Correlates (1) acquisition or presence of elevated control paths capable of forcing a lock state or blocking user interaction, (2) invocation of screen-locking or UI-denial behavior such as DevicePolicyManager lock operations, persistent overlays, accessibility-driven navigation interruption, or foreground lock-screen impersonation, and (3) immediate transition of the device into an unavailable or repeatedly re-locked state while the responsible application remains installed and active. The defender observes a causal chain where an application first gains the ability to control lock-related behavior, then forces or simulates lockout, and the device becomes unusable to the legitimate user.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | application enabled as device administrator, device owner, or profile owner before screen-lock or password-control activity |
| Application Permission (DC0114) | android:MDMLog | application granted accessibility service privileges capable of intercepting UI flow or sustaining user-interaction denial before lockout event |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between privileged control acquisition, lockout action, and resulting device lock state |
| ProtectedRoleSet | Set of elevated roles that materially increase lockout capability, such as device admin, device owner, profile owner, or accessibility service |
| LockActionSet | Framework actions treated as lockout-relevant, including lockNow, password-control changes, overlay persistence, and UI-denial actions |
| AllowedAdminApps | Baseline of legitimate enterprise or security apps expected to invoke lock-related controls |
| RelockThreshold | Number of repeated lock or lock-like transitions in a short interval required before escalation |
| UplinkBytesThreshold | Outbound traffic threshold confirming continued meaningful activity after lockout |
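
The three-stage correlation above, sketched as an added example that is not part of the original analytic. The event schema, app names, and every action label other than lockNow are constructed assumptions; TimeWindow is applied from lock action to lock state, and UplinkBytesThreshold is not modeled.

```python
# Added example: event schema and sample values are constructed, not real MDM/EDR field names.
from collections import defaultdict

TIME_WINDOW = 300  # TimeWindow (seconds), applied here from lock action to lock state
PROTECTED_ROLE_SET = {"device_admin", "device_owner", "profile_owner", "accessibility_service"}
LOCK_ACTION_SET = {"lockNow", "password_change", "overlay_persist", "ui_denial"}
ALLOWED_ADMIN_APPS = {"com.example.mdm"}  # hypothetical enterprise baseline
RELOCK_THRESHOLD = 3

def correlate(events):
    """Return [(device, app, relock_count)] for apps completing all three stages."""
    roles = set()                 # (device, app) pairs holding a protected role
    actions = defaultdict(list)   # (device, app) -> lock-action times after role grant
    locks = defaultdict(list)     # device -> times the device entered a locked state
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["device"], e.get("app"))
        if e["type"] == "role_granted" and e["detail"] in PROTECTED_ROLE_SET:
            roles.add(key)                                   # stage 1
        elif e["type"] == "api_call" and e["detail"] in LOCK_ACTION_SET:
            if key in roles and e["app"] not in ALLOWED_ADMIN_APPS:
                actions[key].append(e["ts"])                 # stage 2
        elif e["type"] == "device_state" and e["detail"] == "locked":
            locks[e["device"]].append(e["ts"])               # stage 3 candidate
    alerts = []
    for (device, app), times in actions.items():
        # Count lock transitions that follow one of this app's lock actions within the window.
        relocks = sum(any(0 <= lt - at <= TIME_WINDOW for at in times) for lt in locks[device])
        if relocks >= RELOCK_THRESHOLD:
            alerts.append((device, app, relocks))
    return sorted(alerts)

def ev(ts, device, type_, detail, app=None):
    return {"ts": ts, "device": device, "type": type_, "detail": detail, "app": app}

SAMPLE = [  # constructed events
    ev(1000, "d1", "role_granted", "device_admin", "com.example.flashlight"),
    ev(1010, "d1", "api_call", "lockNow", "com.example.flashlight"),
    ev(1011, "d1", "device_state", "locked"),
    ev(1030, "d1", "api_call", "lockNow", "com.example.flashlight"),
    ev(1031, "d1", "device_state", "locked"),
    ev(1050, "d1", "api_call", "lockNow", "com.example.flashlight"),
    ev(1051, "d1", "device_state", "locked"),
    ev(900, "d2", "role_granted", "device_owner", "com.example.mdm"),
    ev(2000, "d2", "api_call", "lockNow", "com.example.mdm"),
    ev(2001, "d2", "device_state", "locked"),
    ev(3000, "d3", "api_call", "overlay_persist", "com.example.game"),
    ev(3001, "d3", "device_state", "locked"),
]
print(correlate(SAMPLE))
```

Only the d1 app alerts: the d2 app is in the AllowedAdminApps baseline, and the d3 app never acquired a protected role.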