Correlates (1) changes to application visibility or user-facing presence such as launcher component disablement, icon suppression, or reduced discoverability, (2) continued application execution or privileged framework activity after that visibility reduction, and (3) follow-on behavior such as background network communication, sensor access, or persistence-related state transitions. The defender observes a causal chain where an application becomes less visible to the user while retaining or increasing operational activity.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | Managed app inventory or launcher-visible state changes show that the application remains installed while its user-facing entry point or launcher component is disabled before later runtime activity |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between visibility suppression and later hidden execution or network activity |
| AllowedAppList | Baseline of legitimate apps allowed to hide launcher presence or disable user-facing components |
| ForegroundStateRequired | Whether post-hide activity is only suspicious when no foreground interaction occurs |
| HiddenComponentThreshold | Threshold for number or type of launcher-visible components disabled before raising suspicion |
| UplinkBytesThreshold | Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background telemetry |
| SensorAfterHideThreshold | Threshold for sensor access frequency after visibility suppression |
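
The correlation described above can be sketched as follows. This is an added example, not code from the original page; the event schema (`ts`, `app`, `type`, `bytes_out`), the package names and the threshold values are assumptions, and only the configuration keys come from the field table.

```python
from collections import defaultdict
CONFIG = {  # tunables named after the table's fields; values are assumptions
    "TimeWindow": 3600,  # seconds watched after the hide event
    "AllowedAppList": {"com.example.kiosk"},
    "ForegroundStateRequired": True,  # skip apps the user opened after the hide
    "HiddenComponentThreshold": 1,
    "UplinkBytesThreshold": 50_000,
    "SensorAfterHideThreshold": 3,
}

def detect_hidden_activity(events, cfg=CONFIG):
    """Return one finding per app that hid its launcher entry and stayed active."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_app[e["app"]].append(e)
    findings = []
    for app, evs in by_app.items():
        hides = [e for e in evs if e["type"] == "component_disabled"]
        need = max(1, cfg["HiddenComponentThreshold"])
        if app in cfg["AllowedAppList"] or len(hides) < need:
            continue
        start = hides[need - 1]["ts"]  # window opens at the threshold-th disable
        later = [e for e in evs if start < e["ts"] <= start + cfg["TimeWindow"]]
        if cfg["ForegroundStateRequired"] and any(e["type"] == "foreground" for e in later):
            continue
        uplink = sum(e.get("bytes_out", 0) for e in later if e["type"] == "network")
        sensors = sum(e["type"] == "sensor" for e in later)
        reasons = [name for name, hit in (
            ("uplink", uplink >= cfg["UplinkBytesThreshold"]),
            ("sensor", sensors >= cfg["SensorAfterHideThreshold"])) if hit]
        if reasons:
            findings.append({"app": app, "hidden_at": start, "reasons": reasons,
                             "uplink_bytes": uplink, "sensor_events": sensors})
    return findings

# Constructed sample events (hypothetical schema, not real MDM telemetry).
SAMPLE_EVENTS = [
    {"ts": 100, "app": "com.example.flashlight", "type": "component_disabled"},
    {"ts": 400, "app": "com.example.flashlight", "type": "network", "bytes_out": 80_000},
    {"ts": 500, "app": "com.example.flashlight", "type": "sensor"},
    {"ts": 100, "app": "com.example.kiosk", "type": "component_disabled"},
    {"ts": 300, "app": "com.example.kiosk", "type": "network", "bytes_out": 90_000},
    {"ts": 100, "app": "com.example.notes", "type": "component_disabled"},
    {"ts": 200, "app": "com.example.notes", "type": "foreground"},
    {"ts": 300, "app": "com.example.notes", "type": "network", "bytes_out": 90_000},
]

if __name__ == "__main__":
    print(detect_hidden_activity(SAMPLE_EVENTS))
```

With the sample data, the allowlisted app and the app with foreground use after the hide are both suppressed; setting `ForegroundStateRequired` to `False` surfaces the latter as well.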