An application performs repeated symmetric cryptographic operations (e.g., AES/RC4) on collected or staged data using locally accessible or reusable keys, followed by structured outbound communication. Detection correlates symmetric crypto API invocation + key reuse patterns + data staging + background execution context + network transmission, especially when inconsistent with expected application functionality.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage |
| OS API Execution (DC0021) | MobileEDR:telemetry | App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers |
| File Creation (DC0039) | MobileEDR:telemetry | App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission |
| Application State (DC0123) | MobileEDR:telemetry | Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction |
| Application Permission (DC0114) | android:MDMLog | App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality |

| Field | Description |
|---|---|
| TimeWindow | Time correlation between symmetric encryption operations and outbound communication |
| EntropyThreshold | Threshold for detecting encrypted payloads based on entropy scoring |
| KeyReuseThreshold | Number of repeated uses of the same symmetric key within a defined interval |
| AllowedCryptoApps | Apps expected to use symmetric encryption (e.g., messaging, VPN) |
| ForegroundStateRequired | Whether encryption activity should occur only during active user interaction |
| BeaconIntervalVariance | Expected jitter vs periodic encrypted communication |
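As an added example (not from this page or any EDR product), the analytic above expressed over constructed MobileEDR-style telemetry, with each mutable element as a parameter; the event schema, app names and default thresholds are assumptions.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, far lower for text, logs or zero-fill."""
    n = len(data)
    counts = [data.count(v) for v in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_symmetric_c2(events, time_window=60, entropy_threshold=7.0,
                        key_reuse_threshold=3, allowed_crypto_apps=(),
                        foreground_state_required=True):
    """Return apps whose key reuse, high-entropy staging, background context and
    egress all correlate inside one TimeWindow. Assumed event schema: ts (seconds),
    app, kind in {crypto, file_write, net}; key_id/app_state on crypto, data on file_write."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(e)
    flagged = []
    for app, evs in by_app.items():
        if app in allowed_crypto_apps:  # AllowedCryptoApps: encryption is expected here
            continue
        crypto = sorted((e for e in evs if e["kind"] == "crypto"), key=lambda e: e["ts"])
        # KeyReuseThreshold: the same key_id used >= N times within one TimeWindow
        reused = any(sum(1 for d in crypto[i:] if d["key_id"] == c["key_id"]
                         and d["ts"] - c["ts"] <= time_window) >= key_reuse_threshold
                     for i, c in enumerate(crypto))
        # EntropyThreshold: a staged blob that scores like ciphertext
        staged = any(e["kind"] == "file_write" and
                     shannon_entropy(e["data"]) >= entropy_threshold for e in evs)
        # ForegroundStateRequired: encrypting outside the foreground is the signal
        background = (not foreground_state_required) or any(
            c["app_state"] != "foreground" for c in crypto)
        # Outbound transmission within TimeWindow after the last crypto call
        egress = bool(crypto) and any(e["kind"] == "net" and
                                      0 <= e["ts"] - crypto[-1]["ts"] <= time_window for e in evs)
        if reused and staged and background and egress:
            flagged.append(app)
    return flagged

# Constructed telemetry: a weather app encrypting in the background before egress, and a
# chat app with the same key reuse in the foreground (legitimate end-to-end messaging).
CIPHERTEXT_LIKE = bytes(range(256)) * 16  # entropy exactly 8.0 bits/byte
W, C = "com.example.weather", "com.example.chat"
SAMPLE_EVENTS = (
    [{"ts": t, "app": W, "kind": "crypto", "key_id": "k1", "app_state": "background"} for t in (0, 5, 9)]
    + [{"ts": 10, "app": W, "kind": "file_write", "data": CIPHERTEXT_LIKE}, {"ts": 30, "app": W, "kind": "net"}]
    + [{"ts": t, "app": C, "kind": "crypto", "key_id": "k9", "app_state": "foreground"} for t in (0, 1, 2)]
    + [{"ts": 3, "app": C, "kind": "file_write", "data": CIPHERTEXT_LIKE}, {"ts": 4, "app": C, "kind": "net"}]
)
```

With the defaults only the background app is flagged; relaxing ForegroundStateRequired also flags the chat app unless it is on the AllowedCryptoApps list, which is exactly the tuning trade-off the mutable elements describe.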

Indirect evidence of symmetric cryptographic channel usage inferred through repeated structured encrypted network transmissions and background processing patterns, where direct observation of symmetric crypto operations is limited. Detection correlates application background execution + consistent encrypted payload patterns + app entitlement posture to identify misuse of symmetric encryption for command and control.

| Field | Description |
|---|---|
| TimeWindow | Correlation window between background execution and network transmission |
| EntropyThreshold | Threshold for detecting encrypted payloads |
| BeaconIntervalVariance | Tolerance for periodic encrypted communication |
| AllowedAppList | Apps expected to exhibit encrypted communication patterns |