The defender correlates recent access to locally collected or protected data with subsequent compression, packaging, or encryption behavior inside the same app context, followed by creation of archive-like or high-entropy output and optional near-term network transmission. The analytic prioritizes Android runtime and storage effects: application data access or sensor-derived collection, compression/encryption framework use, archive/blob creation in app-accessible storage, and background or device-locked execution inconsistent with the app’s declared function.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | MobileEDR:telemetry | Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity |
| File Creation (DC0039) | MobileEDR:telemetry | Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer |
| Application Permission (DC0114) | android:MDMLog | Managed application with no declared backup, sync, export, or media-editing role performs bulk local packaging or encrypted archive generation |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between data access, package creation, encryption, and optional network upload |
| AllowedAppList | Apps legitimately expected to package local data such as backup, cloud sync, file manager, or media editing apps |
| AllowedPathList | Expected storage paths for legitimate archives, exports, or caches |
| ForegroundStateRequired | Whether packaging/export behavior should occur only during active user-driven workflows |
| BurstReadThreshold | Number of files or records read in a short interval before archive creation |
| ArchiveSizeThreshold | Minimum output size for suspicious packaged blob or archive |
| EntropyThreshold | Threshold for identifying encrypted or heavily compressed output |
| UplinkBytesThreshold | Minimum upload size consistent with recent archive creation |
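
As an added illustration, not part of the original analytic, the Android correlation above expressed in Python over constructed MobileEDR-style events: a burst of user-data reads, a packaging or encryption API call, and a large high-entropy file creation in the same app within TimeWindow, with the allow-lists applied and a near-term uplink recorded. The event schema, threshold values, package names and paths are assumptions.

```python
from collections import defaultdict

TIME_WINDOW = 120                 # seconds between read burst, archive and upload
BURST_READ_THRESHOLD = 5          # distinct user-data objects read before packaging
ARCHIVE_SIZE_THRESHOLD = 100_000  # bytes
ENTROPY_THRESHOLD = 7.5           # bits/byte; near 8.0 means encrypted or compressed
UPLINK_BYTES_THRESHOLD = 50_000
ALLOWED_APPS = {"com.example.backup"}   # assumed legitimate backup app
ALLOWED_PATHS = ("/sdcard/Backups/",)   # assumed legitimate export location
PACKAGING_APIS = {"java.util.zip.ZipOutputStream", "javax.crypto.Cipher"}

def correlate(events):
    """Flag archive-like file creations preceded, within TIME_WINDOW, by a
    burst of reads and a packaging/encryption API call in the same app."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_app[e["app"]].append(e)
    alerts = []
    for app, evs in by_app.items():
        if app in ALLOWED_APPS:
            continue
        for i, e in enumerate(evs):
            if e["type"] != "file_create" or e["path"].startswith(ALLOWED_PATHS):
                continue
            if e["size"] < ARCHIVE_SIZE_THRESHOLD or e["entropy"] < ENTROPY_THRESHOLD:
                continue
            before = [x for x in evs[:i] if e["ts"] - x["ts"] <= TIME_WINDOW]
            reads = {x["path"] for x in before if x["type"] == "file_read"}
            packaged = any(x["type"] == "api_call" and x["api"] in PACKAGING_APIS
                           for x in before)
            if len(reads) < BURST_READ_THRESHOLD or not packaged:
                continue
            uplink = sum(x["bytes"] for x in evs[i + 1:]
                         if x["type"] == "net_tx" and x["ts"] - e["ts"] <= TIME_WINDOW)
            alerts.append({"app": app, "ts": e["ts"], "path": e["path"],
                           "uploaded": uplink >= UPLINK_BYTES_THRESHOLD})
    return alerts

# Constructed telemetry: a notes app with no export role bursts through the
# camera roll, zips and encrypts it, stages a high-entropy blob, then uploads.
SAMPLE_EVENTS = [{"ts": t, "app": "com.example.notes", "type": "file_read",
                  "path": f"/sdcard/DCIM/Camera/IMG_{t:04d}.jpg"} for t in range(6)] + [
    {"ts": 10, "app": "com.example.notes", "type": "api_call", "api": "java.util.zip.ZipOutputStream"},
    {"ts": 11, "app": "com.example.notes", "type": "api_call", "api": "javax.crypto.Cipher"},
    {"ts": 15, "app": "com.example.notes", "type": "file_create", "size": 250_000,
     "entropy": 7.98, "path": "/data/user/0/com.example.notes/cache/.st"},
    {"ts": 40, "app": "com.example.notes", "type": "net_tx", "bytes": 260_000},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for com.example.notes with `uploaded` set; the same sequence from an app in AllowedAppList, or an output below EntropyThreshold, produces none.
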
The defender correlates managed-app data access and lifecycle context with indirect evidence of packaging or encryption prior to outbound transfer. Because direct archive/compression visibility is generally weaker on iOS, the analytic anchors on app lifecycle state, file/output effects observable by mobile EDR where available, managed app role via MDM, and downstream network uploads that closely follow creation of new large or high-entropy local artifacts. Confidence is lower when only network effects are available.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | iOS:MDMLog | Supervised managed app without expected export, backup, or sync role performs local data staging behavior followed by opaque upload activity |
| Application State (DC0123) | MobileEDR:telemetry | Managed app enters background-capable execution or resumes processing immediately before archive-like file creation or upload behavior |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload |
| File Creation (DC0039) | MobileEDR:telemetry | Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between lifecycle event, local package creation, and upload |
| AllowedAppList | Managed apps expected to archive, export, or synchronize data |
| AllowedDestinationList | Approved cloud, enterprise, or sync endpoints for legitimate exports |
| ForegroundStateRequired | Whether packaging or export should occur only during active user interaction |
| ArchiveSizeThreshold | Minimum size for suspicious local package or blob |
| EntropyThreshold | Threshold for identifying encrypted or compressed staged output |
| UplinkBytesThreshold | Minimum outbound volume consistent with recently created archive |