Correlates (1) activation of Device Administrator privileges by an application, (2) absence or mismatch of legitimate user interaction during the approval flow, and (3) immediate execution of administrator-level control actions (e.g., password reset, device lock, policy enforcement, prevention of uninstall). The defender observes a causal chain where an application transitions into a privileged device control role and rapidly exercises those capabilities outside expected user-driven patterns.
Application vetting services can check for the string BIND_DEVICE_ADMIN in the application's manifest.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation |
| Application Permission (DC0114) | android:MDMLog | application granted Device Administrator privilege + abnormal activation pattern (e.g., rapid enablement after install or no recent user interaction) |

| Field | Description |
|---|---|
| TimeWindow | Defines correlation window between Device Admin activation and subsequent privileged actions |
| AllowedAdminApps | Baseline of legitimate applications expected to request Device Administrator privileges (e.g., enterprise MDM agents) |
| UserInteractionThreshold | Defines acceptable timing between user interaction and admin activation |
| PrivilegedActionSet | List of high-risk DevicePolicyManager API actions monitored for abuse |
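The correlation described above, written out as an added example (not part of the original page or of any vendor's detection content). The event schema, package names and tunable values are assumptions; the four tunables take their names from the table above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Tunables named after the fields in the table above; the values are assumptions.
TIME_WINDOW = timedelta(seconds=60)                # activation -> privileged action
USER_INTERACTION_THRESHOLD = timedelta(seconds=5)  # max gap between user tap and activation
ALLOWED_ADMIN_APPS = {"com.example.enterprise.mdm"}  # hypothetical baseline MDM agent
PRIVILEGED_ACTION_SET = {"resetPassword", "lockNow", "setCameraDisabled"}

@dataclass
class Event:
    ts: datetime
    pkg: str
    kind: str      # "user_interaction" | "admin_activated" | "dpm_call"
    api: str = ""  # DevicePolicyManager method, for dpm_call events only

def detect(events):
    """Alerts: Device Admin gained with no recent user interaction, then a high-risk DPM call."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for i, act in enumerate(events):
        if act.kind != "admin_activated" or act.pkg in ALLOWED_ADMIN_APPS:
            continue
        # (2) user interaction with this app shortly before activation -> expected flow
        interacted = any(
            e.pkg == act.pkg and e.kind == "user_interaction"
            and act.ts - e.ts <= USER_INTERACTION_THRESHOLD
            for e in events[:i]
        )
        if interacted:
            continue
        # (3) privileged DPM call by the same app inside the correlation window
        for e in events[i + 1:]:
            if e.ts - act.ts > TIME_WINDOW:
                break
            if e.pkg == act.pkg and e.kind == "dpm_call" and e.api in PRIVILEGED_ACTION_SET:
                alerts.append((act.pkg, e.api))
    return alerts

# Constructed sample telemetry: allow-listed MDM agent, user-approved kiosk app, suspicious app.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [
    Event(T0, "com.example.enterprise.mdm", "admin_activated"),
    Event(T0 + timedelta(seconds=1), "com.example.enterprise.mdm", "dpm_call", "lockNow"),
    Event(T0 + timedelta(seconds=10), "com.example.kiosk", "user_interaction"),
    Event(T0 + timedelta(seconds=12), "com.example.kiosk", "admin_activated"),
    Event(T0 + timedelta(seconds=13), "com.example.kiosk", "dpm_call", "setCameraDisabled"),
    Event(T0 + timedelta(seconds=40), "com.example.bad", "admin_activated"),
    Event(T0 + timedelta(seconds=41), "com.example.bad", "dpm_call", "resetPassword"),
    Event(T0 + timedelta(seconds=42), "com.example.bad", "dpm_call", "lockNow"),
]
```

Running `detect(SAMPLE)` flags only the app that activated Device Admin without a preceding tap and then reset the password and locked the device; the allow-listed agent and the user-approved app are suppressed.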