Defender observes an app (package/UID) repeatedly querying device networking context APIs (Wi-Fi scan results/current SSID/BSSID, Bluetooth device discovery, or cellular tower lists) at a rate or timing inconsistent with the app’s normal UX, often while backgrounded. Correlate API calls with permission usage (fine location, nearby devices/Bluetooth) and concurrent connectivity probes (DNS lookups/ARP/port reachability) to distinguish automated discovery from user-initiated settings checks. The detection is based on observed API execution + permission use + rate/sequence, not the specific API method name.
| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | android:appops | ACCESS_FINE_LOCATION\|NEARBY_DEVICES\|BLUETOOTH_SCAN used in close proximity to network-context queries |
| OS API Execution (DC0021) | android:logcat | wifiservice startScan / scanResults retrieved repeatedly or by unexpected package |
| OS API Execution (DC0021) | android:logcat | bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package |
| OS API Execution (DC0021) | android:logcat | telephony cell info enumeration bursts (neighboring/all cell info) by package |
| Network Traffic Content (DC0085) | NSM:Flow | burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans |

| Field | Description |
|---|---|
| TimeWindowSeconds | Correlation window to link scan/enumeration API usage with subsequent probes (e.g., 30–300s). |
| MinScanCalls | Minimum number of scan/enumeration calls per window before flagging (e.g., ≥3 Wi-Fi scans / 5 min). |
| MinUniqueTargets | For Bluetooth/cell, minimum unique devices/towers observed per window (helps avoid single-device noise). |
| BackgroundOnly | Require app to be backgrounded during discovery to suppress legitimate UI-driven network selection. |
| AllowlistedPackages | Packages expected to scan (system settings, Wi-Fi managers, MDM, enterprise connectivity tools). |
| LocationPermissionRequired | If true, require AppOps noteOp for fine location/nearby devices to reduce false positives. |
| LocalProbeCIDRs | CIDR ranges considered 'local discovery' targets (e.g., 192.168.0.0/16, 10.0.0.0/8). |
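The following is an added worked example of the correlation described above, written for this page and not taken from the detection strategy or any vendor tool. It joins three constructed event streams (AppOps permission use, logcat API execution, and flow records) per package and applies every mutable element from the table: TimeWindowSeconds, MinScanCalls, MinUniqueTargets, BackgroundOnly, AllowlistedPackages, LocationPermissionRequired and LocalProbeCIDRs. The `Event` field names and API labels (`wifi.startScan`, `bt.startDiscovery`, `cell.getAllCellInfo`) are assumptions for the example; a real pipeline would map logcat and AppOps parsers onto them.

```python
"""Correlate network-context discovery APIs with permission use and local probes.

Added example (not the page's own logic or any product's rule). Event field
names and API labels are assumptions; the sample events are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    ts: float                # seconds since boot (constructed timestamps)
    pkg: str                 # Android package name
    kind: str                # "scan" (logcat API call), "appop" (noteOp), "probe" (flow)
    api: str = ""            # assumed labels: wifi.startScan, bt.startDiscovery, cell.getAllCellInfo
    background: bool = False # app was backgrounded when the call happened
    targets: tuple = ()      # unique devices/towers returned by a BT/cell callback
    op: str = ""             # AppOps op name for "appop" events
    dst: str = ""            # destination IP for "probe" events


# Mutable elements from the page, with illustrative values.
CONFIG = {
    "TimeWindowSeconds": 300,
    "MinScanCalls": 3,
    "MinUniqueTargets": 2,
    "BackgroundOnly": True,
    "AllowlistedPackages": {"com.android.settings"},
    "LocationPermissionRequired": True,
    "LocalProbeCIDRs": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"],
}
LOCATION_OPS = {"ACCESS_FINE_LOCATION", "NEARBY_DEVICES", "BLUETOOTH_SCAN"}


def is_local(dst: str, cidrs) -> bool:
    """True if dst falls inside one of the 'local discovery' CIDRs."""
    addr = ip_address(dst)
    return any(addr in ip_network(c) for c in cidrs)


def detect(events, cfg=CONFIG):
    """Return (pkg, window_start, reason) findings, at most one per package."""
    findings = []
    by_pkg = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_pkg.setdefault(e.pkg, []).append(e)
    for pkg, evs in by_pkg.items():
        if pkg in cfg["AllowlistedPackages"]:
            continue
        scans = [e for e in evs if e.kind == "scan"]
        # Each scan may open a correlation window of TimeWindowSeconds.
        for i, first in enumerate(scans):
            w_end = first.ts + cfg["TimeWindowSeconds"]
            in_win = [s for s in scans[i:] if s.ts <= w_end]
            if cfg["BackgroundOnly"]:
                in_win = [s for s in in_win if s.background]
            if len(in_win) < cfg["MinScanCalls"]:
                continue
            # MinUniqueTargets only applies to Bluetooth/cell enumeration.
            targets = set()
            for s in in_win:
                targets.update(s.targets)
            bt_or_cell = any(s.api.startswith(("bt.", "cell.")) for s in in_win)
            if bt_or_cell and len(targets) < cfg["MinUniqueTargets"]:
                continue
            if cfg["LocationPermissionRequired"] and not any(
                e.kind == "appop" and e.op in LOCATION_OPS and first.ts <= e.ts <= w_end
                for e in evs
            ):
                continue
            probes = [e for e in evs if e.kind == "probe"
                      and first.ts <= e.ts <= w_end
                      and is_local(e.dst, cfg["LocalProbeCIDRs"])]
            if not probes:
                continue
            findings.append((pkg, first.ts, f"{len(in_win)} scans, {len(probes)} local probes"))
            break
    return findings


# Constructed sample events covering the true positive and three suppression cases.
SAMPLE_EVENTS = [
    # Backgrounded app: 3 Wi-Fi scans, fine-location noteOp, then probes to RFC1918 hosts
    Event(10, "com.example.bgscanner", "scan", "wifi.startScan", background=True),
    Event(11, "com.example.bgscanner", "appop", op="ACCESS_FINE_LOCATION"),
    Event(70, "com.example.bgscanner", "scan", "wifi.startScan", background=True),
    Event(130, "com.example.bgscanner", "scan", "wifi.startScan", background=True),
    Event(135, "com.example.bgscanner", "probe", dst="192.168.1.1"),
    Event(136, "com.example.bgscanner", "probe", dst="192.168.1.5"),
    # Allowlisted system settings app: ignored regardless of volume
    Event(5, "com.android.settings", "scan", "wifi.startScan", background=True),
    Event(6, "com.android.settings", "scan", "wifi.startScan", background=True),
    Event(7, "com.android.settings", "scan", "wifi.startScan", background=True),
    # Foreground app choosing a network: suppressed while BackgroundOnly is set
    Event(20, "com.example.uiapp", "scan", "wifi.startScan"),
    Event(21, "com.example.uiapp", "appop", op="ACCESS_FINE_LOCATION"),
    Event(40, "com.example.uiapp", "scan", "wifi.startScan"),
    Event(60, "com.example.uiapp", "scan", "wifi.startScan"),
    Event(65, "com.example.uiapp", "probe", dst="10.0.0.1"),
    # Bluetooth discovery that only ever sees one device: below MinUniqueTargets
    Event(200, "com.example.btonly", "scan", "bt.startDiscovery", True, ("AA:BB:CC:00:11:22",)),
    Event(201, "com.example.btonly", "appop", op="BLUETOOTH_SCAN"),
    Event(260, "com.example.btonly", "scan", "bt.startDiscovery", True, ("AA:BB:CC:00:11:22",)),
    Event(320, "com.example.btonly", "scan", "bt.startDiscovery", True, ("AA:BB:CC:00:11:22",)),
    Event(325, "com.example.btonly", "probe", dst="192.168.0.2"),
]

if __name__ == "__main__":
    for pkg, start, reason in detect(SAMPLE_EVENTS):
        print(f"{pkg} flagged at t={start}: {reason}")
```

Flipping `BackgroundOnly` to `False` in the config makes the foreground `com.example.uiapp` case fire as well, which is the trade-off the table describes: the flag suppresses user-driven network selection at the cost of missing discovery an app performs while visible.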