The defender correlates foreground service start or promotion activity with persistent-notification presentation, long-lived application execution, and continued access to while-in-use sensors or network activity outside expected user-driven context. The analytic looks for an application invoking foreground service APIs, sustaining a foreground state longer than expected for its declared role, and retaining camera, microphone, location, or other sensor access while the device is locked, the app lacks recent interaction, or the notification identity/function does not match the application’s behavior.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain |
| Application State (DC0123) | MobileEDR:telemetry | Persistent foreground-service notification is created, updated, or remains visible while app behavior or notification identity is inconsistent with declared function during the persistence interval |
| System Settings (DC0118) | MobileEDR:telemetry | Foreground service continues accessing camera, microphone, location, or other while-in-use sensors after service promotion and outside recent user interaction |

| Field | Description |
|---|---|
| AllowedAppList | Apps legitimately expected to run foreground services such as navigation, fitness, calling, media playback, enterprise VPN, accessibility, or device-management apps |
| AllowedServiceTypes | Approved foreground service types and role-to-type mappings, especially on Android 14 and later, where a service must declare its foreground service type |
| ForegroundDurationThreshold | Duration a foreground service may legitimately remain active before suspicion increases |
| SensorAfterPromotionWindow | Maximum expected delay between service promotion and sensor activation for legitimate workflows |
| NotificationMismatchPatterns | Patterns indicating misleading or impersonating foreground notifications, such as benign-looking text or mismatched app function |
| RecentInteractionThreshold | How recently the user must have interacted with the app for sensor or network activity to be considered expected |
| UplinkBytesThreshold | Minimum sustained outbound volume or beacon frequency during persistent foreground execution |
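The following is an added worked example of the correlation described above, not code from the original page or from any MobileEDR product. It takes the three data components (foreground promotion, notification state, sensor or uplink activity) as a flat event stream and applies the tunables from the fields table. The event schema, the `kind` names, the package names and all telemetry values are constructed for illustration; a real deployment would map its own telemetry fields onto them. An app is flagged only when a persistence signal (foreground duration or sustained uplink) coincides with an inconsistency signal (unapproved service type, misleading notification, or sensor access without recent interaction), which is the conjunction the analytic calls for.

```python
"""Correlate Android foreground-service telemetry into per-app findings.

Illustrative example only: the Event shape, kind names and sample events
below are constructed and do not represent a real MobileEDR schema.
"""
from dataclasses import dataclass
from typing import Dict, List

# Tunables mirroring the fields table; every value here is an assumption.
CONFIG = {
    "AllowedAppList": {"com.example.navigation"},
    "AllowedServiceTypes": {"location", "mediaPlayback", "phoneCall"},
    "ForegroundDurationThreshold": 1800,   # seconds the service may stay foreground
    "SensorAfterPromotionWindow": 60,      # max seconds between promotion and sensor use
    "NotificationMismatchPatterns": ("system update", "optimizing", "sync"),
    "RecentInteractionThreshold": 300,     # seconds since last user interaction
    "UplinkBytesThreshold": 50_000,        # bytes sent during the persistence interval
}


@dataclass
class Event:
    ts: int                    # seconds since epoch (constructed)
    pkg: str                   # application package name
    kind: str                  # fg_start | notification | sensor | interaction | uplink | fg_stop
    data: Dict[str, object]    # kind-specific fields


# Constructed sample telemetry for three packages.
EVENTS = [
    # Media app: long foreground run, but its notification matches its role and it touches no sensors.
    Event(1000, "com.example.podcast", "interaction", {}),
    Event(1000, "com.example.podcast", "fg_start", {"api": "startForeground", "foregroundServiceType": "mediaPlayback"}),
    Event(1001, "com.example.podcast", "notification", {"text": "Now playing: Episode 12"}),
    Event(5000, "com.example.podcast", "fg_stop", {}),
    # Allow-listed navigation app: excluded by AllowedAppList regardless of behaviour.
    Event(1000, "com.example.navigation", "fg_start", {"api": "startForeground", "foregroundServiceType": "location"}),
    Event(4000, "com.example.navigation", "sensor", {"sensor": "location", "device_locked": True}),
    # Suspicious app: generic notification text, sensors used long after promotion while locked, sustained uplink.
    Event(990, "com.example.flashlightpro", "interaction", {}),
    Event(1000, "com.example.flashlightpro", "fg_start", {"api": "startForegroundService", "foregroundServiceType": None}),
    Event(1001, "com.example.flashlightpro", "notification", {"text": "Optimizing system performance"}),
    Event(4000, "com.example.flashlightpro", "sensor", {"sensor": "microphone", "device_locked": True}),
    Event(4100, "com.example.flashlightpro", "sensor", {"sensor": "location", "device_locked": True}),
    Event(5000, "com.example.flashlightpro", "uplink", {"bytes": 120_000}),
    Event(8000, "com.example.flashlightpro", "fg_stop", {}),
]


def evaluate(events: List[Event], cfg: Dict[str, object]) -> Dict[str, List[str]]:
    """Return {package: [signals]} for apps showing persistence AND inconsistency."""
    findings: Dict[str, List[str]] = {}
    by_pkg: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_pkg.setdefault(e.pkg, []).append(e)

    for pkg, evs in by_pkg.items():
        if pkg in cfg["AllowedAppList"]:
            continue
        starts = [e for e in evs if e.kind == "fg_start"]
        if not starts:
            continue                          # the chain must begin with a foreground promotion
        promoted = starts[0].ts
        end = max(e.ts for e in evs)
        persistence: List[str] = []           # long-lived or beaconing foreground execution
        misuse: List[str] = []                # role, notification or sensor inconsistencies

        svc_type = starts[0].data.get("foregroundServiceType")
        if svc_type not in cfg["AllowedServiceTypes"]:
            misuse.append(f"unapproved foreground service type: {svc_type}")

        if end - promoted > cfg["ForegroundDurationThreshold"]:
            persistence.append(f"foreground state held for {end - promoted}s")

        uplink = sum(int(e.data.get("bytes", 0)) for e in evs if e.kind == "uplink")
        if uplink >= cfg["UplinkBytesThreshold"]:
            persistence.append(f"{uplink} bytes uplink during foreground interval")

        for n in (e for e in evs if e.kind == "notification"):
            text = str(n.data.get("text", "")).lower()
            if any(p in text for p in cfg["NotificationMismatchPatterns"]):
                misuse.append(f"notification text '{text}' does not match app function")

        for s in (e for e in evs if e.kind == "sensor"):
            # Only interactions that happened before the sensor access count as "recent".
            prior = [e.ts for e in evs if e.kind == "interaction" and e.ts <= s.ts]
            stale = not prior or s.ts - max(prior) > cfg["RecentInteractionThreshold"]
            name = s.data.get("sensor")
            if s.data.get("device_locked") or stale:
                misuse.append(f"{name} accessed while locked or without recent interaction")
            if s.ts - promoted > cfg["SensorAfterPromotionWindow"]:
                misuse.append(f"{name} first used {s.ts - promoted}s after promotion")

        if persistence and misuse:
            findings[pkg] = persistence + misuse
    return findings


if __name__ == "__main__":
    for pkg, signals in evaluate(EVENTS, CONFIG).items():
        print(pkg)
        for s in signals:
            print("  -", s)
```

Run as-is, the podcast app is not reported even though it exceeds `ForegroundDurationThreshold`, because nothing about its notification, service type or sensor use is inconsistent with media playback; the navigation app is skipped by the allow-list; only the flashlight app, which combines a long foreground interval and sustained uplink with a generic notification and locked-screen microphone and location access, is returned. Tuning `RecentInteractionThreshold` and `SensorAfterPromotionWindow` per app role is what keeps calling and camera apps out of the findings.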