On Android, the defender correlates an app-attributed request to a legitimate public web platform with a subsequent outbound connection to a newly derived or previously unseen destination within a short time window. The signal is stronger when the initial request retrieves structured or encoded content and is followed by a pivot to a different domain or IP that the app has not previously contacted, especially when this occurs without user interaction, while the app is in the background, or immediately after app initialization or scheduled execution. This sequence reflects resolver retrieval followed by dynamic C2 resolution.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow |
| | VPN:MobileProxy | DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity |
| | VPN:MobileProxy | Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category |
| Application State (DC0123) | MobileEDR:telemetry | AppState=background or foreground_service active when resolver retrieval request occurred and pivot connection followed without foreground transition |
| | MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before resolver retrieval and subsequent pivot connection sequence |
| OS API Execution (DC0021) | MobileEDR:telemetry | Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow |
| Application Permission (DC0114) | android:MDMLog | App initiating resolver→pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure |
| Field | Description |
|---|---|
| TimeWindow | Maximum allowed time between resolver retrieval and pivot connection (e.g., 5–60 seconds). |
| NewDomainThreshold | Defines what qualifies as a previously unseen or rare destination for the app or device. |
| AllowedServiceToDestinationMapping | Legitimate mappings between apps and expected downstream services. |
| UserInteractionThreshold | Defines acceptable delay between user interaction and network activity. |
| PayloadSizeThreshold | Upper bound on resolver response size; a small resolver response followed by larger pivot traffic can indicate that the next destination was extracted from the retrieved content. |
The defender correlates a supervised-device or managed-app request to a legitimate web platform with a subsequent connection to a newly derived destination that is not part of the expected service interaction. Because iOS has weaker app-level telemetry, the strongest signal is a network-level sequence where a request to a known public platform is immediately followed by a connection to a different domain or IP, particularly when the device is locked, no recent user interaction occurred, and the bundle is not expected to interact with such downstream infrastructure.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | VPN:MobileProxy | App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow |
| | VPN:MobileProxy | DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity |
| Application State (DC0123) | MobileEDR:telemetry | DeviceLockState=locked or BackgroundRefresh active during resolver→pivot sequence |
| | MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before resolver request and pivot connection sequence |
| Application Permission (DC0114) | iOS:MDMLog | Bundle performing resolver→pivot sequence not present in approved managed-app baseline or lacks expected service relationship |
| OS API Execution (DC0021) | iOS:unifiedlog | Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence |
| Field | Description |
|---|---|
| TimeWindow | Maximum allowed time between resolver retrieval and pivot connection. |
| NewDomainThreshold | Defines rarity or novelty of domain for the device or bundle. |
| AllowedServiceToDestinationMapping | Expected relationships between apps and external services. |
| BackgroundRefreshBaseline | Expected background network behavior for managed apps. |
| UserInteractionThreshold | Defines acceptable timing between user activity and network requests. |
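The resolver→pivot correlation that both platform sections describe, worked through as an added example (not part of the original page): a small Python detector over constructed app-attributed flow records, driven by the TimeWindow, NewDomainThreshold, AllowedServiceToDestinationMapping and UserInteractionThreshold fields. The resolver domain list, app identifiers and destinations are assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RESOLVER_DOMAINS = {"pastebin.com", "github.com", "x.com", "docs.google.com"}  # constructed list
TIME_WINDOW = timedelta(seconds=60)                # TimeWindow
USER_INTERACTION_THRESHOLD = timedelta(minutes=5)  # UserInteractionThreshold

@dataclass
class Flow:
    ts: datetime                # session start (VPN/MobileProxy)
    app: str                    # app identity attributed to the flow
    domain: str                 # DNS name, TLS SNI or bare IP of the destination
    app_state: str              # "foreground" or "background" (Application State)
    last_interaction: datetime  # most recent user interaction before this flow

def detect_resolver_pivots(flows, known_domains, allowed_mapping):
    """One alert per resolver retrieval followed, within TIME_WINDOW and from the same app, by a pivot to an unseen, unexpected destination."""
    alerts, by_app = [], {}
    for f in sorted(flows, key=lambda f: f.ts):
        by_app.setdefault(f.app, []).append(f)
    for app, app_flows in by_app.items():
        seen = set(known_domains.get(app, ()))      # NewDomainThreshold: strict novelty per app
        allowed = set(allowed_mapping.get(app, ()))  # AllowedServiceToDestinationMapping
        for i, f in enumerate(app_flows):
            if f.domain not in RESOLVER_DOMAINS:
                seen.add(f.domain)  # ordinary traffic extends the app's baseline
                continue
            for g in app_flows[i + 1:]:
                if g.ts - f.ts > TIME_WINDOW:
                    break
                if g.domain in RESOLVER_DOMAINS or g.domain in seen or g.domain in allowed:
                    continue
                alerts.append({
                    "app": app, "resolver": f.domain, "pivot": g.domain,
                    "delta_s": (g.ts - f.ts).total_seconds(),
                    # Application State enrichment: background execution and a long LastUserInteractionDelta
                    "background": g.app_state == "background",
                    "no_recent_interaction": g.ts - g.last_interaction > USER_INTERACTION_THRESHOLD,
                })
    return alerts
# Constructed sample: a weather app fetches a paste then contacts a new IP in the background;
# a notes app legitimately follows docs.google.com with drive.google.com.
T0 = datetime(2024, 1, 1, 3, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0 + timedelta(seconds=30), "com.example.weather", "pastebin.com", "background", T0 - timedelta(minutes=20)),
    Flow(T0 + timedelta(seconds=42), "com.example.weather", "203.0.113.7", "background", T0 - timedelta(minutes=20)),
    Flow(T0 + timedelta(seconds=50), "com.example.notes", "docs.google.com", "foreground", T0 + timedelta(seconds=48)),
    Flow(T0 + timedelta(seconds=55), "com.example.notes", "drive.google.com", "foreground", T0 + timedelta(seconds=48)),
]
KNOWN = {"com.example.weather": {"api.weather.example"}}  # prior baseline destinations per app
ALLOWED = {"com.example.notes": {"drive.google.com"}}     # expected service relationships
```

Removing the notes app's mapping from ALLOWED produces a second alert for the docs→drive sequence, which is the false-positive class the AllowedServiceToDestinationMapping field exists to suppress.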