The defender correlates application registration for system event triggers (e.g., broadcast receivers, WorkManager, JobScheduler, SMS/BOOT events) with subsequent execution of application code immediately following the triggering event, without direct user interaction. Confidence increases when execution occurs in background or locked state, is tied to sensitive triggers (SMS received, boot completed, connectivity change), and produces follow-on file or network activity inconsistent with the application’s expected role.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase |
| Application State (DC0123) | MobileEDR:telemetry | System event occurs (e.g., SMS received, device boot completed, network state changed) acting as trigger event for execution phase |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between event trigger occurrence and execution behavior |
| SensitiveEventList | List of high-risk trigger events such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE, PACKAGE_ADDED |
| AllowedAppList | Applications legitimately expected to use background scheduling or event-driven execution (e.g., messaging, system services) |
| ForegroundStateRequired | Whether execution should only occur during active user interaction for specific app categories |
| ExecutionDelayThreshold | Maximum allowed delay between event trigger and execution to still be considered causal |
| UplinkBytesThreshold | Minimum outbound data volume after event-triggered execution to indicate meaningful activity |
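The correlation described above, carried out over constructed telemetry as an added example (not part of the original page): the tunables stand in for the parameter table, the package names and the event record layout are assumptions, and the allow-listed messenger shows how AllowedAppList suppresses a legitimate event-driven app while the boot-triggered app is flagged.

```python
# Added example, not from the original page: correlate constructed
# MobileEDR-style telemetry to flag event-triggered background execution.
from dataclasses import dataclass
# Tunables mirroring the page's parameter table (values are assumptions).
TIME_WINDOW_S = 30.0          # TimeWindow / ExecutionDelayThreshold
SENSITIVE_EVENTS = {"BOOT_COMPLETED", "SMS_RECEIVED", "CONNECTIVITY_CHANGE", "PACKAGE_ADDED"}
ALLOWED_APPS = {"com.example.messenger"}   # AllowedAppList (hypothetical package)
UPLINK_BYTES_THRESHOLD = 4096

@dataclass
class Event:
    ts: float        # seconds since epoch
    kind: str        # "register" | "trigger" | "exec" | "net"
    app: str         # package name; "system" for trigger events
    detail: str = "" # event name (register/trigger) or app state (exec)
    bytes_out: int = 0
def detect(events):
    """One alert per (app, trigger): a registered sensitive event fires, the app
    runs in the background within TIME_WINDOW_S, and follow-on uplink is large."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for trig in (e for e in events if e.kind == "trigger" and e.detail in SENSITIVE_EVENTS):
        deadline = trig.ts + TIME_WINDOW_S
        # Apps that registered for this event before it fired, minus the allow list.
        registered = {e.app for e in events if e.kind == "register"
                      and e.detail == trig.detail and e.ts <= trig.ts} - ALLOWED_APPS
        for app in sorted(registered):
            execs = [e for e in events if e.kind == "exec" and e.app == app
                     and e.detail == "background" and trig.ts < e.ts <= deadline]
            if not execs:
                continue
            uplink = sum(e.bytes_out for e in events if e.kind == "net"
                         and e.app == app and execs[0].ts <= e.ts <= deadline)
            if uplink >= UPLINK_BYTES_THRESHOLD:
                alerts.append({"app": app, "trigger": trig.detail,
                               "delay_s": execs[0].ts - trig.ts, "uplink": uplink})
    return alerts

# Constructed telemetry: an allow-listed messenger reacting to SMS, and a
# flashlight app that wakes on boot and uploads data with no user interaction.
SAMPLE = [
    Event(0, "register", "com.example.messenger", "SMS_RECEIVED"),
    Event(1, "register", "com.example.flashlight", "BOOT_COMPLETED"),
    Event(100, "trigger", "system", "BOOT_COMPLETED"),
    Event(104, "exec", "com.example.flashlight", "background"),
    Event(110, "net", "com.example.flashlight", bytes_out=20480),
    Event(200, "trigger", "system", "SMS_RECEIVED"),
    Event(201, "exec", "com.example.messenger", "background"),
    Event(202, "net", "com.example.messenger", bytes_out=9000),
]
```

Running `detect(SAMPLE)` yields a single alert for the flashlight package with a 4 s trigger-to-execution delay; the messenger's SMS-driven run is suppressed by the allow list, and widening TIME_WINDOW_S or lowering UPLINK_BYTES_THRESHOLD trades recall for noise exactly as the parameter table suggests.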