The defender correlates proxy-capable network setup or socket-handling behavior with subsequent bidirectional traffic relaying through the same device and app context, especially when inbound client sessions are followed by outbound connections to unrelated remote destinations, or when the device sustains multiplexed traffic patterns inconsistent with normal mobile app workflows. The analytic prioritizes Android-observable effects: proxy or raw-socket setup, app background execution, inbound-to-outbound traffic bridging, and sustained relayed flows to multiple destinations without recent user interaction.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase |
| Application Permission (DC0114) | android:MDMLog | Managed app without approved VPN, enterprise tunneling, browser, or remote-access role exhibits proxy-like traffic handling inconsistent with policy baseline |
| Network Traffic Flow (DC0078) | NSM:Flow | App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication |
| Network Traffic Content (DC0085) | NSM:Flow | Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between proxy/socket setup and subsequent inbound-outbound traffic bridging |
| AllowedAppList | Apps legitimately expected to proxy or tunnel traffic, such as enterprise VPN, remote access, security testing, or managed browser apps |
| AllowedDestinationList | Approved remote destinations or service categories for legitimate tunneling applications |
| ForegroundStateRequired | Whether proxy-capable or relayed traffic should occur only during active user-driven workflows |
| RelaySessionThreshold | Minimum number of correlated inbound and outbound session pairs required to indicate relay behavior |
| ByteSymmetryTolerance | Allowed variance between inbound and outbound byte volumes when identifying proxied traffic |
| ConcurrentDestinationThreshold | Maximum expected number of simultaneous unrelated remote destinations for a legitimate app |
| UplinkBytesThreshold | Minimum outbound volume required for relay behavior to be considered meaningful |
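As an added worked example (not the page's own code), the following Python sketch applies the correlation described above to constructed flow records, using the tunable fields from the table as its parameters. App package names, peer addresses, timestamps and byte counts are assumed sample values; the detection is the simple form described in the text: a non-allowlisted app's socket/proxy setup followed within TimeWindow by enough byte-symmetric inbound-to-outbound session pairs fanning out to more destinations than expected.

```python
# Constructed sample telemetry (not from the page): a socket-setup event and app-attributed flows.
SETUP_EVENTS = [{"t": 100, "app": "com.example.relay", "event": "socket_listen"}]
FLOWS = [
    {"t": 105, "app": "com.example.relay", "dir": "in", "peer": "203.0.113.5", "bytes": 12000, "fg": False},
    {"t": 106, "app": "com.example.relay", "dir": "out", "peer": "198.51.100.7", "bytes": 11500, "fg": False},
    {"t": 110, "app": "com.example.relay", "dir": "in", "peer": "203.0.113.5", "bytes": 8000, "fg": False},
    {"t": 111, "app": "com.example.relay", "dir": "out", "peer": "198.51.100.9", "bytes": 7900, "fg": False},
    {"t": 120, "app": "com.example.relay", "dir": "in", "peer": "203.0.113.5", "bytes": 20000, "fg": False},
    {"t": 121, "app": "com.example.relay", "dir": "out", "peer": "192.0.2.44", "bytes": 19000, "fg": False},
]
PARAMS = {  # tunable fields from the table above, with constructed values
    "TimeWindow": 300,                    # seconds after setup in which bridging must appear
    "AllowedAppList": {"com.corp.vpn"},   # apps expected to tunnel traffic
    "AllowedDestinationList": {"198.51.100.2"},
    "ForegroundStateRequired": True,      # only background relaying counts
    "RelaySessionThreshold": 2,
    "ByteSymmetryTolerance": 0.2,         # |in - out| / max(in, out)
    "ConcurrentDestinationThreshold": 2,  # more distinct peers than this is abnormal
    "UplinkBytesThreshold": 5000,
}

def relay_pairs(flows, params):
    """Pair each inbound session with the first later outbound session to a different,
    non-approved peer whose byte volume is within ByteSymmetryTolerance."""
    pairs, used = [], set()
    for i in (f for f in flows if f["dir"] == "in"):
        for n, o in enumerate(flows):
            if (n in used or o["dir"] != "out" or o["t"] < i["t"] or o["peer"] == i["peer"]
                    or o["peer"] in params["AllowedDestinationList"]):
                continue
            if abs(i["bytes"] - o["bytes"]) / max(i["bytes"], o["bytes"], 1) <= params["ByteSymmetryTolerance"]:
                pairs.append((i, o)); used.add(n); break
    return pairs

def detect(setup_events, flows, params):
    """One alert per non-allowlisted app whose setup event is followed, within TimeWindow,
    by enough symmetric inbound-to-outbound bridging across too many distinct destinations."""
    alerts = []
    for ev in setup_events:
        if ev["app"] in params["AllowedAppList"]:
            continue
        win = [f for f in flows if f["app"] == ev["app"] and ev["t"] <= f["t"] <= ev["t"] + params["TimeWindow"]
               and not (params["ForegroundStateRequired"] and f["fg"])]
        pairs = relay_pairs(win, params)
        dests = {o["peer"] for _, o in pairs}
        uplink = sum(o["bytes"] for _, o in pairs)
        if (len(pairs) >= params["RelaySessionThreshold"] and len(dests) > params["ConcurrentDestinationThreshold"]
                and uplink >= params["UplinkBytesThreshold"]):
            alerts.append({"app": ev["app"], "pairs": len(pairs), "destinations": sorted(dests), "uplink_bytes": uplink})
    return alerts
```

With the sample data this yields one alert for `com.example.relay` (three relay pairs to three distinct destinations, 38400 uplink bytes); widening AllowedAppList, raising ConcurrentDestinationThreshold, or shrinking TimeWindow suppresses it.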