The defender correlates Android screen-capture-capable behavior from an app identity with runtime context showing that foreground content from another app is being captured outside expected user-driven workflows. The strongest Android evidence is MediaProjection-like capture initiation, accessibility-assisted observation of foreground UI content, or privileged screencap or screenrecord behavior, followed by screenshot or video artifact creation, buffer growth, or outbound transfer. The detection is strengthened when the capturing app is backgrounded, operates as a foreground service without clear user-driven recording intent, captures while another sensitive app is foregrounded, runs with accessibility or elevated access inconsistent with its role, or performs capture without recent user interaction.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow |
| OS API Execution (DC0021) | MobileEDR:telemetry | Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow |
| OS API Execution (DC0021) | MobileEDR:telemetry | Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active |
| Application State (DC0123) | MobileEDR:telemetry | Capturing app remained backgrounded or foreground-service-only while screen capture session occurred and another app was foregrounded during capture interval |
| Application State (DC0123) | MobileEDR:telemetry | LastUserInteractionDelta exceeded threshold before screen capture session start and no expected foreground transition or consent-linked interaction occurred during capture interval |
| Application State (DC0123) | MobileEDR:telemetry | Sensitive app category remained foregrounded during screen capture session from different app identity |
| Application Permission (DC0114) | android:MDMLog | App identity performing screen capture had unapproved accessibility posture, capture-related special access, unmanaged state, or was not approved for screen recording or assistive observation workflows |

| Field | Description |
|---|---|
| TimeWindow | Correlation window linking capture-path invocation, foreground-app context, artifact creation, and optional upload. |
| AllowedAppList | Approved screen-recording, accessibility, remote-support, or QA/testing apps vary by organization and device group. |
| AllowedAccessibilityApps | Approved accessibility-enabled apps vary by assistive and enterprise workflow. |
| AllowedForegroundServiceCaptureApps | Some approved apps may legitimately use foreground services during screen recording. |
| RecentUserInteractionWindow | Defines how close capture initiation must be to user interaction to be considered expected. |
| SensitiveForegroundAppCategories | Categories such as banking, identity, messaging, or enterprise apps may warrant higher sensitivity during capture. |
| ArtifactWriteThreshold | Minimum screenshot/video/cache write volume indicating probable screen-capture output. |
| UplinkBytesThreshold | Threshold for suspicious outbound transfer after capture. |
| ConsentInteractionGracePeriod | Grace period allowed for expected user consent or explicit initiation before capture is treated as suspicious. |
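As an added example that is not part of this detection strategy, the Python below shows how the tunables in the table could drive the correlation described in the opening paragraph: one capture session is scored against the foreground app at capture start, recent and consent-linked user interaction, artifact write volume within TimeWindow, and outbound transfer. The event schema, threshold values and package names are constructed assumptions, not telemetry from any real MobileEDR product.

```python
from dataclasses import dataclass

# Tunables from the table above; numeric values and package names are constructed.
TIME_WINDOW, RECENT_USER_INTERACTION_WINDOW, CONSENT_INTERACTION_GRACE_PERIOD = 300, 30, 10
ARTIFACT_WRITE_THRESHOLD, UPLINK_BYTES_THRESHOLD = 512 * 1024, 256 * 1024  # bytes
ALLOWED_APP_LIST, ALLOWED_ACCESSIBILITY_APPS = {"com.example.support"}, {"com.example.reader"}
SENSITIVE_FOREGROUND_APP_CATEGORIES = {"banking", "identity", "messaging", "enterprise"}

@dataclass
class Event:
    ts: float         # epoch seconds
    kind: str         # capture_start | foreground | user_input | artifact_write | uplink
    app: str          # app identity the event is attributed to
    detail: str = ""  # capture path for capture_start, app category for foreground
    nbytes: int = 0   # bytes written or transmitted

def score_capture(events, start):
    """Correlate one capture_start event with surrounding telemetry; return the evidence."""
    if start.app in ALLOWED_APP_LIST:
        return []  # approved recording workflow, not scored
    reasons = []
    if start.detail == "accessibility" and start.app not in ALLOWED_ACCESSIBILITY_APPS:
        reasons.append("accessibility-assisted capture by unapproved app")
    fg = next((e for e in reversed(events) if e.kind == "foreground" and e.ts <= start.ts), None)
    if fg and fg.app != start.app:
        reasons.append(f"capturer backgrounded while {fg.app} was foregrounded")
        if fg.detail in SENSITIVE_FOREGROUND_APP_CATEGORIES:
            reasons.append(f"sensitive {fg.detail} app foregrounded during capture")
    taps = [e.ts for e in events if e.kind == "user_input"]
    last = max((t for t in taps if t <= start.ts), default=None)
    consent = any(start.ts < t <= start.ts + CONSENT_INTERACTION_GRACE_PERIOD for t in taps)
    if not consent and (last is None or start.ts - last > RECENT_USER_INTERACTION_WINDOW):
        reasons.append("capture started without recent or consent-linked user interaction")
    window = [e for e in events if e.app == start.app and start.ts <= e.ts <= start.ts + TIME_WINDOW]
    written = sum(e.nbytes for e in window if e.kind == "artifact_write")
    if written >= ARTIFACT_WRITE_THRESHOLD:
        reasons.append(f"{written} bytes of capture artifacts written")
    sent = sum(e.nbytes for e in window if e.kind == "uplink")
    if sent >= UPLINK_BYTES_THRESHOLD:
        reasons.append(f"{sent} bytes sent outbound after capture")
    return reasons

# Constructed sample telemetry (time-sorted): a banking app is foregrounded, then a
# backgrounded unrelated app starts a MediaProjection-style session, writes frames, uploads.
SAMPLE_EVENTS = [Event(*t) for t in [
    (100, "user_input", "com.bank.app"), (101, "foreground", "com.bank.app", "banking"),
    (160, "capture_start", "com.shady.cleaner", "mediaprojection"),
    (170, "artifact_write", "com.shady.cleaner", "frames.mp4", 900_000),
    (200, "uplink", "com.shady.cleaner", "", 850_000),
]]
```

Calling `score_capture(SAMPLE_EVENTS, SAMPLE_EVENTS[2])` returns five corroborating observations for the constructed session; a listed app, or an app capturing its own foreground right after a tap, returns none. The event list must be time-sorted, since the latest foreground event before capture start is found by scanning backwards.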