Correlates (1) an application obtaining or maintaining elevated control mechanisms capable of resisting removal (device administrator, accessibility control, managed-owner posture), (2) user navigation into uninstall or application-management flows, and (3) immediate UI redirection, back-navigation injection, modal dismissal, or failed uninstall completion followed by continued app presence. The defender observes a causal chain in which a removal attempt is actively disrupted and the target application remains installed.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt |
| Application Permission (DC0114) | android:MDMLog | application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between uninstall UI entry, interference event, and continued install state |
| ProtectedRoleSet | Set of elevated roles considered removal-resistant (device admin, owner modes, accessibility) |
| GlobalActionSet | UI actions considered suspicious during uninstall flows (BACK, HOME, RECENTS) |
| AllowedAccessibilityApps | Known legitimate accessibility services expected to use global actions |
| UninstallRetryThreshold | Number of repeated uninstall attempts before escalation |
| UplinkBytesThreshold | Outbound traffic threshold confirming continued meaningful activity after failed removal |
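
The three-step correlation described above can be sketched as a small state machine over normalized telemetry. This is an added example, not part of the original page: the event types (`role_granted`, `role_revoked`, `uninstall_ui`, `global_action`, `pkg_present`), the field names, the package names and the tunable values are all assumptions, and `UplinkBytesThreshold` is not modelled.

```python
from collections import defaultdict

# Tunables named after the fields in the table above; values are assumptions.
TIME_WINDOW = 10  # seconds between UI entry, interference and install check
PROTECTED_ROLES = {"device_admin", "device_owner", "profile_owner", "accessibility"}
GLOBAL_ACTIONS = {"BACK", "HOME", "RECENTS"}
ALLOWED_ACCESSIBILITY_APPS = {"com.example.screenreader"}
UNINSTALL_RETRY_THRESHOLD = 2

def detect_removal_interference(events):
    """Return {package: severity} for apps that disrupted their own uninstall."""
    roles = defaultdict(set)  # package -> protected roles currently held
    pending = {}              # package -> time the uninstall UI opened for it
    disrupted = {}            # package -> time of interference, awaiting install check
    hits = defaultdict(int)   # package -> confirmed disrupted removal attempts
    for ev in sorted(events, key=lambda e: e["ts"]):
        pkg, kind, ts = ev["pkg"], ev["type"], ev["ts"]
        if kind == "role_granted" and ev["role"] in PROTECTED_ROLES:
            roles[pkg].add(ev["role"])  # step 1: removal-resistant role held
        elif kind == "role_revoked":
            roles[pkg].discard(ev["role"])
        elif kind == "uninstall_ui" and roles[pkg]:
            pending[pkg] = ts  # step 2: user entered the removal flow
        elif kind == "global_action" and ev["action"] in GLOBAL_ACTIONS:
            opened = pending.get(pkg)
            if (opened is not None and ts - opened <= TIME_WINDOW
                    and pkg not in ALLOWED_ACCESSIBILITY_APPS):
                disrupted[pkg] = ts  # step 3a: UI redirected right after entry
                del pending[pkg]
        elif kind == "pkg_present":
            hit = disrupted.pop(pkg, None)
            if hit is not None and ts - hit <= TIME_WINDOW:
                hits[pkg] += 1  # step 3b: app still installed afterwards
    return {p: "escalate" if n >= UNINSTALL_RETRY_THRESHOLD else "alert"
            for p, n in hits.items()}

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"ts": 0, "pkg": "com.example.cleaner", "type": "role_granted", "role": "accessibility"},
    {"ts": 5, "pkg": "com.example.screenreader", "type": "role_granted", "role": "accessibility"},
    {"ts": 100, "pkg": "com.example.cleaner", "type": "uninstall_ui"},
    {"ts": 101, "pkg": "com.example.cleaner", "type": "global_action", "action": "BACK"},
    {"ts": 103, "pkg": "com.example.cleaner", "type": "pkg_present"},
    {"ts": 130, "pkg": "com.example.cleaner", "type": "uninstall_ui"},
    {"ts": 131, "pkg": "com.example.cleaner", "type": "global_action", "action": "HOME"},
    {"ts": 134, "pkg": "com.example.cleaner", "type": "pkg_present"},
    {"ts": 200, "pkg": "com.example.screenreader", "type": "uninstall_ui"},
    {"ts": 201, "pkg": "com.example.screenreader", "type": "global_action", "action": "BACK"},
    {"ts": 203, "pkg": "com.example.screenreader", "type": "pkg_present"},
]
```

Requiring the install-state check after the interference event keeps a single accidental BACK press during a successful uninstall from alerting.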