DET0703: Detection of Call Control
Analyst context for executives and security teams
DET0703 is a mobile ATT&CK detection strategy for identifying behavior related to Call Control, where an Android application may make, answer, forward, or block phone calls without user authorization. For leaders, the practical issue is not just unwanted calls; it is loss of trust in mobile communications that may support executives, field staff, incident response coordination, customer operations, or other voice-dependent workflows.
Executive priority
Treat this as a mobile security and resilience question: do you know which Android apps can control phone calls, and can your SOC or mobile management program prove it? Priority is higher for users or functions where call availability, privacy, or call routing matters to business operations. This also creates useful audit evidence around mobile app governance, permission review, and incident response readiness.
Technical view
The ATT&CK detection strategy itself has no official detection text, platforms, or tactics listed, but it detects mobile technique T1616: Call Control, whose related platform is Android. SOC, mobile security, and IR teams should validate whether they can observe Android apps requesting or using call-control capabilities such as ANSWER_PHONE_CALLS and CALL_PHONE, and whether they can correlate that with app identity, install source, user context, and call activity. Because legitimate dialers, accessibility tools, collaboration apps, and telecom-related apps may need phone permissions, detection should focus on unauthorized, newly installed, unusual, or policy-violating applications rather than permission presence alone.
Likely telemetry
- Android application inventory from MDM/UEM or mobile security tooling
- Android permission grants or permission requests, especially ANSWER_PHONE_CALLS and CALL_PHONE
- App installation, update, sideloading, and source metadata where available
- Call logs, call initiation/answering events, or telephony-related audit data where privacy policy and platform controls permit collection
- Mobile threat defense or endpoint alerts tied to suspicious app behavior
Detection direction
- Confirm whether enterprise mobile telemetry covers Android app permissions and phone-call-related behavior; many environments only collect device compliance status and app inventory, which may be insufficient.
- Baseline approved apps that legitimately require phone-call permissions, then alert on high-risk permissions granted to unapproved, newly installed, sideloaded, or rarely used apps.
- Correlate call-control permissions with observed call anomalies, user complaints, app install timing, and device compliance state to reduce false positives.
- Account for blind spots in BYOD, unmanaged Android devices, privacy-restricted logging, and environments without mobile EDR/MDM telemetry.
- Use the relationship to T1616 as the detection scope: the goal is to identify unauthorized making, answering, forwarding, or blocking of calls, not generic mobile malware activity.
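The baseline-and-alert approach above, as an added example that is not part of ATT&CK or of this page's source: it flags call-control permission grants on apps that are unapproved or come from an untrusted install source, and raises severity for recent installs. The inventory record schema, the approved-app baseline, the seven-day window, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

P = "android.permission."
CALL_CONTROL = {P + "ANSWER_PHONE_CALLS", P + "CALL_PHONE"}  # named on the page
# Assumptions: local baseline of approved call-capable apps and trusted installers.
APPROVED = {"com.google.android.dialer", "com.example.softphone"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play
NEW_INSTALL_WINDOW = timedelta(days=7)        # assumed tuning value

def triage(records, now):
    """Flag call-control permission grants that fall outside the approved baseline."""
    findings = []
    for r in records:
        granted = sorted(CALL_CONTROL & set(r["granted_permissions"]))
        if not granted:
            continue  # no call-control permission: out of scope for T1616
        unapproved = r["package"] not in APPROVED
        sideloaded = r.get("installer") not in TRUSTED_INSTALLERS
        recent = now - datetime.fromisoformat(r["installed_at"]) <= NEW_INSTALL_WINDOW
        if not (unapproved or sideloaded):
            continue  # approved app, trusted source: permission alone is not a finding
        reasons = [name for name, hit in (("unapproved", unapproved),
                   ("untrusted_source", sideloaded), ("newly_installed", recent)) if hit]
        severity = "high" if unapproved and (sideloaded or recent) else "medium"
        findings.append({"device": r["device"], "package": r["package"],
                         "permissions": granted, "reasons": reasons,
                         "severity": severity})
    return findings

def rec(device, package, installer, installed_at, *perms):
    """Build one constructed inventory record (hypothetical MDM/UEM export schema)."""
    return {"device": device, "package": package, "installer": installer,
            "installed_at": installed_at + "T00:00:00+00:00",
            "granted_permissions": [P + p for p in perms]}

# Constructed sample data; package names other than the Google dialer are made up.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    rec("dev-001", "com.google.android.dialer", "com.android.vending", "2024-03-01",
        "CALL_PHONE", "ANSWER_PHONE_CALLS"),
    rec("dev-002", "com.example.flashlight", None, "2025-01-13", "CALL_PHONE", "CAMERA"),
    rec("dev-003", "com.example.notes", "com.android.vending", "2024-11-02",
        "ANSWER_PHONE_CALLS"),
    rec("dev-004", "com.example.game", None, "2025-01-14", "INTERNET"),
    rec("dev-005", "com.example.softphone", None, "2024-06-20", "CALL_PHONE"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE, NOW):
        print(f["severity"], f["device"], f["package"], ",".join(f["reasons"]))
```

The approved dialer on dev-001 and the sideloaded game without phone permissions on dev-004 produce no finding, which is the point of scoping on baseline and source rather than on permission presence or sideloading alone.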
Mitigation priorities
- Establish mobile app governance for Android devices, including approval criteria for apps that request phone-control permissions.
- Restrict installation of untrusted or sideloaded apps where enterprise policy allows.
- Review and remove unnecessary phone permissions from applications during mobile security assessments or incident response.
- Prioritize monitoring for high-risk users and operational roles that depend on reliable or private voice communications.
- Include mobile call-control abuse in IR playbooks, including collection of app inventory, permission state, install timeline, and call-related evidence where available.
Analyst notes and limits
This object is a detection strategy, not a technique. Its official ATT&CK fields are sparse: no description, detection text, tactics, or platform are specified on the strategy itself. The actionable context comes from its relationship to T1616 Call Control in the mobile domain, with Android listed on the related technique and examples of relevant Android permissions provided in the related description.
Local validation is required. ATT&CK does not provide DET0703-specific analytics, data source requirements, false-positive guidance, or test criteria in the supplied fields. Actual visibility depends on Android management posture, privacy constraints, mobile telemetry depth, and whether devices are corporate-managed or BYOD.
Detection of Call Control
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1616 | Call Control | This object detects Call Control. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 473319660d1d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.