Correlates (1) application interaction with elevation control mechanisms (e.g., Accessibility Service, Device Admin, overlay permissions, package installer flows), (2) rapid transition to elevated capability state without expected user interaction patterns, and (3) immediate privileged actions such as sensor access, UI manipulation, or background persistence. The defender observes a causal chain where an application gains elevated privileges through abuse of system-controlled consent flows and subsequently performs actions inconsistent with normal user-driven authorization.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | application granted high-risk permission or special access (AccessibilityService, SYSTEM_ALERT_WINDOW, DeviceAdmin) with abnormal grant pattern (e.g., no recent user interaction or rapid sequence of grants) |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant |
| Field | Description |
|---|---|
| TimeWindow | Defines correlation window between permission grant and privileged behavior |
| HighRiskPermissionSet | List of permissions or access types considered high-risk (Accessibility, Device Admin, overlay) |
| UserInteractionThreshold | Defines acceptable proximity of user interaction to permission grant |
| AllowedAppList | Baseline of legitimate apps expected to use high-risk permissions |