DET0717: Detection of Native API
Analyst context for executives and security teams
DET0717 is a MITRE ATT&CK mobile detection strategy associated with detecting the Android Native API technique (T1575). The business significance is that NDK code is compiled C/C++ loaded into the app process through JNI, so it runs outside the Java/Kotlin SDK layer and can be missed by monitoring that only sees framework API activity or the list of installed apps. For security leaders, this is a prompt to verify whether mobile threat monitoring, app review, and incident response processes can recognize suspicious use of native code rather than assuming standard mobile telemetry is sufficient.
Executive priority
Prioritize this where Android devices, internally developed Android apps, or third-party mobile apps are material to operations, regulated workflows, or executive access. The key decision is whether current mobile security controls and audit evidence can show visibility into native-code behavior, not just installed apps and user activity. Because the official detection strategy has no published detection text, leaders should treat this as a coverage-validation item rather than a ready-made analytic.
Technical view
This detection strategy covers T1575 Native API in the mobile ATT&CK domain. The technique describes adversaries using Android's Native Development Kit (NDK) to write C/C++ functions that are compiled to machine code and loaded into the app process through JNI (System.loadLibrary or System.load), so they execute below the Java/Kotlin SDK layer and are invisible to tooling that only inspects DEX bytecode or framework API calls. SOC, detection engineering, and IR teams should validate whether Android-focused telemetry can expose packaged native libraries (lib/<abi>/*.so), indicators that native functions actually ran, app package contents, and behavioral differences between ordinary SDK/API activity and native-code execution. Any detection logic should be built and tested locally, because the ATT&CK object provides no detection procedure and specifies neither platforms nor tactics on the strategy itself.
Likely telemetry
- Android application package and library inventory, including native library presence where available
- Mobile endpoint or mobile threat defense telemetry related to app behavior
- Application vetting or reverse-engineering outputs for Android apps
- Device and app execution logs available through enterprise mobile security tooling
- Incident response artifacts from Android devices or app analysis environments
Detection direction
- Validate whether existing mobile monitoring distinguishes native-code behavior from normal Android SDK/API usage.
- Use the relationship to T1575 as context: focus on Android Native API visibility, not generic mobile detections.
- Account for false positives: legitimate Android applications may use the NDK for performance or compatibility reasons, so native code presence alone should not be treated as malicious.
- Correlate native-code indicators with suspicious app behavior, provenance, permissions, deployment context, and incident timeline evidence.
- Document blind spots where mobile management, EDR, or app review tooling cannot inspect native libraries or lower-level execution paths.
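As an added example (this is not MITRE, ATT&CK or Glexia code), the Python script below implements the native-library inventory item from the telemetry and detection-direction lists above. It treats an APK as the ZIP it is, records every lib/<abi>/*.so with its SHA-256, an ELF-header check and the JNI symbol strings it carries, notes whether any DEX file references the loader APIs, and emits triage prompts rather than a verdict. The sample APK, the stub .so and .dex bytes and the VENDOR_HASHES allowlist are constructed for the example; the ELF and JNI checks are byte-string heuristics, and a real review would use proper ELF and DEX parsers.

```python
"""Native-library inventory for an Android APK (added example, not MITRE/Glexia code).

An APK is a ZIP file; NDK code ships as ELF shared objects under
lib/<abi>/*.so and is pulled into the app process from Java/Kotlin via
System.loadLibrary()/System.load() (JNI). The checks below are byte-level
heuristics meant for triage, not a substitute for a real ELF/DEX parser.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
# JNI_OnLoad runs as soon as the library is loaded, before any Java-visible
# native method is called; Java_* are the exported JNI method symbols.
JNI_MARKERS = (b"JNI_OnLoad", b"Java_")
# Strings a DEX file contains when it loads a native library the usual way.
LOADER_MARKERS = (b"loadLibrary", b"System.load", b"Runtime.load")


@dataclass
class NativeLib:
    path: str
    abi: str
    sha256: str
    is_elf: bool
    jni_markers: list = field(default_factory=list)


@dataclass
class NativeReport:
    libs: list
    loader_refs: bool      # some DEX references the loader APIs
    unknown_hashes: list   # .so hashes absent from the known-vendor list


def inventory_native_code(apk_bytes: bytes, known_hashes=frozenset()) -> NativeReport:
    """Walk the APK and record every packaged native library."""
    libs, loader_refs = [], False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename, zf.read(info)
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and name.endswith(".so"):
                libs.append(NativeLib(
                    path=name,
                    abi=parts[1],
                    sha256=hashlib.sha256(data).hexdigest(),
                    is_elf=data.startswith(ELF_MAGIC),
                    jni_markers=[m.decode() for m in JNI_MARKERS if m in data],
                ))
            elif name.endswith(".dex") and any(m in data for m in LOADER_MARKERS):
                loader_refs = True
    unknown = [lib.sha256 for lib in libs if lib.sha256 not in known_hashes]
    return NativeReport(sorted(libs, key=lambda lib: lib.path), loader_refs, unknown)


def triage(report: NativeReport) -> list:
    """Turn the inventory into review prompts. Native code by itself is not a
    finding; these are the facts an analyst correlates with provenance,
    permissions, deployment context and observed behaviour."""
    if not report.libs:
        return ["no native libraries packaged"]
    abis = sorted({lib.abi for lib in report.libs})
    notes = [f"{len(report.libs)} native libraries for ABIs: {', '.join(abis)}"]
    if report.unknown_hashes:
        notes.append(f"{len(report.unknown_hashes)} libraries not on the known-vendor hash list")
    for lib in report.libs:
        if not lib.is_elf:
            notes.append(f"{lib.path}: .so without ELF header (packed, encrypted or mislabelled)")
        if "JNI_OnLoad" in lib.jni_markers:
            notes.append(f"{lib.path}: defines JNI_OnLoad, so code runs at load time")
    if not report.loader_refs:
        notes.append("no DEX loader reference found; check for reflective or native-side loading")
    return notes


# Constructed sample: a ZIP shaped like an APK. The .so bodies are stubs
# (ELF magic plus symbol-name strings), not real libraries.
FAKE_SO = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"JNI_OnLoad\x00Java_com_example_Native_run\x00"
PACKED_SO = b"PACKED\x00" + b"\x00" * 24          # no ELF header at all
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 8 + b"Ljava/lang/System;\x00loadLibrary\x00"
VENDOR_HASHES = frozenset({hashlib.sha256(FAKE_SO).hexdigest()})  # hypothetical allowlist


def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml-placeholder/>")
        zf.writestr("classes.dex", FAKE_DEX)
        zf.writestr("lib/arm64-v8a/libnative.so", FAKE_SO)
        zf.writestr("lib/armeabi-v7a/libnative.so", FAKE_SO)
        zf.writestr("lib/arm64-v8a/libpacked.so", PACKED_SO)
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage(inventory_native_code(build_sample_apk(), VENDOR_HASHES)):
        print(line)
```

The allowlist is what makes the false-positive caveat above workable: hashes of the native libraries shipped by known vendor SDKs drop out of the report, and what remains (unknown hashes, a .so with no ELF header, a JNI_OnLoad entry point, an app that packages libraries no DEX appears to load) is the short list that gets correlated with provenance, permissions and incident evidence instead of being treated as malicious on its own.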
Mitigation priorities
- Start with inventory: identify Android exposure, business-critical mobile apps, and whether those apps use native components.
- Strengthen mobile app review and approval processes for internally developed and third-party Android apps, especially where native libraries are present.
- Ensure mobile security tooling and IR procedures can collect evidence from Android apps and devices relevant to native-code analysis.
- Create detection engineering requirements from local telemetry rather than relying on this ATT&CK object as a complete analytic.
- Maintain compliance evidence showing how mobile application risk and device telemetry are reviewed for critical workflows.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. Its practical value comes from the relationship to T1575 Native API, which provides the Android Native API context. Treat DET0717 as a pointer for coverage assessment and detection design rather than a prescriptive rule.
Platforms and tactics are not specified on the detection strategy itself, and no official detection logic is provided. Android relevance is supported only by the related T1575 technique. Local tooling, app portfolio, and device-management evidence are required to determine actual detection coverage.
Detection of Native API
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1575 | Native API | This object detects Native API. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6d9d71a9bd40… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0717
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.