Defender correlates an app's opaque media ingress (download or IPC) with high-entropy or otherwise anomalous edits to image, audio, or video files in app-writable storage (e.g., bursts of bitmap/codec operations, EXIF/IPTC/XMP mutation, suspicious container growth), followed by decoding/extraction behavior (a new non-media artifact derived from the edited media) and, optionally, exfiltration or sharing of the stego media. The detection focuses on the ordered chain: (1) opaque media arrival, (2) rapid metadata or pixel-domain mutation with atypical size/entropy deltas, then (3a) creation of a decoded payload or a dynamic load from the decoded path, and/or (3b) upload/share of the modified media, all within a tight time window. Each stage alone is noisy (editors, messaging and camera apps re-encode media constantly); the signal is the complete sequence from one app UID within the window, with allowlists suppressing the known-good sources of each stage.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app |
| File Modification (DC0061) | android:logcat | INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change |
| File Creation (DC0039) | android:logcat | App UID writes edited media to container paths (e.g., /data/data/ |
| Field | Description |
|---|---|
| TimeWindowSeconds | Max time between media download/ingress, edit, and payload use/share (e.g., 10–120s depending on device performance). |
| PayloadEntropyThresholdMediaSegment | Minimum Shannon entropy, in bits per byte, of the edited media regions or container deltas (e.g., ≥ 7.1) to flag a likely embedded payload. Measure the changed region or delta rather than the whole file, since compressed media is already high-entropy. |
| SizeDeltaRatio | Minimum growth ratio (post-edit size / pre-edit size) of the media file (e.g., ≥ 1.25) to reduce noise from normal re-encoding, which usually shrinks or only slightly changes the file. |
| EditBurstWriteCount | Minimum sequential small-write count to indicate chunked embedding or re-encode bursts. |
| SuspiciousMimeTransitions | List of atypical MIME/container transitions (e.g., PNG→JPEG with EXIF injection, WAV→M4A) for local tuning. |
| KnownGoodMediaAppsAllowlist | Trusted editors/camera apps allowed to perform frequent edits without alerting. |
| NetworkCDNAllowlist | CDNs/domains expected to host user media for the enterprise; suppresses FP for legitimate apps. |
| UserContext | Foreground, Work Profile, developer mode flags used to scope analytics. |
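The stage correlation described above, as an added worked example that is not part of the original page or of any detection product: it applies the TimeWindowSeconds, PayloadEntropyThresholdMediaSegment, SizeDeltaRatio, KnownGoodMediaAppsAllowlist and NetworkCDNAllowlist tunables to a small stream of constructed events (the `Event` schema, the package names, hosts and paths are all assumptions made for the example, not real telemetry) and emits one alert per media file whose ingress, anomalous rewrite, and decode and/or share all land inside the window.

```python
"""Correlate opaque media ingress -> anomalous edit -> decode/share (added example)."""
import math
from collections import defaultdict
from dataclasses import dataclass

# Tunables mirroring the parameter table; the concrete values are illustrative assumptions.
TIME_WINDOW_SECONDS = 120
PAYLOAD_ENTROPY_THRESHOLD = 7.1     # bits/byte of the post-edit region
SIZE_DELTA_RATIO = 1.25             # post-edit size / pre-edit size
KNOWN_GOOD_MEDIA_APPS = {"com.example.camera"}      # hypothetical allowlisted editor
NETWORK_CDN_ALLOWLIST = {"cdn.example-media.net"}   # hypothetical enterprise media CDN
MEDIA_PREFIXES = ("image/", "audio/", "video/")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class Event:
    ts: float
    pkg: str
    kind: str                 # "ingress" | "modify" | "create" | "share" (assumed schema)
    path: str
    mime: str = ""
    host: str = ""            # ingress/share remote host
    size_before: int = 0      # modify: file size before the write
    data_after: bytes = b""   # modify: post-edit content or edited region
    derived_from: str = ""    # create: media file the artifact was decoded from


def correlate(events, window=TIME_WINDOW_SECONDS,
              entropy_min=PAYLOAD_ENTROPY_THRESHOLD, ratio_min=SIZE_DELTA_RATIO):
    """Return one alert per (pkg, media path) that completes stages 1 -> 2 -> 3a/3b."""
    by_pkg = defaultdict(list)
    for e in events:
        by_pkg[e.pkg].append(e)
    alerts = []
    for pkg, evs in by_pkg.items():
        if pkg in KNOWN_GOOD_MEDIA_APPS:
            continue  # trusted editors rewrite media constantly; suppressed by allowlist
        evs.sort(key=lambda e: e.ts)
        # Stage 1: opaque media ingress from a host not expected to serve user media.
        for ingress in (e for e in evs if e.kind == "ingress"
                        and e.mime.startswith(MEDIA_PREFIXES)
                        and e.host not in NETWORK_CDN_ALLOWLIST):
            # Stage 2: same path rewritten inside the window with atypical size/entropy deltas.
            for mod in (e for e in evs if e.kind == "modify" and e.path == ingress.path
                        and 0 <= e.ts - ingress.ts <= window):
                size_after = len(mod.data_after)
                ratio = size_after / mod.size_before if mod.size_before else float("inf")
                ent = shannon_entropy(mod.data_after)
                if ratio < ratio_min or ent < entropy_min:
                    continue
                # Stage 3a: non-media artifact derived from the edited media, and/or
                # Stage 3b: the edited media is uploaded/shared, both inside the window.
                decoded = [e for e in evs if e.kind == "create" and e.derived_from == mod.path
                           and not e.mime.startswith(MEDIA_PREFIXES)
                           and 0 <= e.ts - mod.ts <= window]
                shared = [e for e in evs if e.kind == "share" and e.path == mod.path
                          and 0 <= e.ts - mod.ts <= window]
                if decoded or shared:
                    alerts.append({
                        "pkg": pkg, "media": mod.path, "ingress_host": ingress.host,
                        "entropy": round(ent, 2), "size_ratio": round(ratio, 2),
                        "decoded_artifacts": [e.path for e in decoded],
                        "shared_to": [e.host for e in shared],
                    })
    return alerts


def sample_events():
    """Constructed telemetry for the example; not real device logs."""
    stego = bytes(range(256)) * 16          # 4 KiB, entropy exactly 8.0 bits/byte
    flat = b"\x00" * 4096                   # 4 KiB, entropy 0.0 (a degenerate re-encode)
    dropper_img = "/data/data/com.example.dropper/files/a.jpg"
    return [
        # Suspicious chain: pull a JPEG, rewrite it larger and high-entropy, decode a DEX, upload.
        Event(0.0, "com.example.dropper", "ingress", dropper_img, mime="image/jpeg", host="203.0.113.10"),
        Event(3.5, "com.example.dropper", "modify", dropper_img, mime="image/jpeg",
              size_before=2048, data_after=stego),
        Event(5.0, "com.example.dropper", "create", "/data/data/com.example.dropper/files/p.dex",
              mime="application/octet-stream", derived_from=dropper_img),
        Event(9.0, "com.example.dropper", "share", dropper_img, host="203.0.113.10"),
        # Benign: allowlisted camera app heavily edits its own photo.
        Event(1.0, "com.example.camera", "ingress", "/sdcard/DCIM/x.jpg", mime="image/jpeg", host="203.0.113.99"),
        Event(2.0, "com.example.camera", "modify", "/sdcard/DCIM/x.jpg", mime="image/jpeg",
              size_before=1024, data_after=stego),
        # Benign: unknown app downloads from the enterprise CDN and re-encodes (low entropy, no decode).
        Event(1.0, "com.example.chat", "ingress", "/data/data/com.example.chat/cache/v.mp4",
              mime="video/mp4", host="cdn.example-media.net"),
        Event(4.0, "com.example.chat", "modify", "/data/data/com.example.chat/cache/v.mp4",
              mime="video/mp4", size_before=1024, data_after=flat),
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

Running the sample yields a single alert for `com.example.dropper` carrying the ingress host, the measured entropy and size ratio, the decoded `.dex` path and the share destination; the camera app is dropped by the allowlist before any stage is evaluated, and the chat app never passes stage 1 because its source is an allowlisted CDN. In production the entropy should be computed over the rewritten region (the delta between the pre- and post-edit file), not the whole file, because a normal JPEG or MP4 already sits near 7.9 bits per byte and would trip the threshold on its own.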