From the defender’s view: an app retrieves opaque code (DEX/SO/JAR/JS) over the network or IPC, writes it into an app-writable path, optionally performs verification-bypass behaviors (reflection, addJavascriptInterface exposure, or execmem friction), and then loads/executes that code via DexClassLoader/PathClassLoader, dlopen, or WebView bridge invocation within a short window. The analytic correlates Network Content → File Creation/Modification → OS API Execution (loader/syscall/SELinux friction) → Module Load (DexClassLoader/dlopen) and, for WebView paths, Application Log signals of JavaScript interface attachment.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript) |
| File Creation (DC0039) | android:logcat | Create/write under /data/data/ |
| OS API Execution (DC0021) | android:logcat | SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID |
| Module Load (DC0016) | android:logcat | DexClassLoader or PathClassLoader load from app-writable path OR dlopen of a freshly created .so |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max correlation window between download → write → load (e.g., 10–60s depending on device/workload). |
| ContentTypeList | List of MIME types considered ‘code-like’ (octet-stream, zip, java-archive, x-dex, x-sharedlib, javascript). |
| WritablePathRegex | Regex for app-writable destinations to watch (/data/data/ |
| PayloadEntropyThreshold | Entropy cutoff to flag likely code blobs (e.g., ≥ 7.2). |
| KnownGoodCDNAllowlist | CDNs/domains expected for legitimate updates to reduce FPs. |
| KnownGoodLoaderAllowlist | Bundles/libs known to legitimately load from writable paths (dev/test apps). |
| JSInterfaceNameList | Names of allowed WebView JS interfaces for the org (e.g., analytics only). |
| UserContext | Foreground/background, Work Profile, dev mode to scope alerts. |

From the defender’s view: a sandboxed app retrieves code-like content (JS/Mach-O/bundles), writes it to its container’s tmp/Caches directories, changes memory page permissions (RW→RX/RWX) or loads directly via dyld/dlopen from writable paths, sometimes preceded by third-party hotpatch frameworks (e.g., JSPatch-like behavior) or script-engine evaluation. The analytic correlates Network Content → File Creation → OS API Execution (memory permission change) → Module Load (dyld/dlopen) and/or Process Access (codesign validation touches), with optional scripting-engine events.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | iOS:unifiedlog | Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o) |
| File Creation (DC0039) | iOS:unifiedlog | Create/write in /var/mobile/Containers/Data/Application/ |
| OS API Execution (DC0021) | iOS:unifiedlog | mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files |
| Module Load (DC0016) | iOS:unifiedlog | dlopen/image load from app-writable path (tmp, Caches) outside bundled resources |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max correlation window between download → write → load (e.g., 15–60s). |
| ContentTypeList | MIME list treated as code-like (octet-stream, zip, javascript, x-mach-o). |
| WritablePathRegex | Regex for app container tmp/Caches writable paths. |
| PayloadEntropyThreshold | Entropy cutoff to flag code blobs (e.g., ≥ 7.3). |
| KnownJITAllowlist | Bundles that legitimately do JIT/script eval to reduce RWX noise. |
| WritableLoadPathRegex | Regex for loads from writable paths only (exclude app bundle). |
| UnsignedExecPolicy | Handle enterprise/dev-provisioned unsigned execution contexts. |
| UserContext | Foreground/background or Work Profile state to filter noise. |
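The download → write → load correlation described for both platforms above, as an added example that is not part of the original analytic: a minimal Python correlator keyed on UID, run over constructed, logcat-shaped Android events. The event field names, the regex shape, the allow-listed host and the sample records are assumptions; the iOS chain differs only in the path regex and loader names.

```python
import math
import re

TIME_WINDOW_SECONDS = 30  # tunables named in the analytic; values illustrative, not defaults
CONTENT_TYPE_LIST = {"application/octet-stream", "application/zip", "application/java-archive",
                     "application/x-dex", "application/x-sharedlib", "text/javascript"}
WRITABLE_PATH_REGEX = re.compile(r"^/data/data/[^/]+/")  # assumed shape of WritablePathRegex
PAYLOAD_ENTROPY_THRESHOLD = 7.2
KNOWN_GOOD_CDN_ALLOWLIST = {"cdn.updates.example"}  # constructed allowlist entry
LOADERS = {"DexClassLoader", "PathClassLoader", "dlopen"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed DEX/SO/ZIP blobs sit near 8, plain text well below."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def correlate(events):
    """Emit one alert per UID whose network -> file -> load chain completes, in
    order and on the same path, within TIME_WINDOW_SECONDS of the download."""
    chains, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        uid, kind, chain = ev["uid"], ev["kind"], chains.get(ev["uid"])
        if kind == "network":  # code-like by MIME type, or opaque by entropy when mislabelled
            code_like = (ev["content_type"] in CONTENT_TYPE_LIST
                         or shannon_entropy(ev["payload"]) >= PAYLOAD_ENTROPY_THRESHOLD)
            if code_like and ev["host"] not in KNOWN_GOOD_CDN_ALLOWLIST:
                chains[uid] = {"download": ev}  # a new download restarts the chain
        elif kind == "file" and chain and "write" not in chain:
            if WRITABLE_PATH_REGEX.match(ev["path"]):
                chain["write"] = ev
        elif kind == "load" and chain and "write" in chain:
            elapsed = ev["ts"] - chain["download"]["ts"]
            if (ev["loader"] in LOADERS and ev["path"] == chain["write"]["path"]
                    and elapsed <= TIME_WINDOW_SECONDS):
                alerts.append({"uid": uid, "host": chain["download"]["host"],
                               "loader": ev["loader"], "path": ev["path"], "elapsed_s": elapsed})
            chains.pop(uid, None)  # chain consumed whether or not it alerted
    return alerts

SAMPLE_EVENTS = [  # constructed, logcat-shaped records: uid 10101 should alert, 10102 is allow-listed
    {"ts": 100.0, "uid": 10101, "kind": "network", "host": "203.0.113.7",
     "content_type": "text/plain", "payload": bytes(range(256))},  # mislabelled blob, entropy 8.0
    {"ts": 103.5, "uid": 10101, "kind": "file", "path": "/data/data/com.example.a/cache/u.dex"},
    {"ts": 108.0, "uid": 10101, "kind": "load", "loader": "DexClassLoader",
     "path": "/data/data/com.example.a/cache/u.dex"},
    {"ts": 200.0, "uid": 10102, "kind": "network", "host": "cdn.updates.example",
     "content_type": "application/zip", "payload": b"PK\x03\x04"},
    {"ts": 201.0, "uid": 10102, "kind": "file", "path": "/data/data/com.example.b/files/p.jar"},
    {"ts": 202.0, "uid": 10102, "kind": "load", "loader": "PathClassLoader", "path": "/data/data/com.example.b/files/p.jar"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for uid 10101; the allow-listed CDN chain never starts, and a load that arrives after the window closes the chain without alerting.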