An application is granted or maintains notification listener access, observes notification content from other applications (including sensitive sources such as SMS/email/2FA apps), processes or stores notification payloads, and optionally suppresses or programmatically interacts with notifications (dismiss/action triggers) without corresponding foreground user interaction. Detection correlates special access permission state + notification event interception + application background state + downstream data use (local write or network transmission).

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list |
| OS API Execution (DC0021) | MobileEDR:telemetry | App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction |
| Application State (DC0123) | MobileEDR:telemetry | Notification access event occurs while app_state=background AND device_state=locked OR no recent user interaction |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between notification interception and subsequent data write or network transmission varies by app behavior |
| AllowedAppList | Enterprise-approved apps with legitimate notification access (e.g., accessibility tools, wearables) |
| ForegroundStateRequired | Whether notification access is expected only when the app is foregrounded |
| UplinkBytesThreshold | Threshold for small outbound payloads indicative of notification content exfiltration |
| SensitiveSourceApps | Apps whose notifications are considered sensitive (SMS, email, authenticator apps) |
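The correlation described above, worked through as an added example over constructed MDM/EDR-style telemetry (this is illustrative code, not part of the strategy or any vendor's analytic). The tunables mirror the mutable fields in the table; every package name and threshold value is a placeholder, and the Application State row is read as "background AND (locked OR no recent user interaction)".

```python
# Tunables that mirror the strategy's mutable fields; all values are constructed placeholders.
TIME_WINDOW_S = 120                      # TimeWindow
ALLOWED_APPS = {"com.example.wearable"}  # AllowedAppList (hypothetical enterprise-approved package)
FOREGROUND_STATE_REQUIRED = True         # ForegroundStateRequired
UPLINK_BYTES_THRESHOLD = 4096            # UplinkBytesThreshold
SENSITIVE_SOURCE_APPS = {"com.android.messaging", "com.example.authenticator"}  # SensitiveSourceApps

def suspicious_state(ev):
    """App is backgrounded AND (device locked OR no recent user interaction)."""
    return ev.get("app_state") == "background" and (
        ev.get("device_state") == "locked" or not ev.get("recent_user_interaction", False))

def correlate(events):
    """Return (listener_pkg, source_pkg, downstream_event_type) for each interception of a
    sensitive-source notification by a non-approved listener in a suspicious state that is
    followed within TIME_WINDOW_S by a local write or a small outbound transmission."""
    listeners = {ev["pkg"] for ev in events
                 if ev["type"] == "notification_access_granted" and ev["pkg"] not in ALLOWED_APPS}
    alerts = []
    for ev in events:
        if ev["type"] != "notification_intercept" or ev["pkg"] not in listeners:
            continue
        if ev["source_pkg"] not in SENSITIVE_SOURCE_APPS:
            continue
        if FOREGROUND_STATE_REQUIRED and not suspicious_state(ev):
            continue
        for later in events:  # downstream data use by the same package inside the window
            if later["pkg"] != ev["pkg"] or not 0 <= later["ts"] - ev["ts"] <= TIME_WINDOW_S:
                continue
            if later["type"] == "file_write" or (
                    later["type"] == "net_tx" and later["bytes"] <= UPLINK_BYTES_THRESHOLD):
                alerts.append((ev["pkg"], ev["source_pkg"], later["type"]))
                break
    return alerts

# Constructed telemetry, not real MDM/EDR output; package names are placeholders.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "notification_access_granted", "pkg": "com.example.wearable"},
    {"ts": 1, "type": "notification_access_granted", "pkg": "com.example.cleaner"},
    {"ts": 10, "type": "notification_intercept", "pkg": "com.example.cleaner",
     "source_pkg": "com.android.messaging", "app_state": "background", "device_state": "locked"},
    {"ts": 40, "type": "net_tx", "pkg": "com.example.cleaner", "bytes": 512},
    {"ts": 50, "type": "notification_intercept", "pkg": "com.example.wearable",  # approved app
     "source_pkg": "com.android.messaging", "app_state": "background", "device_state": "locked"},
    {"ts": 60, "type": "notification_intercept", "pkg": "com.example.cleaner",   # non-sensitive source
     "source_pkg": "com.example.news", "app_state": "background", "device_state": "locked"},
    {"ts": 70, "type": "notification_intercept", "pkg": "com.example.cleaner",   # user present
     "source_pkg": "com.example.authenticator", "app_state": "foreground",
     "device_state": "unlocked", "recent_user_interaction": True},
    {"ts": 90, "type": "net_tx", "pkg": "com.example.cleaner", "bytes": 512},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Only the backgrounded, locked-device interception of a messaging notification by the non-approved package, followed by a small uplink within the window, produces an alert; the approved wearable, the non-sensitive source and the foreground interaction are all filtered out.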