MITRE ATT&CK® Technique

T1418.001: Security Software Discovery

Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

Mobile · T1418.001 · Sub-technique · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Security Software Discovery on mobile devices matters because it helps an adversary decide how to proceed after landing on an Android or iOS device: whether security tools are present, which configurations may block them, and whether to continue the infection or change behavior. For leaders, the issue is less the discovery action itself and more whether mobile defenses can show when a hostile app checks the device's security posture before taking follow-on actions.

Executive priority

Prioritize this as a mobile visibility and resilience question: can the organization prove which mobile devices are on recent OS versions, which security applications and configurations are present, and whether suspicious apps are attempting to discover them? This supports incident triage, mobile security control validation, and audit evidence around device hygiene. The relationship to Android malware examples including Gustuff, Exobot, and BRATA makes it relevant to financial, credential, and mobile fraud risk discussions, without implying current exposure.

Technical view

SOC, detection engineering, and IR teams should treat T1418.001 as a sub-technique of mobile Software Discovery focused on security applications and configurations. ATT&CK provides no native detection text for this object, but it is related to DET0680, Detection of Security Software Discovery. Validate coverage separately for Android and iOS because platform visibility and application enumeration behavior differ. Investigations should look for suspicious mobile apps or processes attempting to enumerate installed security products or security-relevant configuration before other actions.

Likely telemetry

  • Mobile device inventory showing Android and iOS platform, OS version, and security application presence
  • Mobile management or compliance records for security configuration state where available
  • Mobile threat defense or endpoint alerts related to application or security-tool enumeration
  • Application behavior telemetry indicating installed-app or security-configuration discovery attempts where the platform exposes it
  • Incident response device collection artifacts showing installed applications, permissions, and relevant configuration state

Detection direction

  • Map DET0680-style logic to the organization’s actual mobile telemetry rather than assuming coverage from desktop endpoint tools.
  • Tune for suspicious enumeration of security applications/configurations by untrusted or unexpected apps; account for legitimate mobile management, security, support, and inventory tools as likely benign sources.
  • Validate Android and iOS separately, since OS controls and available telemetry may limit what can be observed.
  • Use relationship context from the parent Software Discovery technique to correlate this behavior with broader installed-application discovery and possible follow-on activity.
  • When detections fire, preserve device inventory, OS version, app list, permissions, and recent security configuration state for IR context.

Mitigation priorities

  • Prioritize M1006: keep mobile devices on recent OS versions, since newer mobile OS releases can include both vulnerability fixes and security architecture improvements.
  • Use M1011 user guidance to reduce risky mobile behaviors and reinforce required security configuration practices.
  • Measure compliance: identify devices below required OS or configuration baselines and treat them as weaker points for mobile discovery and follow-on behavior.
  • Confirm that security application presence and configuration are visible to defenders, not just assumed by policy.
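The detection direction and mitigation priorities above describe the same workflow: flag untrusted apps that enumerate security software or configuration, allowlist the MDM/MTD/inventory tools that do this legitimately, attach device inventory (OS version, security apps present) for IR context, and measure which devices sit below the OS baseline. The following is an added example, not Glexia's or MITRE's code, that runs that logic over constructed telemetry. Every package name, action value, device record and OS baseline in it is a placeholder invented for the example; a real deployment would take the event schema from its own mobile telemetry feed and the allowlist from its approved-app list.

```python
"""
Added example (not part of the Glexia page or MITRE ATT&CK): toy detection
logic for T1418.001-style security software discovery on mobile devices.

Assumptions, all constructed for this example:
- Telemetry events are dicts with fields ts, device_id, package, action,
  as an MTD/MDM feed might emit them. The action strings are placeholders
  for whatever the platform actually exposes.
- A device inventory maps device_id -> platform, os_version, security_apps.
- Package names are placeholders, not real products.
"""
from dataclasses import dataclass

# Constructed allowlist of benign enumeration sources (MDM agent, MTD app,
# IT inventory tool). These are expected to enumerate apps and settings.
KNOWN_BENIGN_ENUMERATORS = {
    "com.example.mdm.agent",
    "com.example.mtd.client",
    "com.example.it.inventory",
}

# Constructed set of actions that count as security software / configuration
# discovery for this example.
DISCOVERY_ACTIONS = {
    "enumerate_installed_apps",
    "query_device_admin_apps",
    "read_security_settings",
}

# Constructed OS baseline per platform (placeholder values, not from ATT&CK).
MIN_OS_VERSION = {"android": 13, "ios": 16}

# Constructed device inventory.
INVENTORY = {
    "dev-001": {"platform": "android", "os_version": 14, "security_apps": ["com.example.mtd.client"]},
    "dev-002": {"platform": "android", "os_version": 11, "security_apps": []},
    "dev-003": {"platform": "ios", "os_version": 17, "security_apps": ["com.example.mdm.agent"]},
}

# Constructed telemetry events.
EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "device_id": "dev-001", "package": "com.example.mdm.agent", "action": "enumerate_installed_apps"},
    {"ts": "2024-05-01T09:05:00Z", "device_id": "dev-001", "package": "com.freegame.sideload", "action": "enumerate_installed_apps"},
    {"ts": "2024-05-01T09:05:02Z", "device_id": "dev-001", "package": "com.freegame.sideload", "action": "read_security_settings"},
    {"ts": "2024-05-01T09:10:00Z", "device_id": "dev-002", "package": "com.freegame.sideload", "action": "query_device_admin_apps"},
    {"ts": "2024-05-01T09:12:00Z", "device_id": "dev-003", "package": "com.example.mtd.client", "action": "read_security_settings"},
    {"ts": "2024-05-01T09:15:00Z", "device_id": "dev-002", "package": "com.weather.app", "action": "open_url"},
]


@dataclass
class Alert:
    """One alert per (device, untrusted package), with IR context attached."""
    device_id: str
    package: str
    actions: list
    platform: str
    os_version: int
    below_baseline: bool
    security_apps: list


def detect_security_software_discovery(events, inventory, benign=KNOWN_BENIGN_ENUMERATORS):
    """Group discovery actions by (device, package), drop allowlisted tools,
    and attach the device's inventory state so responders do not have to
    re-collect it later."""
    grouped = {}
    for ev in events:
        if ev["action"] not in DISCOVERY_ACTIONS:
            continue
        if ev["package"] in benign:
            continue  # approved MDM/MTD/inventory tool: expected behaviour
        grouped.setdefault((ev["device_id"], ev["package"]), []).append(ev["action"])

    alerts = []
    for (device_id, package), actions in sorted(grouped.items()):
        dev = inventory.get(device_id, {"platform": "unknown", "os_version": 0, "security_apps": []})
        baseline = MIN_OS_VERSION.get(dev["platform"], 0)
        alerts.append(Alert(
            device_id=device_id,
            package=package,
            actions=actions,
            platform=dev["platform"],
            os_version=dev["os_version"],
            below_baseline=dev["os_version"] < baseline,
            security_apps=list(dev["security_apps"]),
        ))
    return alerts


def devices_below_baseline(inventory):
    """Compliance view for M1006: devices whose OS is older than the baseline."""
    return sorted(
        d for d, info in inventory.items()
        if info["os_version"] < MIN_OS_VERSION.get(info["platform"], 0)
    )


if __name__ == "__main__":
    for alert in detect_security_software_discovery(EVENTS, INVENTORY):
        print(alert)
    print("Below OS baseline:", devices_below_baseline(INVENTORY))
```

On the constructed input this yields two alerts, both for the sideloaded package: on dev-001 (two discovery actions, device on baseline, MTD client present) and on dev-002 (one action, device below the Android baseline, no security app present). The MDM and MTD enumerations are suppressed by the allowlist, and the unrelated open_url event is ignored. The point of attaching inventory fields to the alert is the last detection bullet above: the OS version, security-app presence and action list are preserved at detection time rather than reconstructed during response.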

Analyst notes and limits

The ATT&CK object is a mobile sub-technique for Android and iOS with no specified tactics and no official detection text. Relationship context shows a detection strategy exists and that Gustuff, Exobot, and BRATA use this behavior; those examples are Android software references and should be used as context, not as attribution for a local incident.

This take is based only on the supplied ATT&CK fields and relationships. It does not establish active exploitation, organization-specific exposure, or guaranteed detection coverage. Local mobile management, logging, privacy settings, and platform restrictions will determine how much evidence is actually available.

Official MITRE ATT&CK definition

Security Software Discovery

Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Mobile | T1418 | Software Discovery | This object is a sub-technique of Software Discovery.

Associated objects

Groups, software, and campaigns

S0522: Exobot (Malware, Mobile; platform: Android)

Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.[1]

S1094: BRATA (Malware, Mobile; platform: Android)

BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and the USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 2be8e7acb5fe9352...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 2be8e7acb5fe…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] NIST Mobile Threat Catalogue APP-12
  [2] mitre-attack T1418.001

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.