The defender correlates Android accessibility or UI-automation-capable behavior from an app identity with injected user-interface actions occurring on behalf of the user in another foreground application. The strongest Android evidence is accessibility-enabled or similarly privileged app behavior that triggers programmatic clicks, global actions, or text insertion into another app's active UI, especially when those actions occur without matching user touch interaction, while the injecting app is backgrounded or foreground-service-only, or when the target foreground app belongs to a sensitive category such as banking, payments, identity, communications, or enterprise access. The detection is strengthened when the injected input sequence is followed by target-app navigation, form submission, transaction progression, or network activity from the target context.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow |
| OS API Execution (DC0021) | MobileEDR:telemetry | Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow |
| OS API Execution (DC0021) | MobileEDR:telemetry | Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship |
| Application State (DC0123) | MobileEDR:telemetry | Injecting app remained backgrounded or foreground-service-only while injected click, global action, or text insertion occurred in a different foreground app |
| Application State (DC0123) | MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before injected UI action and no matching touch interaction was observed for the target foreground app during injection sequence |
| Application State (DC0123) | MobileEDR:telemetry | Sensitive app category remained foregrounded during injected UI sequence from different app identity |
| Field | Description |
|---|---|
| TimeWindow | Correlation window linking injected actions to target-app navigation, submission, or downstream network effects. |
| AllowedAppList | Approved accessibility, autofill, remote-assist, or QA/testing apps vary by organization and device group. |
| AllowedAccessibilityApps | Approved accessibility-enabled apps vary by assistive and enterprise workflow. |
| AllowedAutofillApps | Approved password managers or autofill-capable apps may legitimately inject text into fields. |
| RecentUserInteractionWindow | Defines how close an injected action must be to user interaction to be considered expected. |
| SensitiveForegroundAppCategories | Categories such as banking, payments, identity, communications, and enterprise access may warrant higher sensitivity. |
| GlobalActionBurstThreshold | Threshold for repeated programmatic global actions within a short window. |
| TextInjectionLengthThreshold | Minimum inserted text length or field-population pattern considered suspicious outside approved autofill workflows. |
| ConsentOrSetupGracePeriod | Grace period allowed after explicit user enablement of approved accessibility or autofill workflows before injection is treated as suspicious. |
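The correlation described above, carried through as an added example that is not part of the original page: it runs the analytic's core checks (AllowedAccessibilityApps, AllowedAutofillApps, RecentUserInteractionWindow, SensitiveForegroundAppCategories, TextInjectionLengthThreshold, injector foreground state) over a constructed stream of MobileEDR-style events. The event schema, package names and threshold values are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Tunable elements from the analytic; package names and values are constructed for this example.
ALLOWED_ACCESSIBILITY_APPS = {"com.example.screenreader"}     # AllowedAccessibilityApps
ALLOWED_AUTOFILL_APPS = {"com.example.passwordmanager"}       # AllowedAutofillApps
SENSITIVE_CATEGORIES = {"banking", "payments", "identity", "communications", "enterprise"}
RECENT_USER_INTERACTION_WINDOW_MS = 2_000                    # RecentUserInteractionWindow
TEXT_INJECTION_LENGTH_THRESHOLD = 8                          # TextInjectionLengthThreshold

@dataclass
class Event:
    ts: int             # milliseconds
    kind: str           # touch | click | global_action | text_insert
    actor: str          # package performing the action (for a touch, the foreground app)
    foreground: str     # package owning the foreground UI at that moment
    category: str = ""  # category of the foreground app, if known
    actor_state: str = "foreground"  # foreground | background | foreground_service
    text_len: int = 0

def detect_injection(events):
    """Return (actor, target, reasons) for cross-app UI actions that match the analytic."""
    last_touch, alerts = {}, []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "touch":
            last_touch[e.foreground] = e.ts   # genuine user interaction on the target app
            continue
        # Same-app actions and approved assistive or autofill relationships are expected.
        if e.actor == e.foreground or e.actor in ALLOWED_ACCESSIBILITY_APPS:
            continue
        if e.kind == "text_insert" and e.actor in ALLOWED_AUTOFILL_APPS:
            continue
        reasons = []
        if e.ts - last_touch.get(e.foreground, float("-inf")) > RECENT_USER_INTERACTION_WINDOW_MS:
            reasons.append("no matching user touch on target")
        if e.actor_state != "foreground":
            reasons.append("injector was " + e.actor_state)
        if e.category in SENSITIVE_CATEGORIES:
            reasons.append("sensitive target category: " + e.category)
        if e.kind == "text_insert" and e.text_len >= TEXT_INJECTION_LENGTH_THRESHOLD:
            reasons.append("text injection outside approved autofill")
        if reasons:
            alerts.append((e.actor, e.foreground, reasons))
    return alerts

# Constructed telemetry: an approved password manager fills a field right after the user taps
# it (benign), then a backgrounded app clicks and types into the banking app with no user touch.
SAMPLE = [
    Event(1000, "touch", "com.bank.app", "com.bank.app", "banking"),
    Event(1500, "text_insert", "com.example.passwordmanager", "com.bank.app", "banking", "foreground", 16),
    Event(9000, "click", "com.example.injector", "com.bank.app", "banking", "background"),
    Event(9200, "text_insert", "com.example.injector", "com.bank.app", "banking", "background", 12),
]
```

Calling `detect_injection(SAMPLE)` yields two alerts for the backgrounded injector and none for the approved autofill fill; the global-action burst and setup grace period fields are left to the same pattern.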