The defender observes an app (package/UID) repeatedly retrieving network interface configuration attributes (local IP address, MAC address, interface names, active network capabilities, link properties, proxy/DNS settings, or carrier identifiers when permitted) within a short time window, without corresponding user network-management activity. The pattern is characterized by OS API calls that read interface or configuration data, combined with background app state, permission/role context (e.g., device owner, profile owner, carrier, or default SMS app), and optional follow-on connectivity tests (gateway/DNS/proxy reachability). Correlate API execution, app state, and (optionally) local probes to distinguish automated network configuration discovery from routine connectivity checks.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | Application Vetting | None |

| Field | Description |
|---|---|
| TimeWindowSeconds | Window to correlate config reads with app state and optional connectivity tests (e.g., 30–300s). |
| MinConfigReadEvents | Minimum number of network-config read signals before flagging (environment dependent; e.g., ≥10/5m). |
| BackgroundOnly | If true, require the app to be backgrounded to reduce legitimate network UI/diagnostic activity. |
| AllowlistedPackages | Connectivity/security/MDM apps expected to query network configuration frequently. |
| PrivilegedRoleFilter | If true, elevate severity when an app with device-owner/profile-owner/carrier roles performs bursts. |
| LocalProbePorts | Ports considered 'connectivity tests' (e.g., 53, 80, 443, 8080, 3128) – tune per environment. |
| NetworkChangeSuppressionSeconds | Suppress alerts shortly after legitimate network transitions (Wi-Fi join, VPN connect) to reduce noise. |
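
One way to apply the tuning fields above, as an added example that is not part of the original analytic: a sliding-window correlator over normalized events. The event schema (`ts`, `pkg`, `kind`, `background`, `roles`, `port`), the package names, the "medium"/"high" severity labels and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunables:  # field names follow the tuning table above
    TimeWindowSeconds: int = 300
    MinConfigReadEvents: int = 10
    BackgroundOnly: bool = True
    AllowlistedPackages: frozenset = frozenset()
    PrivilegedRoleFilter: bool = True
    LocalProbePorts: frozenset = frozenset({53, 80, 443, 8080, 3128})
    NetworkChangeSuppressionSeconds: int = 60

PRIVILEGED_ROLES = {"device-owner", "profile-owner", "carrier"}

def detect(events, t=Tunables()):
    """Assumed (hypothetical) event schema: ts, pkg, kind, background, roles, port."""
    changes = [e["ts"] for e in events if e["kind"] == "net_change"]
    reads, probes, roles = {}, {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        pkg = e.get("pkg")
        if pkg is None or pkg in t.AllowlistedPackages:
            continue
        roles.setdefault(pkg, set()).update(e.get("roles", ()))
        if e["kind"] == "connect" and e.get("port") in t.LocalProbePorts:
            probes.setdefault(pkg, []).append(e["ts"])
        # Ignore reads just after a legitimate network transition, and foreground reads
        settling = any(0 <= e["ts"] - c <= t.NetworkChangeSuppressionSeconds for c in changes)
        in_scope = e.get("background") or not t.BackgroundOnly
        if e["kind"] == "config_read" and in_scope and not settling:
            reads.setdefault(pkg, []).append(e["ts"])
    alerts, n = [], t.MinConfigReadEvents
    for pkg, ts in reads.items():
        for i in range(len(ts) - n + 1):  # slide over n consecutive reads
            if ts[i + n - 1] - ts[i] <= t.TimeWindowSeconds:
                probed = any(ts[i] <= p <= ts[i] + t.TimeWindowSeconds for p in probes.get(pkg, []))
                privileged = t.PrivilegedRoleFilter and bool(roles[pkg] & PRIVILEGED_ROLES)
                alerts.append({"pkg": pkg, "start": ts[i], "probe": probed,
                               "severity": "high" if privileged else "medium"})
                break
    return alerts

def sample_events():
    """Constructed telemetry (not real logs): three apps and one Wi-Fi join."""
    burst = lambda pkg, t0, bg: [{"ts": t0 + 5 * i, "pkg": pkg, "kind": "config_read",
                                  "background": bg} for i in range(12)]
    return (burst("com.example.flashlight", 1000, True)       # background burst
            + [{"ts": 1070, "pkg": "com.example.flashlight", "kind": "connect", "port": 53}]
            + burst("com.example.wifitool", 1000, False)      # foreground network tool
            + [{"ts": 2000, "kind": "net_change"}]            # Wi-Fi join
            + burst("com.example.chat", 2001, True))          # reads right after the join
```

With the defaults, only the background burst followed by a DNS probe alerts; the foreground tool and the reads that follow the Wi-Fi join are suppressed.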

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information they are not permitted to access.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | Application Vetting | None |