An application with access to broad file scopes or sensitive storage areas becomes active, performs abnormal bursts of file reads and writes across many user or shared-storage locations, transforms file content or extensions at scale in a short window, and causes rapid file inaccessibility, rewriting, or replacement inconsistent with normal sync, backup, media-processing, or document-editing behavior. The defender correlates capability state, app lifecycle, framework use, bulk file-write effects, and optional network communications to distinguish encrypt-for-impact behavior from benign bulk file operations.
| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | android:MDMLog | Managed storage, backup, enterprise file access, or device policy state remains unchanged while bulk destructive file transformation occurs |
| Application Permission (DC0114) | MobileEDR:telemetry | Application holds or is granted broad storage, document-provider, media, or file-management capability inconsistent with its expected role before or during bulk file transformation |
| Application State (DC0123) | MobileEDR:telemetry | Application runs in foreground, service, or sustained background-active state while concentrated file transformation occurs with weak or no recent user interaction |
| OS API Execution (DC0021) | MobileEDR:telemetry | Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation |

| Field | Description |
|---|---|
| TimeWindow | Maximum correlation span between app activation, framework use, and burst file transformation. |
| AllowedAppList | Approved apps allowed to perform legitimate broad file operations such as backup, sync, AV scanning, enterprise migration, media editing, or document management. |
| ForegroundStateRequired | Whether a benign bulk file operation is expected to occur only while the app is visible and actively used. |
| RecentUserInteractionWindow | Threshold for determining whether large-scale file transformation was user-driven versus unattended. |
| FileWriteBurstThreshold | Threshold for number of file create, overwrite, rename, or replace actions within the correlation window. |
| DistinctDirectoryThreshold | Threshold for number of distinct folders or content roots touched during the file-impact burst. |
| ExtensionChangeThreshold | Threshold for suspicious file extension changes or replacement-file patterns indicative of mass transformation. |
| BytesWrittenThreshold | Threshold for cumulative bytes written during the impact window. |
| ProtectedPathAllowList | Known paths, document roots, or work-profile storage locations where benign enterprise migration or sync tooling may rewrite many files. |
| DestinationAllowList | Expected network destinations contacted by legitimate storage, sync, backup, or MDM remediation apps. |
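As an added example (not part of this page or of any detection product), the correlation below applies the tunable fields from the table to constructed MobileEDR-style file events for a single app: it finds the densest write burst inside TimeWindow, then checks directory spread, extension changes, held capability and recent user interaction. Threshold values, package names, paths and capability names are assumptions.

```python
from os.path import dirname, splitext

# Tunables named after the fields in the table above; the values are assumptions.
TIME_WINDOW = 120                    # seconds: max span of one correlated burst
RECENT_USER_INTERACTION_WINDOW = 60  # seconds since last touch before "unattended"
FILE_WRITE_BURST_THRESHOLD = 20      # create/overwrite/rename/replace actions per window
DISTINCT_DIRECTORY_THRESHOLD = 4
EXTENSION_CHANGE_THRESHOLD = 10
ALLOWED_APP_LIST = {"com.example.backup"}                     # hypothetical approved app
BROAD_STORAGE_CAPS = {"MANAGE_EXTERNAL_STORAGE", "DOCUMENT_PROVIDER"}  # assumed names

def densest_burst(events):
    """Largest slice of time-sorted (ts, op, src, dst) events that fits in TIME_WINDOW."""
    best, lo = [], 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > TIME_WINDOW:
            lo += 1
        if hi - lo + 1 > len(best):
            best = events[lo:hi + 1]
    return best

def evaluate(app, events, capabilities, last_interaction_ts):
    """Return triggered indicators (empty list = no alert). An alert needs the write
    burst plus two corroborating indicators, so an ordinary busy app stays quiet."""
    if app in ALLOWED_APP_LIST:
        return []
    burst = densest_burst(sorted(events, key=lambda e: e[0]))
    if len(burst) < FILE_WRITE_BURST_THRESHOLD:
        return []
    reasons = [f"{len(burst)} file writes within {TIME_WINDOW}s"]
    dirs = {dirname(src) for _, _, src, _ in burst}
    ext_changes = sum(1 for _, op, src, dst in burst
                      if op == "rename" and splitext(src)[1] != splitext(dst)[1])
    if len(dirs) >= DISTINCT_DIRECTORY_THRESHOLD:
        reasons.append(f"{len(dirs)} distinct directories touched")
    if ext_changes >= EXTENSION_CHANGE_THRESHOLD:
        reasons.append(f"{ext_changes} extension changes")
    if capabilities & BROAD_STORAGE_CAPS:
        reasons.append("broad storage capability held")
    if burst[0][0] - last_interaction_ts > RECENT_USER_INTERACTION_WINDOW:
        reasons.append("burst began with no recent user interaction")
    return reasons if len(reasons) >= 3 else []

# Constructed telemetry: SUSPECT renames 30 files (.jpg -> .locked) across 5 folders in
# 87 seconds; BENIGN overwrites 30 files in one folder without changing extensions.
FOLDERS = ["DCIM", "Documents", "Download", "Pictures", "Music"]
SUSPECT = [(1000 + 3 * i, "rename", f"/sdcard/{FOLDERS[i % 5]}/f{i}.jpg",
            f"/sdcard/{FOLDERS[i % 5]}/f{i}.locked") for i in range(30)]
BENIGN = [(1000 + 3 * i, "write", f"/sdcard/DCIM/edit{i}.jpg", None) for i in range(30)]
```

Calling `evaluate("com.example.suspect", SUSPECT, {"MANAGE_EXTERNAL_STORAGE"}, 700)` returns all five indicators, while the same events attributed to an AllowedAppList entry, or the BENIGN set with a user touch 10 seconds earlier, return an empty list.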