The defender correlates anomalous application package replacement, update, or executable-content drift with subsequent execution under the trusted application's identity, especially when package metadata, signing lineage, install source, file integrity, or native/DEX component characteristics change without a corresponding trusted distribution path. The analytic prioritizes Android-observable control-plane effects: package install/update events, package hash or code-section drift, signer mismatch or lineage break, unexpected app process behavior after replacement, and optional near-term network or sensor activity inconsistent with the legitimate application's baseline.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | Managed application package version, signer lineage, installer source, or app identity changes outside approved enterprise or store-mediated update workflow |
| OS API Execution (DC0021) | MobileEDR:telemetry | Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase |
| File Creation (DC0039) | MobileEDR:telemetry | APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement |
| Application State (DC0123) | MobileEDR:telemetry | Modified or newly replaced application begins execution or persists while recent_user_interaction=false or device_locked=true or launch context is inconsistent with expected user-driven update flow |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between package replacement, code drift, first launch, and follow-on behavior |
| AllowedAppList | Applications legitimately expected to update frequently or use staged package delivery |
| ApprovedInstallerSources | Expected install or update sources such as managed store, Google Play, or enterprise MDM |
| AllowedSignerLineage | Approved signing certificates, rotation chains, and version lineage for managed apps |
| AllowedPackagePaths | Expected package cache, installer, and app storage locations involved in legitimate updates |
| IntegrityDriftThreshold | Degree of executable-content or metadata change tolerated before alerting |
| ForegroundStateRequired | Whether package replacement and first launch should occur only during active user-driven workflows |
| UplinkBytesThreshold | Minimum outbound volume after first execution of replaced app to treat post-compromise communication as meaningful |
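The correlation described above, written out as an added Python example (not part of the original analytic or any EDR/MDM product). The event types, field names, package names, installer ids and signer hashes are all constructed for illustration; the tunable fields mirror the table above. An update is held as suspicious only when it lacks a trusted distribution path (unapproved installer or signer lineage break), and an alert fires if, within TimeWindow, the replaced app runs outside a user-driven flow or sends more than UplinkBytesThreshold bytes.

```python
# Constructed sample telemetry; event and field names are assumptions, not a real EDR schema.
EVENTS = [
    {"t": 100, "type": "package_update", "pkg": "com.example.bank", "installer": "com.android.vending", "signer": "sha256:AAA", "hash_changed": True},
    {"t": 130, "type": "process_start", "pkg": "com.example.bank", "user_interaction": True, "locked": False},
    {"t": 500, "type": "package_update", "pkg": "com.example.notes", "installer": "com.sideload.app", "signer": "sha256:ZZZ", "hash_changed": True},
    {"t": 560, "type": "process_start", "pkg": "com.example.notes", "user_interaction": False, "locked": True},
    {"t": 590, "type": "net_uplink", "pkg": "com.example.notes", "bytes": 250_000},
]
# Tunable fields from the table above, with constructed values.
CONFIG = {
    "TimeWindow": 300,
    "AllowedAppList": {"com.example.selfupdater"},
    "ApprovedInstallerSources": {"com.android.vending", "com.example.mdm"},
    "AllowedSignerLineage": {"com.example.bank": {"sha256:AAA"}, "com.example.notes": {"sha256:BBB"}},
    "ForegroundStateRequired": True,
    "UplinkBytesThreshold": 100_000,
}

def classify_update(ev, cfg):
    """Reasons a package update lacks a trusted distribution path or shows code drift."""
    reasons = []
    if ev["installer"] not in cfg["ApprovedInstallerSources"]:
        reasons.append("unapproved installer source")
    if ev["signer"] not in cfg["AllowedSignerLineage"].get(ev["pkg"], set()):
        reasons.append("signer lineage break")
    if ev["hash_changed"]:
        reasons.append("code-section drift")
    return reasons

def correlate(events, cfg):
    """Alert on untrusted replacement followed within TimeWindow by unattended execution or heavy uplink."""
    alerts, suspicious = [], {}  # suspicious: pkg -> (update time, reasons)
    for ev in sorted(events, key=lambda e: e["t"]):
        pkg = ev["pkg"]
        if ev["type"] == "package_update":
            reasons = classify_update(ev, cfg)
            untrusted = {"unapproved installer source", "signer lineage break"} & set(reasons)
            if untrusted and pkg not in cfg["AllowedAppList"]:
                suspicious[pkg] = (ev["t"], reasons)  # drift with no trusted distribution path
            continue
        if pkg not in suspicious or ev["t"] - suspicious[pkg][0] > cfg["TimeWindow"]:
            continue
        reasons = suspicious[pkg][1]
        unattended = ev.get("locked") or not ev.get("user_interaction", True)
        if ev["type"] == "process_start" and cfg["ForegroundStateRequired"] and unattended:
            alerts.append({"pkg": pkg, "finding": "execution outside user-driven update flow", "reasons": reasons})
        elif ev["type"] == "net_uplink" and ev["bytes"] >= cfg["UplinkBytesThreshold"]:
            alerts.append({"pkg": pkg, "finding": "post-replacement uplink above threshold", "reasons": reasons})
    return alerts
```

On the constructed events, the Play-delivered update of com.example.bank with an unchanged signer produces no alert, while the sideloaded com.example.notes replacement with a broken signer lineage yields two.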