From the defender view: a sandboxed process receives/creates a high-entropy Mach-O/bundle or encrypted segment, performs in-memory decrypt/unpack (mmap/mprotect RW→RX or RWX), optionally drops a transient image in app-writable dirs, then loads it through dyld/dlopen or spawns it. We correlate: (1) opaque blob write/arrival → (2) kernel memory protection changes → (3) dyld/dlopen from app-writable path or posix_spawn of a recently created image → (4) (optional) code-sign evaluation anomalies for the new image.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | iOS:unifiedlog | Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application/ |
| OS API Execution (DC0021) | iOS:unifiedlog | mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files |
| Module Load (DC0016) | iOS:unifiedlog | dlopen/image load from app-writable path (tmp, Caches) outside bundled resources |

| Field | Description |
|---|---|
| TimeWindowSeconds | Correlation window from write→rwx→load/exec (e.g., 5–45s). |
| PayloadEntropyThreshold | Entropy to flag packed blobs (e.g., ≥ 7.3). |
| RWXPageMinKB | Minimum RWX allocation size (e.g., ≥ 32KB). |
| KnownJITAllowlist | Bundle IDs legitimately using JIT to avoid RWX false positives. |
| WritableLoadPathRegex | Regex for app-writable load paths (tmp, Caches) outside app bundle. |
| UnsignedExecPolicy | Tuning if enterprise/dev provisioning allows non-App Store binaries. |

From the defender view: a sandboxed app handles a high-entropy executable blob, performs rapid decode/decrypt in memory (often with RW→RX or execmem friction), optionally emits a transient .dex/.so into app-writable paths, then immediately loads/executes it (DexClassLoader/dlopen) or spawns a helper. We correlate: (1) opaque blob write/arrival → (2) decode/unpack or memory protection change → (3) new code artifact or byte[] class definition → (4) dynamic load/exec within a tight window.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | android:logcat | Create/write of high-entropy files in /data/data/ |
| Module Load (DC0016) | android:logcat | DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload |
| OS API Execution (DC0021) | android:logcat | SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID |
| Process Creation (DC0032) | android:logcat | dlopen of a recently created .so OR short-lived child (/system/bin/sh, toybox, linker) spawned by app_process |

| Field | Description |
|---|---|
| TimeWindowSeconds | Correlation window from write→unpack→load (e.g., 5–45s; device-dependent). |
| PayloadEntropyThreshold | Entropy to flag packed blobs (e.g., ≥ 7.2). |
| RWXPageMinKB | Minimum RWX allocation size to reduce noise (e.g., ≥ 32KB). |
| ExecPathRegex | Regex for suspicious .dex/.so/.jar/temp paths under app container. |
| KnownGoodLoadersAllowlist | Legit libraries/bundles expected to load from writable paths (test/dev builds). |
| UserContext | Foreground/background, Work Profile, developer mode to scope alerts. |
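The write → RWX transition → load/exec chain described for both iOS and Android, as an added correlation example that is not part of the original page. It assumes normalized events of the form (timestamp, app, kind, detail) already extracted from unifiedlog/logcat; the bundle IDs, paths and telemetry below are constructed, and the tunable values are illustrative, not recommended defaults.

```python
import math
import re
from collections import defaultdict

TIME_WINDOW_SECONDS = 45        # tunables named after the table fields above; example values
PAYLOAD_ENTROPY_THRESHOLD = 7.2
RWX_PAGE_MIN_KB = 32
KNOWN_JIT_ALLOWLIST = {"com.example.browser"}  # constructed bundle ID that legitimately JITs
WRITABLE_LOAD_PATH_REGEX = re.compile(r"^/data/data/[^/]+/(cache|files|code_cache)/|^/var/mobile/Containers/Data/Application/")
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8.0, plain text well below 7."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def correlate(events):
    """Chain (1) high-entropy write -> (2) RWX transition -> (3) load/exec of that file, one app, in window."""
    writes = {}              # (app, path) -> timestamp of the high-entropy write
    rwx = defaultdict(list)  # app -> timestamps of RWX transitions above the size floor
    alerts = []
    for ts, app, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "file_write":
            if shannon_entropy(detail["data"]) >= PAYLOAD_ENTROPY_THRESHOLD:
                writes[(app, detail["path"])] = ts
        elif kind == "mprotect_rwx":
            if detail["size_kb"] >= RWX_PAGE_MIN_KB and app not in KNOWN_JIT_ALLOWLIST:
                rwx[app].append(ts)
        elif kind in ("dlopen", "dex_load", "posix_spawn"):
            path = detail["path"]
            w = writes.get((app, path))
            if w is None or not WRITABLE_LOAD_PATH_REGEX.search(path):
                continue
            if ts - w <= TIME_WINDOW_SECONDS and any(w <= t <= ts for t in rwx[app]):
                alerts.append((app, path, kind, ts - w))
    return alerts
# Constructed sample telemetry: (timestamp in seconds, app, event kind, detail).
PACKED = bytes(range(256)) * 4  # entropy 8.0, stands in for an encrypted .dex/.dylib
DEX = "/data/data/com.example.dropper/cache/stage2.dex"
DYLIB = "/var/mobile/Containers/Data/Application/1234-ABCD/tmp/stage2.dylib"
BIN = "/data/data/com.example.game/files/assets.bin"
EVENTS = [
    (0, "com.example.dropper", "file_write", {"path": DEX, "data": PACKED}),
    (3, "com.example.dropper", "mprotect_rwx", {"size_kb": 64}),
    (6, "com.example.dropper", "dex_load", {"path": DEX}),          # full chain -> alert
    (10, "com.example.browser", "mprotect_rwx", {"size_kb": 512}),  # allowlisted JIT, no write
    (30, "com.example.game", "file_write", {"path": BIN, "data": PACKED}),
    (120, "com.example.game", "dlopen", {"path": BIN}),             # no RWX, outside window
    (200, "com.example.ioshost", "file_write", {"path": DYLIB, "data": PACKED}),
    (202, "com.example.ioshost", "mprotect_rwx", {"size_kb": 48}),
    (205, "com.example.ioshost", "dlopen", {"path": DYLIB}),        # full chain -> alert
]
```

Only chains where the loaded path equals a recently written path fire; the in-memory byte[] defineClass case from the Android Module Load row needs a separate rule keyed on the class-definition event rather than on a file path.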