Correlates (1) modification or replacement of system runtime libraries or API resolution paths, (2) repeated invocation of hijacked APIs across multiple applications, and (3) inconsistent or suppressed outputs from those APIs compared to expected OS-enforced behavior. The defender observes a causal chain where system-level API behavior is altered, resulting in multiple applications exhibiting consistent anomalies in sensor access, permission checks, or system state reporting.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval |
| MobileEDR:telemetry | device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*) |
| Field | Description |
|---|---|
| TimeWindow | Correlation window across multiple applications invoking affected APIs |
| SensitiveAPISet | Set of APIs monitored for integrity (e.g., location, telephony, permission checks) |
| CrossAppConsistencyThreshold | Number of applications required to exhibit anomalous API behavior to trigger detection |
| ExpectedAPIBaseline | Baseline of expected API return values or behavior patterns per device state |