The defender correlates SMS-relevant permission state or default SMS handler role with subsequent unauthorized SMS send, receive interception, message database modification, deletion, or concealment behavior by an application outside expected messaging workflows. The analytic prioritizes Android-observable control-plane effects: SEND_SMS or RECEIVE_SMS capability, default SMS handler change or exercise of SMS_DELIVER semantics, direct interaction with the SMS content provider or messaging database, and SMS activity occurring from background or locked-device state without recent user interaction.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | Managed app granted SEND_SMS or RECEIVE_SMS permission, or app role/policy indicates SMS-capable behavior inconsistent with approved enterprise function before SMS control activity |
| | android:MDMLog | Default SMS handler changes to non-baselined application or managed app unexpectedly becomes or remains device default SMS app during SMS control phase |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase |
| File Modification (DC0061) | MobileEDR:telemetry | Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between permission or role change, SMS control activity, message-store modification, and any follow-on network communication |
| AllowedAppList | Apps legitimately expected to send or manage SMS, such as default messaging apps, carrier tools, device migration apps, or approved enterprise communications apps |
| AllowedDefaultSMSHandlers | Approved packages allowed to become the default SMS handler on managed devices |
| AllowedDestinationList | Approved network destinations associated with legitimate messaging synchronization or carrier workflows |
| ForegroundStateRequired | Whether SMS send or message modification should occur only during active user-driven workflows |
| MessageModificationThreshold | Number of insert, update, or delete operations against SMS store within a short interval required before alerting |
| SMSSendRateThreshold | Maximum expected SMS send frequency for legitimate app behavior |
| HighRiskNumberPatterns | Environment-specific list of premium-rate, adversary-known, or non-business SMS destination patterns |
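The correlation logic described above, with every tunable from the Field table wired in, as an added example that is not part of the original analytic. Event names, the `kind`/`foreground`/`dest` fields, package names, numbers and thresholds are all constructed assumptions standing in for real android:MDMLog and MobileEDR:telemetry records.

```python
import re
from collections import defaultdict
CONFIG = {  # tunables mirroring the Field table; values are constructed for this example
    "TimeWindow": 300,                              # seconds from capability change to SMS activity
    "AllowedAppList": {"com.android.messaging"},
    "AllowedDefaultSMSHandlers": {"com.android.messaging"},
    "ForegroundStateRequired": True,
    "MessageModificationThreshold": 2,              # store writes inside the window before alerting
    "SMSSendRateThreshold": 3,                      # sends inside the window before alerting
    "HighRiskNumberPatterns": [r"^\+?1?900\d+$"],   # premium-rate style destinations
}
CAPABILITY = {"permission_granted", "default_sms_handler"}  # android:MDMLog control-plane events
ACTIVITY = {"sms_send", "sms_receive", "sms_store_write"}    # MobileEDR:telemetry effects

def analyze(events, cfg):
    """Correlate SMS capability changes with SMS activity inside TimeWindow; return {app: [reasons]}."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_app[e["app"]].append(e)
    findings = {}
    for app, evs in by_app.items():
        if app in cfg["AllowedAppList"]:
            continue  # expected SMS workflow, out of scope for this analytic
        reasons = []
        if app not in cfg["AllowedDefaultSMSHandlers"] and any(e["kind"] == "default_sms_handler" for e in evs):
            reasons.append("unapproved default SMS handler")
        caps = [e["t"] for e in evs if e["kind"] in CAPABILITY]
        hits = [e for e in evs if e["kind"] in ACTIVITY  # activity that follows a capability change
                and any(0 <= e["t"] - c <= cfg["TimeWindow"] for c in caps)]
        if cfg["ForegroundStateRequired"] and any(e.get("foreground") is False for e in hits):
            reasons.append("SMS activity from background state")
        if sum(e["kind"] == "sms_store_write" for e in hits) >= cfg["MessageModificationThreshold"]:
            reasons.append("message store modification burst")
        if sum(e["kind"] == "sms_send" for e in hits) > cfg["SMSSendRateThreshold"]:
            reasons.append("SMS send rate exceeded")
        if any(e["kind"] == "sms_send" and any(re.match(p, e.get("dest", "")) for p in cfg["HighRiskNumberPatterns"]) for e in hits):
            reasons.append("SMS sent to high-risk number pattern")
        if reasons:
            findings[app] = reasons
    return findings
# Constructed sample telemetry: a suspicious utility app and the approved messaging app.
SAMPLE_EVENTS = [
    {"t": 0, "app": "com.example.util", "kind": "permission_granted", "perm": "android.permission.RECEIVE_SMS"},
    {"t": 5, "app": "com.example.util", "kind": "default_sms_handler"},
    {"t": 40, "app": "com.example.util", "kind": "sms_receive", "foreground": False},
    {"t": 41, "app": "com.example.util", "kind": "sms_store_write", "op": "delete", "foreground": False},
    {"t": 42, "app": "com.example.util", "kind": "sms_store_write", "op": "delete", "foreground": False},
    {"t": 60, "app": "com.example.util", "kind": "sms_send", "dest": "+19005550100", "foreground": False},
    {"t": 70, "app": "com.android.messaging", "kind": "sms_send", "dest": "+15555550100", "foreground": True},
]
```

Running `analyze(SAMPLE_EVENTS, CONFIG)` flags only `com.example.util`; the approved messaging app is skipped by AllowedAppList, and activity with no preceding capability change inside TimeWindow is never correlated.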