The defender correlates an app gaining broader file visibility (runtime permissions, manifest flags, legacy external storage mode) with enumeration of other apps’ storage or exported ContentProviders, followed by bulk reads or copies from those target paths (including shared/external storage) and, optionally, archiving/encoding before sharing or uploading. Sequence: storage capability/permission gain → target discovery (provider queries, directory listing) → high-volume cross-app data reads from writable/shared paths → archive/encode → exfil/share, all within a short window.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | android:logcat | Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection |
| OS API Execution (DC0021) | android:logcat | QUERY on exported ContentProviders of other packages (content:// |
| File Access (DC0055) | android:logcat | READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data/ |
| File Creation (DC0039) | android:logcat | CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths |

| Field | Description |
|---|---|
| TimeWindowSeconds | Correlation window to tie discovery → reads → package → exfil (e.g., 15–120s). |
| ExternalStoragePathRegex | Regex for cross-app paths on external/shared storage to monitor. |
| SuspiciousProviders | List of exported/weakly-protected content providers under scrutiny. |
| MinBytesRead | Lower bound on cumulative read volume to avoid noisy single-file accesses. |
| ArchiveExtensions | Extensions considered packaging (.zip, .gz, .7z, .tar, .db copies). |
| ExfilDomainAllowlist | Known-good CDNs/APIs to reduce false positives. |
| UserContext | Foreground/background, Work Profile, developer mode to scope alerts. |

The defender correlates attempts to access other apps’ data via shared containers (App Groups), the Photos/Files providers, pasteboard abuse, or cross-container reads on a jailbroken device, followed by aggregation/packaging and optional exfil/share. Sequence: capability/consent (TCC prompts, entitlements) → target discovery (App Group/Photos/Files enumeration, URL schemes) → bulk read from a shared or foreign container or provider → package/encode → exfil/share.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | iOS:unifiedlog | Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data |
| File Access (DC0055) | iOS:unifiedlog | READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when the App Group is not owned by the calling bundle |
| Application Log Content (DC0038) | iOS:unifiedlog | Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging |
| File Creation (DC0039) | iOS:unifiedlog | CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items |

| Field | Description |
|---|---|
| TimeWindowSeconds | Correlation window for consent/discovery → read → package → exfil (e.g., 20–180s). |
| AppGroupAllowlist | Allowed App Group IDs for each bundle to reduce false positives. |
| ProviderScope | Files/Photos provider collections permitted for the app. |
| MinBytesRead | Lower bound on cumulative read size to signal collection vs casual access. |
| ArchiveExtensions | Packaging extensions to track when aggregating data. |
| ExfilDomainAllowlist | Known-good enterprise domains/CDNs for uploads. |
| UserContext | Foreground/background and Work Profile state to scope analytics. |
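The staged chain described for both platforms above, written as a small correlator driven by the tunables from the tables; this is an added example, not part of the original analytic. It is instantiated with the Android field names (storage permissions, external-storage paths), and the iOS chain has the same shape with TCC grants and App Group container paths substituted. The normalized event shape, the package and domain names, and the byte counts are constructed assumptions.

```python
import re
CONFIG = {  # tunables named as in the tables above; the values are constructed for this example
    "TimeWindowSeconds": 120, "MinBytesRead": 1_000_000,
    "ExternalStoragePathRegex": r"^/storage/emulated/0/Android/data/([^/]+)/",  # group 1 = owning package
    "ArchiveExtensions": (".zip", ".gz", ".7z", ".tar"), "ExfilDomainAllowlist": {"cdn.example-vendor.com"},
}
STORAGE_PERMS = ("MANAGE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "READ_MEDIA_")
ORDER = ["capability", "discovery", "read", "package", "exfil"]  # the chain from the description above
def classify(ev, cfg):  # map one normalized event to a chain stage, or None when it looks benign
    t = ev["type"]
    if t == "permission" and ev["name"].startswith(STORAGE_PERMS):
        return "capability"
    if t == "provider_query" and ev["provider_pkg"] != ev["pkg"]:
        return "discovery"
    m = re.match(cfg["ExternalStoragePathRegex"], ev["path"]) if t == "file_read" else None
    if m and m.group(1) != ev["pkg"]:  # a read from another package's external directory
        return "read"
    if t == "file_create" and ev["path"].endswith(cfg["ArchiveExtensions"]):
        return "package"
    if t == "upload" and ev["domain"] not in cfg["ExfilDomainAllowlist"]:
        return "exfil"
def correlate(events, cfg):  # one alert per package completing ORDER in the window (package stage optional)
    alerts, state = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev, cfg)
        if stage is None: continue
        s = state.get(ev["pkg"])
        if s is None or ev["ts"] - s["start"] > cfg["TimeWindowSeconds"]:
            s = state[ev["pkg"]] = {"start": ev["ts"], "idx": 0, "bytes": 0}  # (re)start the chain
        want = ORDER[s["idx"]]
        if stage == "read" and s["idx"] >= 2:  # count bytes only after discovery has happened
            s["bytes"] += ev.get("bytes", 0)
        if stage == "exfil" and want in ("package", "exfil"):
            if s["bytes"] >= cfg["MinBytesRead"]:  # below this it is treated as casual access
                alerts.append({"pkg": ev["pkg"], "bytes": s["bytes"], "dest": ev["domain"]})
            del state[ev["pkg"]]  # chain consumed either way
        elif stage == want:
            s["idx"] += 1
    return alerts

E = lambda ts, pkg, type, **kw: dict(ts=ts, pkg=pkg, type=type, **kw)
SAMPLE_EVENTS = [  # constructed events, as they would look after normalizing logcat records
    E(0, "com.example.collector", "permission", name="MANAGE_EXTERNAL_STORAGE"),
    E(5, "com.example.collector", "provider_query", provider_pkg="com.example.notes"),
    E(10, "com.example.collector", "file_read", path="/storage/emulated/0/Android/data/com.example.notes/files/notes.db", bytes=700_000),
    E(12, "com.example.collector", "file_read", path="/storage/emulated/0/Android/data/com.example.notes/files/att.bin", bytes=500_000),
    E(15, "com.example.collector", "file_create", path="/storage/emulated/0/Download/out.zip"),
    E(20, "com.example.collector", "upload", domain="uploads.example-unknown.net"),
    E(3, "com.example.gallery", "file_read", path="/storage/emulated/0/Android/data/com.example.gallery/files/a.jpg", bytes=5_000_000),
]
```

Running `correlate(SAMPLE_EVENTS, CONFIG)` yields one alert for com.example.collector; the gallery app's large read of its own directory never enters the chain, and an upload arriving after TimeWindowSeconds restarts the chain instead of alerting.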