Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0719: Detection of Hooking

DET0719 is a MITRE ATT&CK mobile detection strategy for identifying hooking behavior associated with Android technique T1617. The business significance is...

MobileDET0719Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0719 is a MITRE ATT&CK mobile detection strategy for identifying hooking behavior associated with Android technique T1617. The business significance is that hooking can let a compromised or rooted mobile device falsify what security tools and applications see, making device state, app behavior, or artifact checks unreliable. For leaders, the issue is not just malware detection; it is whether mobile trust decisions, compliance evidence, and incident triage can be relied on when system API results may be manipulated.

Executive priority

Prioritize this where Android devices are used for privileged business workflows, regulated data access, executive communications, field operations, or operational technology support. Security leaders should ask whether mobile security controls can identify rooted or framework-modified devices, whether high-risk devices are blocked from sensitive access, and whether incident responders have evidence sources beyond application-level checks that could be hooked or falsified.

Technical view

The supplied relationship says this detection strategy detects T1617 Hooking in the mobile ATT&CK domain, with the related technique platform listed as Android. SOC, mobile security, and IR teams should validate whether their telemetry can reveal signs of root frameworks or modules such as Xposed or Magisk, unexpected modification of system API behavior, and inconsistencies between device-reported state and independent integrity or management signals. Because the official DET0719 object has no detection text, tactics, or platform field of its own, teams should treat it as a validation prompt rather than a complete analytic specification.

Likely telemetry

  • Mobile device management or mobile endpoint security posture data for Android devices
  • Root or device integrity status, including changes over time
  • Inventory or indicators of root frameworks, framework modules, or modified system components where available
  • Application and system logs that show security checks, permission state, or device state inconsistencies
  • Mobile app attestation or integrity results for applications that gate sensitive access

Detection direction

  • Validate that mobile detections do not rely only on API values that hooking could alter; compare device-reported state with independent management, attestation, or integrity signals where available.
  • Tune for high-confidence combinations, such as rooted-device indicators plus framework/module evidence plus mismatched security posture, to reduce false positives from legitimate testing or developer devices.
  • Establish an exception process for sanctioned rooted or research devices so alerts on production business devices remain actionable.
  • Confirm whether SOC playbooks explicitly handle the possibility that on-device logs or application checks may be manipulated by hooking.
  • Map alerts to T1617 Hooking, but avoid over-attributing intent or malware family because the supplied ATT&CK data does not provide attribution or campaign context.

Mitigation priorities

  • Define policy for whether rooted or framework-modified Android devices may access corporate resources, especially sensitive applications and privileged accounts.
  • Use mobile access controls that can deny or step up authentication when device integrity is uncertain.
  • Maintain Android patch and vulnerability management processes to reduce opportunities for system exploits that can enable root access.
  • Require stronger integrity or attestation checks for applications handling regulated, financial, executive, or operationally sensitive data.
  • Prepare IR procedures for collecting corroborating evidence when a device may be manipulating local API responses or security artifacts.
Analyst notes and limits

This take is based on DET0719 and its supplied relationship to T1617 Hooking. The most useful defensive question is whether the organization can still make trustworthy access and incident decisions when Android device state may be falsified through root frameworks or hooked system calls.

The official detection strategy object provides no description, no detection logic, no tactics, and no platform field of its own. Platform and behavior context come from the supplied relationship to T1617, which lists Android and describes hooking for evasion. Local device fleet composition, mobile security tooling, logging depth, and acceptable-use policy are required to turn this into a concrete detection or control plan.

Official MITRE ATT&CK definition

Detection of Hooking

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1617 Hooking This object detects Hooking.
Relationship explorer

All related ATT&CK context

detects · Technique T1617: Hooking Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
880f88fe0ac3a12d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 880f88fe0ac3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0719
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use