An application performs explicit cryptographic operations (e.g., symmetric/asymmetric encryption routines) on locally collected or generated data, followed by structured outbound network communication that does not align with expected application behavior, particularly when occurring in the background or without user interaction. Detection correlates crypto API usage + data staging + application state + network transmission patterns.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows |
| File Creation (DC0039) | MobileEDR:telemetry | App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission |
| Application State (DC0123) | MobileEDR:telemetry | Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction |
| Application Permission (DC0114) | android:MDMLog | App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality |

| Field | Description |
|---|---|
| TimeWindow | Time correlation between crypto operation and outbound network transmission |
| EntropyThreshold | Threshold for detecting encoded/encrypted payloads based on entropy scoring |
| AllowedCryptoApps | Apps expected to perform encryption (e.g., VPNs, messaging apps) |
| ForegroundStateRequired | Whether encryption + transmission should only occur during user interaction |
| BeaconIntervalVariance | Expected jitter/interval for legitimate app traffic vs beaconing patterns |

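The correlation this analytic describes, run over constructed telemetry, as an added Python example that is not part of the original detection strategy: TimeWindow, EntropyThreshold, AllowedCryptoApps and ForegroundStateRequired appear as tunables, while BeaconIntervalVariance is left out. The event schema, package names and destination addresses are assumptions.

```python
import math
from collections import Counter

# Tunables mirroring the analytic's fields; values are constructed for this example.
TIME_WINDOW = 60            # seconds between crypto/staging activity and outbound transmission
ENTROPY_THRESHOLD = 7.0     # bits per byte; ciphertext approaches 8.0, text sits well below
ALLOWED_CRYPTO_APPS = {"com.example.vpn", "com.example.messenger"}  # hypothetical approved apps
FOREGROUND_STATE_REQUIRED = True  # alert only when staging happened outside the foreground

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a staged blob in bits per byte."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def correlate(events):
    """Alert on each net_tx preceded within TIME_WINDOW by a crypto API call and a
    high-entropy file write from the same app while it was not in the foreground."""
    alerts = []
    for tx in (e for e in events if e["type"] == "net_tx"):
        app = tx["app"]
        if app in ALLOWED_CRYPTO_APPS:  # AllowedCryptoApps suppression
            continue
        window = [e for e in events if e["app"] == app and tx["ts"] - TIME_WINDOW <= e["ts"] <= tx["ts"]]
        crypto = [e for e in window if e["type"] == "crypto_api"]
        staged = [e for e in window if e["type"] == "file_write" and shannon_entropy(e["data"]) >= ENTROPY_THRESHOLD]
        backgrounded = any(e["type"] == "app_state" and e["state"] != "foreground" for e in window)
        if crypto and staged and (backgrounded or not FOREGROUND_STATE_REQUIRED):
            alerts.append({"app": app, "ts": tx["ts"], "dest": tx["dest"],
                           "crypto_apis": sorted({e["api"] for e in crypto}),
                           "staged_bytes": sum(len(e["data"]) for e in staged)})
    return alerts

# Constructed telemetry. CIPHERTEXT uses every byte value equally often, so its entropy is exactly 8.0;
# the three apps and the addresses (documentation ranges) are invented for the example.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"settings=dark;lang=en;\n" * 40
SAMPLE_EVENTS = [
    {"ts": 100, "app": "com.example.weather", "type": "app_state", "state": "background"},
    {"ts": 105, "app": "com.example.weather", "type": "crypto_api", "api": "Cipher.doFinal"},
    {"ts": 106, "app": "com.example.weather", "type": "file_write", "data": CIPHERTEXT},
    {"ts": 130, "app": "com.example.weather", "type": "net_tx", "dest": "203.0.113.7:443"},
    {"ts": 200, "app": "com.example.vpn", "type": "crypto_api", "api": "Cipher.doFinal"},  # approved app
    {"ts": 201, "app": "com.example.vpn", "type": "file_write", "data": CIPHERTEXT},
    {"ts": 210, "app": "com.example.vpn", "type": "net_tx", "dest": "198.51.100.2:443"},
    {"ts": 300, "app": "com.example.notes", "type": "app_state", "state": "foreground"},  # user-driven
    {"ts": 301, "app": "com.example.notes", "type": "crypto_api", "api": "KeyStore.getKey"},
    {"ts": 302, "app": "com.example.notes", "type": "file_write", "data": PLAINTEXT},  # low entropy
    {"ts": 310, "app": "com.example.notes", "type": "net_tx", "dest": "192.0.2.10:443"},
]
```

Only the backgrounded weather app trips all three conditions; the approved VPN is suppressed by the allow list and the foreground notes app never stages a high-entropy blob.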
Indirect evidence of application-layer encrypted channel usage inferred through anomalous background processing and network transmission patterns following application activity, where encryption operations are not directly observable. Detection correlates background execution + network behavior + application entitlement posture to identify misuse of encrypted communication channels.

| Field | Description |
|---|---|
| TimeWindow | Correlation window between background processing and network transmission |
| AllowedAppList | Apps expected to use encrypted communication channels |
| EntropyThreshold | Threshold for identifying encoded/encrypted payloads |
| BeaconIntervalVariance | Tolerance for periodic communication patterns |