The defender correlates app-driven shell-launch behavior with subsequent execution of Unix shell processes or shell-script activity under the same app context, especially when execution occurs from the background state, without recent user interaction, or is followed by file-system, privilege-escalation, or network effects inconsistent with the app's declared role. The analytic prioritizes control-plane effects observable on Android: Runtime.exec or ProcessBuilder invocation, spawning of sh, toybox, toolbox, su or an equivalent shell process, script-file staging or redirected output, and post-execution network activity or local artifact creation.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | MobileEDR:telemetry | Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation |
| Command Execution (DC0064) | MobileEDR:telemetry | Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between shell-launch method use, Unix shell process creation, and follow-on file or network effects |
| AllowedAppList | Apps legitimately expected to run shells, such as approved terminal apps, enterprise support tools, device management agents, or developer tooling |
| AllowedProcessPatterns | Expected shell binaries, parent-child process chains, and helper-process patterns for approved apps |
| ForegroundStateRequired | Whether Unix shell execution should occur only during active user-driven workflows |
| CommandArgumentRiskPatterns | Environment-specific list of suspicious shell arguments, pipes, redirection, chaining operators, or privilege-escalation references |
| SensitivePathPatterns | Environment-specific list of high-value file paths or system locations touched after shell execution |
| PostExecutionWriteThreshold | Minimum number or size of artifacts created after shell execution to increase confidence |
| UplinkBytesThreshold | Minimum outbound volume after shell execution to treat network behavior as meaningful |

The defender correlates a managed app's process-launch or shell-like execution effects with subsequent file or network activity by the same app, then raises confidence when execution occurs in a background context, without recent user interaction, or appears tied to command delivery or output exfiltration. Because direct Unix-shell observability is typically weaker on iOS and child processes remain constrained by the app sandbox, the analytic anchors on process-execution effects where the sensor exposes them and otherwise on lifecycle, file, and network side effects, rather than assuming rich shell-parameter visibility in every environment.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | MobileEDR:telemetry | Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between shell-like execution indication, process effects, and follow-on file or network behavior |
| AllowedAppList | Managed apps legitimately expected to perform debugging, remote support, or enterprise automation tasks |
| AllowedProcessPatterns | Expected helper-process or process-launch patterns for approved managed apps |
| ForegroundStateRequired | Whether shell-like execution should occur only during active user-driven workflows |
| ArtifactPathPatterns | Expected temporary or output file locations for approved app behavior |
| UplinkBytesThreshold | Minimum outbound volume after shell-like execution to treat network behavior as meaningful |
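The Python sketch below is an added example serving both analytics above (the Android shell-launch correlation and the iOS shell-like execution correlation); it is not part of the original page and not code from any MobileEDR product. Telemetry is grouped by app context, the correlation is anchored on a shell-binary spawn where the sensor shows one (the Android case) or otherwise on the bare process-launch API indication (the iOS case), and the mutable elements from the tables drive the scoring: AllowedAppList, AllowedProcessPatterns, ForegroundStateRequired, TimeWindow, CommandArgumentRiskPatterns, SensitivePathPatterns, ArtifactPathPatterns, PostExecutionWriteThreshold and UplinkBytesThreshold. The `Event` schema, `Config` field names, point weights, app identifiers, file paths and sample telemetry values are all constructed assumptions.

```python
"""Correlation sketch for the two analytics above (added illustration). Event
schema, field names, app ids, paths and telemetry are constructed assumptions."""
from dataclasses import dataclass
import re

@dataclass
class Event:
    ts: float                    # seconds on a constructed clock
    app: str                     # app context: package or bundle id
    kind: str                    # exec_api | proc_spawn | file_write | net_uplink
    foreground: bool = True      # lifecycle state at event time
    user_input_age: float = 0.0  # seconds since last user interaction
    proc: str = ""               # proc_spawn: child binary name
    args: str = ""               # proc_spawn: command line (often empty on iOS)
    path: str = ""               # file_write: artifact path
    nbytes: int = 0              # file_write size or net_uplink volume

@dataclass
class Config:
    """Mutable elements from the tables above, with constructed defaults."""
    time_window: float = 120.0
    allowed_app_list: frozenset = frozenset()
    allowed_process_patterns: tuple = ()   # regexes matched against "app:proc"
    foreground_state_required: bool = True
    command_argument_risk_patterns: tuple = ()
    sensitive_path_patterns: tuple = ()
    artifact_path_patterns: tuple = ()     # expected output locations (iOS table)
    post_execution_write_threshold: int = 1
    uplink_bytes_threshold: int = 4096
    shell_binaries: frozenset = frozenset({"sh", "su", "toybox", "toolbox"})

def _any(patterns, text):
    return any(re.search(p, text) for p in patterns)

def correlate(events, cfg):
    """Group telemetry by app, anchor on shell-like execution and score the
    follow-on effects inside cfg.time_window; one dict per anchored app.
    Point weights are illustrative choices, not values from the page."""
    by_app = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_app.setdefault(e.app, []).append(e)
    findings = []
    for app, evs in by_app.items():
        if app in cfg.allowed_app_list:
            continue
        # Anchor on a shell-binary spawn if visible (Android), else on the exec API call (iOS).
        a = next((e for e in evs if e.kind == "proc_spawn" and e.proc in cfg.shell_binaries),
                 next((e for e in evs if e.kind == "exec_api"), None))
        if a is None or _any(cfg.allowed_process_patterns, f"{app}:{a.proc}"):
            continue
        lo, hi = a.ts - cfg.time_window, a.ts + cfg.time_window
        hits = []  # (points, reason)
        if a.kind == "proc_spawn" and any(
                e.kind == "exec_api" and lo <= e.ts <= a.ts for e in evs):
            hits.append((1, "exec API call preceded the spawn"))
        if cfg.foreground_state_required and not a.foreground:
            hits.append((2, "execution from background state"))
        if a.user_input_age > cfg.time_window:
            hits.append((1, "no recent user interaction"))
        if _any(cfg.command_argument_risk_patterns, a.args):
            hits.append((2, "risky shell arguments"))
        after = [e for e in evs if a.ts < e.ts <= hi]
        writes = [e for e in after if e.kind == "file_write"
                  and not _any(cfg.artifact_path_patterns, e.path)]
        if writes and len(writes) >= cfg.post_execution_write_threshold:
            hits.append((1, f"{len(writes)} unexpected artifact(s) written"))
        if any(_any(cfg.sensitive_path_patterns, w.path) for w in writes):
            hits.append((2, "sensitive path touched after execution"))
        up = sum(e.nbytes for e in after if e.kind == "net_uplink")
        if up and up >= cfg.uplink_bytes_threshold:
            hits.append((2, f"{up} bytes uplink after execution"))
        findings.append({"app": app, "anchor": a.kind,
                         "score": 1 + sum(p for p, _ in hits),
                         "reasons": ["shell-like execution"] + [r for _, r in hits]})
    return findings

CFG = Config(  # constructed tuning
    allowed_app_list=frozenset({"com.example.termapp"}),
    command_argument_risk_patterns=(r"\bsu\b", r"[|>]", r"&&|;"),
    sensitive_path_patterns=(r"^/data/data/", r"^/system/"),
)

SAMPLE = [  # constructed telemetry; the 1000-second base is arbitrary
    # Android-style chain: exec API, sh spawn in background, write, uplink
    Event(1000, "com.example.weather", "exec_api", foreground=False, user_input_age=900),
    Event(1001, "com.example.weather", "proc_spawn", foreground=False, user_input_age=901,
          proc="sh", args="sh -c 'su -c id; cat /proc/version > /data/data/com.example.weather/o.txt'"),
    Event(1003, "com.example.weather", "file_write", path="/data/data/com.example.weather/o.txt", nbytes=512),
    Event(1010, "com.example.weather", "net_uplink", nbytes=8192),
    # iOS-style: only a process-launch indication, no shell arguments visible
    Event(2000, "com.example.notes", "exec_api", foreground=False, user_input_age=30),
    Event(2005, "com.example.notes", "file_write", path="/private/var/tmp/out.bin", nbytes=4000),
    Event(2050, "com.example.notes", "net_uplink", nbytes=20000),
    # approved terminal app on the allow-list: never scored
    Event(3000, "com.example.termapp", "proc_spawn", proc="sh", args="sh -c ls"),
]

if __name__ == "__main__":
    for f in sorted(correlate(SAMPLE, CFG), key=lambda f: -f["score"]):
        print(f["app"], f["anchor"], f["score"], "; ".join(f["reasons"]))
```

With the constructed sample, the Android-style app scores on every axis (background spawn preceded by an exec API call, privilege-escalation and redirection tokens in the arguments, a write under a sensitive path, and an uplink above the threshold), while the iOS-style app scores only on what the sandboxed sensor can see: background state, an unexpected artifact and the uplink volume. Setting `artifact_path_patterns` to the app's expected temporary locations or turning off `foreground_state_required` lowers those scores accordingly, which is how the mutable elements are meant to be tuned per environment.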