Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0299: NotCompatible

NotCompatible is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. [1]

MobileS0299MalwareObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

NotCompatible matters because MITRE describes it as an Android malware family with variants that became more sophisticated over time, and its ATT&CK relationship links it to exploitation of remote services from a mobile device’s access path into enterprise resources. For leaders, the practical issue is not only mobile malware cleanup; it is whether employee or managed mobile devices can become a bridge into internal services through local connectivity or VPN.

Executive priority

Treat this as a mobile-to-enterprise access risk. Security leaders should ask whether mobile device access to internal systems is governed, monitored, and segmented; whether VPN and remote service exposure from mobile devices is included in incident response playbooks; and whether audit evidence can show mobile access controls, vulnerability management, and logging coverage. Because ATT&CK provides no detection guidance for this malware object, coverage decisions should be based on local telemetry validation rather than assumptions.

Technical view

ATT&CK identifies NotCompatible as an Android malware family used between at least 2014 and 2016, with a relationship to T1428, Exploitation of Remote Services. SOC and IR teams should validate whether they can connect mobile device identity, VPN sessions, network paths, and access to enterprise services when investigating suspicious mobile-originated activity. Detection engineering should focus on the related behavior: mobile devices using enterprise connectivity to reach remote services in unusual ways, especially where those services have exploitable vulnerabilities or weak exposure controls. The object has no ATT&CK tactics, platforms field, aliases, or official detection text, so any detection content must be locally derived and tested.

Likely telemetry

  • Mobile device management or enterprise mobility management inventory and compliance state for Android devices
  • Mobile security alerts or malware verdicts where deployed
  • VPN authentication, session, source device, and assigned IP logs
  • Identity provider sign-in logs tied to mobile access
  • Network flow, proxy, DNS, and firewall logs showing mobile-originated access to internal resources

Detection direction

  • Validate whether mobile-originated VPN or local network traffic can be attributed back to a user and device during an investigation.
  • Look for unusual mobile device access to internal remote services, while tuning carefully for legitimate administrative, support, and business application traffic.
  • Prioritize correlation between mobile security events, VPN sessions, identity sign-ins, and internal service logs rather than relying on any single alert source.
  • Use the T1428 relationship to test whether detection coverage exists for attempted exploitation of services reachable from mobile access paths.
  • Document blind spots where bring-your-own-device, unmanaged Android devices, split tunneling, weak device identity, or missing VPN/session logs prevent investigation.

Mitigation priorities

  • Inventory which mobile devices are allowed to access internal resources and under what conditions.
  • Require strong identity, device compliance, and least-privilege access for mobile connectivity to enterprise services.
  • Segment or restrict mobile VPN and local network access so mobile devices cannot broadly reach internal remote services by default.
  • Prioritize vulnerability management for services exposed to mobile access paths, especially services reachable over VPN.
  • Ensure mobile access, VPN, identity, and internal service logging are retained long enough to support incident response and compliance evidence.
Analyst notes and limits

The supplied ATT&CK object is sparse: NotCompatible is described as Android malware used between at least 2014 and 2016, and the only behavioral relationship provided is use of T1428, Exploitation of Remote Services. The strongest decision value is therefore in validating mobile access governance and telemetry around remote service exposure, not in asserting specific malware indicators or guaranteed detection logic.

No official ATT&CK detection, tactics, aliases, labels, or platform field are provided for this malware object. The description supports Android as the malware family context, while the related technique lists Android and iOS platforms. Local environment architecture, mobile management coverage, VPN design, and service exposure data are required to determine actual risk and detection coverage.

Official MITRE ATT&CK definition

NotCompatible

NotCompatible is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Mobile T1428 Exploitation of Remote Services

NotCompatible has the capability to exploit systems on an enterprise network.CitationLookout-NotCompatible
Relationship explorer

All related ATT&CK context

uses · Technique T1428: Exploitation of Remote Services Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
56c53ca0ae3e8e8d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 56c53ca0ae3e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Lookout-NotCompatible

    Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.

    Open source URL
  2. [2]
    NotCompatible

    (Citation: Lookout-NotCompatible)

  3. [3]
    mitre-attack S0299
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use