Defender correlates an app preparing to phish (gaining overlay/notification/accessibility capability) with precise foreground targeting (reading activity in front via accessibility/focus) and then presenting a look-alike UI (overlay window or activity-on-top) immediately before local storage or small-burst egress of entered data. Chain: capability/permission → target app in foreground detected → overlay/activity-on-top or fake notification tap → local prompt input write → near-term network egress.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | android:logcat | Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for |
| OS API Execution (DC0021) | android:logcat | TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground |
| Application Log Content (DC0038) | android:logcat | addView TYPE_APPLICATION_OVERLAY \| TYPE_APPLICATION_ATTACHED_DIALOG shown over |
| Process Creation (DC0032) | android:logcat | startActivity on top of |
| File Creation (DC0039) | android:logcat | CREATE/WRITE to /data/data/ |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time from overlay/activity to persist/exfil (e.g., 5–60s). |
| OverlayRequired | Require overlay evidence unless activity-on-top is observed (true/false). |
| TargetPkgWatchlist | List of high-value target packages (banking, identity) to raise severity. |
| PersistPathRegex | Regex for local prompt data artifacts. |
| ExfilDomainAllowlist | Known-good analytics/CDN/service domains to suppress FPs. |
| UserContext | Work Profile/Kiosk mode/Accessibility allowlist to scope benign cases. |
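The Android chain above, written out as a small offline correlator. This is an added example and not code from the original strategy: it applies the tunables from the Field table (TimeWindowSeconds, OverlayRequired, TargetPkgWatchlist, PersistPathRegex, ExfilDomainAllowlist) to constructed, pre-normalised logcat-style events. The one-line event format, the package names, the path and the 203.0.113.x hosts are assumptions; a real collector would have to map raw logcat output onto this shape first.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


# Tunables mirror the strategy's Field table; the defaults are constructed values.
@dataclass
class Tunables:
    time_window_seconds: float = 60.0                    # TimeWindowSeconds
    overlay_required: bool = True                        # OverlayRequired
    target_pkg_watchlist: Set[str] = field(              # TargetPkgWatchlist
        default_factory=lambda: {"com.example.bank"})
    persist_path_regex: str = (                          # PersistPathRegex
        r"^/data/data/[^/]+/.*(prompt|cred|form|input)")
    exfil_domain_allowlist: Set[str] = field(            # ExfilDomainAllowlist
        default_factory=lambda: {"firebaseinstallations.googleapis.com"})


@dataclass
class Event:
    ts: float     # seconds since an arbitrary epoch
    pkg: str      # package the event is attributed to (the observer for foreground events)
    kind: str     # capability | foreground | overlay | activity_on_top | notification_tap | file_write | egress
    detail: str   # capability name, foreground package, window type, file path, or host:port


# Constructed sample, format "<ts> <pkg> <kind> <detail>" (an assumption, not a logcat format).
SAMPLE_LOG = """\
100.0 com.example.dropper capability SYSTEM_ALERT_WINDOW
101.0 com.example.dropper capability BIND_ACCESSIBILITY_SERVICE
160.0 com.example.dropper foreground com.example.bank
160.5 com.example.dropper overlay TYPE_APPLICATION_OVERLAY
175.0 com.example.dropper file_write /data/data/com.example.dropper/files/prompt_input.txt
190.0 com.example.dropper egress 203.0.113.10:443
200.0 com.example.keyboard capability SYSTEM_ALERT_WINDOW
201.0 com.example.keyboard foreground com.example.bank
201.5 com.example.keyboard overlay TYPE_APPLICATION_OVERLAY
205.0 com.example.keyboard egress firebaseinstallations.googleapis.com:443
300.0 com.example.notes file_write /data/data/com.example.notes/files/form_draft.json
301.0 com.example.notes egress 203.0.113.20:443
"""


def parse_line(line: str) -> Optional[Event]:
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return None
    detail = parts[3] if len(parts) == 4 else ""
    return Event(float(parts[0]), parts[1], parts[2], detail)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def correlate(events: List[Event], t: Tunables) -> List[dict]:
    """Walk events in time order, one state machine per package; emit an alert per completed chain."""
    state: Dict[str, dict] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        s = state.setdefault(ev.pkg, {})
        if ev.kind == "capability":
            s.setdefault("capabilities", set()).add(ev.detail)
        elif ev.kind == "foreground" and "capabilities" in s:
            if ev.detail and ev.detail != ev.pkg:          # a foreign package is now in front
                s["target"], s["target_ts"] = ev.detail, ev.ts
        elif ev.kind in ("overlay", "activity_on_top", "notification_tap") and "target" in s:
            if ev.kind == "notification_tap" and t.overlay_required:
                continue                                    # OverlayRequired: bait alone is not enough
            s["present"], s["present_ts"] = ev.kind, ev.ts
        elif ev.kind == "file_write" and "present_ts" in s:
            if (ev.ts - s["present_ts"] <= t.time_window_seconds
                    and re.search(t.persist_path_regex, ev.detail)):
                s["persist"] = ev.detail                    # local prompt input write
        elif ev.kind == "egress" and "present_ts" in s:
            host = ev.detail.rsplit(":", 1)[0]
            if host in t.exfil_domain_allowlist:
                continue                                    # known-good destination, suppress
            if ev.ts - s["present_ts"] <= t.time_window_seconds:
                alerts.append({
                    "pkg": ev.pkg,
                    "target": s["target"],
                    "severity": "high" if s["target"] in t.target_pkg_watchlist else "medium",
                    "capabilities": sorted(s["capabilities"]),
                    "presentation": s["present"],
                    "persist": s.get("persist"),
                    "egress_host": host,
                    "seconds_from_prompt": ev.ts - s["present_ts"],
                })
                state.pop(ev.pkg, None)                    # chain consumed; start fresh
    return alerts


def run_sample() -> List[dict]:
    return correlate(parse_log(SAMPLE_LOG), Tunables())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample only com.example.dropper completes the chain: com.example.keyboard reaches the overlay stage but its egress goes to an allowlisted host, and com.example.notes writes a form cache and talks to the network without ever holding an overlay or accessibility capability, so neither produces an alert. Dropping the allowlist turns the keyboard case into a second alert, which is the trade-off the ExfilDomainAllowlist tunable exists to manage.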

Defender correlates a look-alike prompt inside an app (e.g., faux Apple ID password view, webview of brand login) with timing against scene/foreground activation, optional push notification bait, then local form cache writes and/or small egress. Chain: scene activation around sensitive UI → suspicious prompt creation (UIKit events without expected auth controller) or webview navigated to look-alike domain → local cache write → near-term egress.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | iOS:unifiedlog | Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields |
| Process Access (DC0035) | iOS:unifiedlog | Scene/foreground transitions for |
| Network Traffic Content (DC0085) | iOS:unifiedlog | WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score) |
| File Creation (DC0039) | iOS:unifiedlog | CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max time from prompt to persist/exfil (e.g., 5–60s). |
| LookalikeDomainScore | Threshold for domain visual similarity (e.g., ≥0.85). |
| PersistPathRegex | Regex for credential/form cache artifacts in container. |
| ExfilDomainAllowlist | Enterprise/analytics endpoints to suppress FPs. |
| UserContext | MDM policy, Focus mode, foreground requirement. |
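The iOS strategy above leans on a LookalikeDomainScore for the WKWebView navigation signal but does not say how to compute one. The following is an added example, not code from the original page: it decodes punycode (xn--) labels with Python's built-in idna codec, strips diacritics, folds a small constructed confusable table into a visual "skeleton", and scores the skeleton against a brand host with difflib. The confusable table, the brand host list, the sample hosts and the 0.85 threshold (taken from the Field table) are all assumptions.

```python
import unicodedata
from difflib import SequenceMatcher
from typing import Iterable

# Constructed subset of visually confusable characters; the Unicode confusables
# data file is far larger and would be loaded here in production.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                   # Cyrillic с х у
    "\u0131": "i", "\u04cf": "l", "\u0251": "a",                   # dotless i, palochka, alpha
}


def host_to_unicode(host: str) -> str:
    """Lowercase the host and decode any ACE (xn--) label so homographs can be compared."""
    labels = []
    for label in host.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass            # malformed ACE label: keep it raw, it will simply score low
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Visual skeleton: IDN-decoded, diacritics removed, confusables folded to ASCII."""
    text = unicodedata.normalize("NFKD", host_to_unicode(host))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text if not unicodedata.combining(ch))


def lookalike_score(candidate: str, target: str) -> float:
    """0.0..1.0 similarity of the two skeletons (difflib ratio = 2*matches / total length)."""
    return SequenceMatcher(None, skeleton(candidate), skeleton(target)).ratio()


def is_lookalike(host: str, brand_hosts: Iterable[str], threshold: float = 0.85) -> bool:
    """True when host visually resembles a brand host without being that host."""
    decoded = host_to_unicode(host)
    best = 0.0
    for brand in brand_hosts:
        if decoded == host_to_unicode(brand):
            return False        # the genuine brand host is never a look-alike
        best = max(best, lookalike_score(host, brand))
    return best >= threshold


if __name__ == "__main__":
    brands = ["apple.com"]      # assumed brand list
    for h in ["apple.com", "xn--pple-43d.com", "app1e.com", "example.com"]:
        print(f"{h:22} score={lookalike_score(h, brands[0]):.2f} lookalike={is_lookalike(h, brands)}")
```

The score is deliberately a whole-host visual measure, so a host such as apple-secure-login.example scores well below 0.85 even though it embeds the brand string; catching that family needs a separate substring or keyword rule rather than a lower threshold, which would otherwise flood the detection with false positives. Also, the punycode label must be decoded before skeletonising: compared as raw ASCII, xn--pple-43d.com shares almost nothing with apple.com.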