From the defender’s perspective, this strategy correlates signals that a previously unprivileged Android app or process has gained higher privileges through exploitation rather than normal OS or MDM flows.
Observable behaviors include:
1. unprivileged app processes issuing sensitive syscalls or accessing privileged device interfaces;
2. bursts of SELinux denials followed by an unexpected domain or permission change;
3. creation of new processes running with system or root UID whose lineage traces back to an app sandbox path; and
4. crashes or abnormal restarts of privileged system services followed shortly by a new connection or binder interaction from the same low-privileged app.

The focus is on unusual privilege transitions, anomalous process ancestry, and OS security policy violations, not on specific exploit binaries or CVE signatures.

| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | AndroidLogs:Crash | Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID |
| OS API Execution (DC0021) | AndroidLogs:Kernel | Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers) |
| Process Creation (DC0032) | AndroidLogs:Framework | Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/) |

| Field | Description |
|---|---|
| TimeWindow | Correlation window (for example, 60–300 seconds) between SELinux events, crashes, and privilege changes to reduce noise while still capturing exploit chains. |
| AppUidRange | UID ranges that represent unprivileged application accounts in a specific Android OEM or enterprise deployment. |
| SensitiveSyscalls | List of syscalls considered indicative of privilege escalation attempts; may vary by kernel version, OEM drivers, and threat model. |
| PrivilegedServices | Set of high-value Android system services where crashes or restarts are particularly suspicious (for example, system_server, mediaserver). |
| PrivilegedUids | Enterprise-defined mapping of UIDs considered elevated (for example, root, system, radio) for alert scoping. |

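The four observable behaviors and the tunables in the field table combine naturally into one windowed correlation over process, syscall, SELinux, crash and binder events. The Python below is an added example written for this page, not MITRE's or any vendor's detection code: the log line format, the field names (`uid`, `pid`, `ppid`, `exe`, `detail`) and the sample events are constructed, and the UID range, syscall set, service set, window and denial-burst threshold are illustrative values standing in for the TimeWindow, AppUidRange, SensitiveSyscalls, PrivilegedServices and PrivilegedUids fields above.

```python
"""Added example: correlate Android log events into the privilege-escalation
signals described in the text. Line format and field names are constructed."""
import re
from dataclasses import dataclass

# Tunables standing in for the field table (illustrative assumptions).
TIME_WINDOW_S = 120                                   # TimeWindow
APP_UID_RANGE = (10000, 19999)                        # AppUidRange: regular app UIDs
SENSITIVE_SYSCALLS = {"setuid", "ptrace", "perf_event_open"}   # SensitiveSyscalls
PRIVILEGED_SERVICES = {"system_server", "mediaserver", "installd"}  # PrivilegedServices
PRIVILEGED_UIDS = {0: "root", 1000: "system", 1001: "radio"}       # PrivilegedUids
APP_CONTAINER_PREFIXES = ("/data/app/", "/data/user/0/", "/data/data/")
AVC_BURST_MIN = 3   # SELinux denials within the window that count as a burst


@dataclass
class Event:
    ts: float
    kind: str          # proc_create | syscall | avc | crash | binder (constructed)
    uid: int
    pid: int
    ppid: int = -1
    exe: str = ""
    detail: str = ""


KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Event:
    """Parse '<ts> <kind> key=value ...' (constructed format, values may be quoted)."""
    ts, kind, rest = line.split(" ", 2)
    kv = {k: v.strip('"') for k, v in KV.findall(rest)}
    return Event(float(ts), kind, int(kv.get("uid", -1)), int(kv.get("pid", -1)),
                 int(kv.get("ppid", -1)), kv.get("exe", ""), kv.get("detail", ""))


def is_app_uid(uid: int) -> bool:
    return APP_UID_RANGE[0] <= uid <= APP_UID_RANGE[1]


def app_lineage(pid: int, procs: dict):
    """Walk the ppid chain. Returns (flag, app_uid): flag is True when the process
    or any ancestor runs as an app UID or from an app container path; app_uid is
    the first app UID met on the way up (None if none)."""
    flag, app_uid, seen = False, None, set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        uid, ppid, exe = procs[pid]
        if exe.startswith(APP_CONTAINER_PREFIXES):
            flag = True
        if is_app_uid(uid):
            flag = True
            app_uid = uid if app_uid is None else app_uid
        pid = ppid
    return flag, app_uid


def correlate(lines):
    """Return the list of (alert_name, subject) tuples raised over the log lines."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    procs, avc_ts, crash_ts, alerts = {}, {}, [], []
    in_window = lambda ts_list, now: [t for t in ts_list if 0 <= now - t <= TIME_WINDOW_S]
    for e in events:
        if e.kind == "proc_create":
            procs[e.pid] = (e.uid, e.ppid, e.exe)
            flag, app_uid = app_lineage(e.pid, procs)
            if e.uid in PRIVILEGED_UIDS and flag:                     # behavior (3)
                alerts.append(("privileged_process_from_app_lineage", e.pid))
                if len(in_window(avc_ts.get(app_uid, []), e.ts)) >= AVC_BURST_MIN:
                    alerts.append(("selinux_burst_then_privilege_change", app_uid))  # (2)
        elif e.kind == "syscall" and is_app_uid(e.uid) and e.detail in SENSITIVE_SYSCALLS:
            alerts.append(("sensitive_syscall_from_app", e.uid))        # behavior (1)
        elif e.kind == "avc" and is_app_uid(e.uid):
            avc_ts.setdefault(e.uid, []).append(e.ts)
        elif e.kind == "crash" and e.detail in PRIVILEGED_SERVICES:
            crash_ts.append((e.ts, e.detail))
        elif e.kind == "binder" and is_app_uid(e.uid):
            for t, svc in crash_ts:                                     # behavior (4)
                if 0 <= e.ts - t <= TIME_WINDOW_S:
                    alerts.append(("binder_after_privileged_crash", svc))
    return alerts


# Constructed sample log: one app UID (10123) walks through all four behaviors,
# followed by benign activity from another process of the same app.
SAMPLE = """\
100.0 proc_create uid=10123 pid=4001 ppid=1 exe=/data/app/com.example.bad/lib/arm64/libnative.so
105.0 avc uid=10123 pid=4001 detail="denied { ioctl } tcontext=u:object_r:gpu_device:s0"
106.0 avc uid=10123 pid=4001 detail="denied { read } tcontext=u:object_r:kernel:s0"
107.0 avc uid=10123 pid=4001 detail="denied { write } tcontext=u:object_r:kernel:s0"
110.0 syscall uid=10123 pid=4001 detail=perf_event_open
115.0 crash uid=1000 pid=777 detail=system_server
118.0 binder uid=10123 pid=4001 detail=android.os.IServiceManager
120.0 proc_create uid=0 pid=4002 ppid=4001 exe=/data/user/0/com.example.bad/files/payload
900.0 proc_create uid=10123 pid=4003 ppid=1 exe=/system/bin/app_process64
901.0 syscall uid=10123 pid=4003 detail=openat
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE.splitlines()):
        print(alert)
```

Each alert is scoped to the originating app UID or process rather than to a CVE or binary hash, which is what the strategy asks for; the separate `selinux_burst_then_privilege_change` alert fires only when a denial burst and a privileged process from the same app lineage fall inside one window, so the window length and burst threshold are where most false-positive tuning happens.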
This strategy correlates iOS app sandbox escape attempts via unsigned binary execution, mmap memory permission changes (RWX), and sandbox profile violations. The detection chain covers an app leveraging JIT/JavaScriptCore (JSC) to execute shellcode, or triggering a kernel exploit via crafted IOKit or Mach port abuse.

| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | iOS:unifiedlog | code signature validation failure / exec of invalidly-signed payload from sandboxed app |
| API Calls (DC0112) | iOS:unifiedlog | mmap with PROT_EXEC and PROT_WRITE by sandboxed app |

| Field | Description |
|---|---|
| ExecutableHashAllowList | Allowlist of known-benign unsigned binaries, used to reduce false positives. |
| RWXThreshold | Adjustable threshold for RWX page allocation frequency or size. |
| JITContextDetection | May require tuning based on OS version and legitimate app usage (for example, Safari JIT). |
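The two iOS data components and the three tunables above form a second windowed correlation: a code signature failure or sandbox violation from a sandboxed app, joined with RWX mappings by the same process inside the window, with an allowlist for known-benign unsigned binaries, a per-window RWX threshold, and a JIT-context exemption. The Python below is an added example written for this page, not Apple's or MITRE's code; the line format approximates unified log content but is constructed, the `cdhash` allowlist entry and the JIT-entitled process set are assumptions, and all sample events are constructed.

```python
"""Added example: correlate constructed iOS unified-log-style lines into the
sandbox-escape signals described above. Format and field names are constructed."""
import re
from collections import defaultdict

# Tunables standing in for the field table (illustrative assumptions).
TIME_WINDOW_S = 60
RWX_THRESHOLD = 2                                  # RWXThreshold: RWX mappings per window
EXECUTABLE_HASH_ALLOWLIST = {"a1b2c3d4"}            # ExecutableHashAllowList (constructed cdhash)
JIT_ENTITLED_PROCESSES = {"com.apple.WebKit.WebContent"}  # JITContextDetection: assumed JIT users

LINE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<kind>\w+) proc=(?P<proc>\S+) pid=(?P<pid>\d+)(?: (?P<kv>.*))?$")


def parse(line: str):
    """Parse '<ts> <kind> proc=<bundle> pid=<n> key=value ...' (constructed format)."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "kind": m["kind"], "proc": m["proc"], "pid": int(m["pid"])}
    rec.update(re.findall(r"(\w+)=(\S+)", m["kv"] or ""))
    return rec


def correlate(lines):
    """Return (alert_name, process, detail) tuples raised over the lines, in order."""
    recs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    rwx = defaultdict(list)       # pid -> timestamps of RWX mmap calls
    flagged = defaultdict(list)   # pid -> timestamps of signature failures / sandbox violations
    chained, alerts = set(), []
    within = lambda ts_list, now: [t for t in ts_list if 0 <= now - t <= TIME_WINDOW_S]
    for r in recs:
        pid, now = r["pid"], r["ts"]
        if r["kind"] == "codesign_fail":
            if r.get("cdhash") in EXECUTABLE_HASH_ALLOWLIST:
                continue                     # known-benign unsigned binary, no alert
            flagged[pid].append(now)
            alerts.append(("invalid_signature_exec", r["proc"], r.get("path")))
        elif r["kind"] == "sandbox_violation":
            flagged[pid].append(now)
        elif r["kind"] == "mmap" and r.get("prot") == "RWX":
            if r["proc"] in JIT_ENTITLED_PROCESSES:
                continue                     # expected JIT context, exempt from RWX counting
            rwx[pid].append(now)
            hits = len(within(rwx[pid], now))
            if hits >= RWX_THRESHOLD:
                alerts.append(("rwx_mapping_burst", r["proc"], hits))
        # Escalate once per process when RWX mapping and a signature failure or
        # sandbox violation both fall inside the window.
        if pid not in chained and within(rwx[pid], now) and within(flagged[pid], now):
            chained.add(pid)
            alerts.append(("sandbox_escape_chain", r["proc"], pid))
    return alerts


# Constructed sample: a JIT-entitled process maps RWX legitimately, a game app
# maps RWX twice, violates its sandbox profile and then runs an unsigned payload,
# and a developer tool runs an allowlisted unsigned helper.
SAMPLE = """\
10.0 mmap proc=com.apple.WebKit.WebContent pid=300 prot=RWX size=0x100000
11.0 mmap proc=com.apple.WebKit.WebContent pid=300 prot=RWX size=0x100000
50.0 mmap proc=com.example.game pid=512 prot=RW size=0x2000
52.0 mmap proc=com.example.game pid=512 prot=RWX size=0x4000
53.0 mmap proc=com.example.game pid=512 prot=RWX size=0x4000
55.0 sandbox_violation proc=com.example.game pid=512 op=mach-lookup target=com.example.ExampleService
58.0 codesign_fail proc=com.example.game pid=512 cdhash=ffee0011 path=/private/var/tmp/stage2
400.0 codesign_fail proc=com.example.devtool pid=640 cdhash=a1b2c3d4 path=/private/var/tmp/helper
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE.splitlines()):
        print(alert)
```

The JIT exemption is deliberately a process-identity check rather than a blanket RWX exemption, so that an RWX burst from a process that is not expected to JIT still counts; the `sandbox_escape_chain` alert is the high-confidence signal and fires only once per process, while the single-signal alerts remain for triage.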