization’s actual mobile management, mobile security, identity, and incident response telemetry.

This take is constrained to the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, attribution, guaranteed detectability, or specific vendor capabilities. Local device ownership models, MDM enrollment depth, OS versions, privacy constraints, and forensic access will determine practical coverage.

Official MITRE ATT&CK definition

Detection of SMS Messages

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain   ID          Name           Relationship / procedure
Mobile   T1636.004   SMS Messages   Sub-technique. This object detects SMS Messages.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
936980bfc15c617f...
Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   936980bfc15c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0686 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.