This research sheds light on how user behavior on mobile devices contributes to Advanced Persistent Threat (APT). Based on the research, there is a lack of understanding of APT derived from user behavior. User behavior can be defined as a user action performed on digital systems, with or without malicious intent, that leads to APT attacks. As a result, most APT detection solutions have failed to provide completeness and to mitigate APT attacks. Therefore, this paper proposes a Mobile Advanced Persistent Threat detection based on a Device Behavior (SHOVEL) framework. This paper demonstrates how user behavior impacts APT via social engineering attacks such as spear phishing, watering hole, application repackaging, SQL injection, and malware attacks. The proposed APT detection framework is a novel technique in the fight against APT that presents decision-making as self-adaptive, auto-predictive, and auto-reflective. Furthermore, it complies with Confidentiality, Integrity, and Availability (CIA) to protect sensitive information.