Correlates (1) application-driven modification of device security posture or monitoring capability (e.g., accessibility abuse, disabling security app components, altering monitoring configuration), (2) immediate degradation or cessation of expected telemetry sources such as mobile EDR, sensor visibility, or system monitoring, and (3) subsequent application activity continuing with reduced observability. The defender observes a causal chain where defensive visibility or enforcement is altered first, followed by continued execution under reduced monitoring conditions.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | Change to security-relevant device configuration or managed policy (e.g., accessibility enablement, app admin changes, security service state change) preceding telemetry degradation |
| Application State (DC0123) | MobileEDR:telemetry | Security or monitoring application transitions to a disabled, inactive, or non-reporting state while other applications remain active |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application invokes system framework operations that alter monitoring, accessibility, or execution visibility, followed by a reduction in expected telemetry generation |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between configuration change, telemetry degradation, and subsequent activity |
| ExpectedTelemetrySources | Baseline set of telemetry sources expected to report continuously (EDR, sensor feeds, monitoring services) |
| TelemetryGapThreshold | Duration or volume threshold defining abnormal loss of telemetry |
| AllowedAppList | Applications legitimately capable of modifying device configuration or security posture |
| CriticalControlSet | Set of security-relevant controls considered high-impact if altered (EDR, accessibility, admin APIs) |
| UplinkBytesThreshold | Outbound traffic threshold used to confirm continued activity during telemetry loss |
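As an added illustration that is not part of the original strategy text, the three-stage correlation above (critical-control change, telemetry gap from an expected source, continued outbound traffic) written in Python over constructed events; the event schema, the package names com.example.edr, com.example.mdm and com.bad.app, and the parameter values are assumptions:

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: int                # seconds (constructed values)
    kind: str              # "config_change", "telemetry" or "uplink"
    app: str               # package emitting the event (for telemetry: the reporting sensor)
    control: str = ""      # control touched by a config_change
    uplink_bytes: int = 0  # bytes sent by an uplink event

# Tunable fields from the table above; values here are illustrative only.
PARAMS = {"TimeWindow": 600, "TelemetryGapThreshold": 120, "UplinkBytesThreshold": 50_000,
          "ExpectedTelemetrySources": {"com.example.edr"},   # hypothetical EDR agent
          "AllowedAppList": {"com.example.mdm"},             # hypothetical MDM agent
          "CriticalControlSet": {"accessibility", "device_admin", "edr_service"}}

def telemetry_gap(events, source, start, end, threshold):
    """Last heartbeat before a silence longer than threshold in [start, end], else None."""
    beats = sorted(e.ts for e in events if e.kind == "telemetry" and e.app == source)
    prior = [b for b in beats if b <= start]
    # Anchor on the last heartbeat at or before the trigger; the window end is a sentinel.
    seq = [prior[-1] if prior else start] + [b for b in beats if start < b <= end] + [end]
    for a, b in zip(seq, seq[1:]):
        if b - a > threshold:
            return a
    return None

def correlate(events, p=PARAMS):
    """Alert on an unauthorized critical-control change followed, within TimeWindow, by telemetry loss and continued uplink."""
    alerts = []
    for t in events:
        if (t.kind != "config_change" or t.control not in p["CriticalControlSet"]
                or t.app in p["AllowedAppList"]):
            continue
        end = t.ts + p["TimeWindow"]
        for src in p["ExpectedTelemetrySources"]:
            gap = telemetry_gap(events, src, t.ts, end, p["TelemetryGapThreshold"])
            if gap is None:
                continue
            sent = sum(e.uplink_bytes for e in events
                       if e.kind == "uplink" and e.app == t.app and gap <= e.ts <= end)
            if sent >= p["UplinkBytesThreshold"]:
                alerts.append({"app": t.app, "control": t.control, "telemetry_lost": src,
                               "gap_start": gap, "uplink_bytes": sent})
    return alerts

# Constructed sample: EDR heartbeats every 60 s stop after the accessibility change at t=300.
SAMPLE = [Event(ts, "telemetry", "com.example.edr") for ts in range(0, 361, 60)]
SAMPLE += [Event(300, "config_change", "com.bad.app", control="accessibility"),
           Event(400, "uplink", "com.bad.app", uplink_bytes=30_000),
           Event(700, "uplink", "com.bad.app", uplink_bytes=30_000)]
```

Running `correlate(SAMPLE)` yields one alert whose `gap_start` is the last heartbeat (360) and whose `uplink_bytes` is 60000; an allow-listed app or a sensor that keeps reporting produces none.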