Correlates (1) a malicious application gaining or using a removal-capable control path, such as device owner or delegated app-management authority, accessibility service control over uninstall UI, or rooted filesystem access, (2) initiation of uninstall or package-removal behavior, and (3) disappearance of the application from installed-state inventory or app runtime immediately afterward, often with a short-lived final burst of local cleanup or outbound communication. The defender observes a causal chain where the application first establishes the ability to remove itself, then triggers uninstall or deletion, and then vanishes from expected app presence while device activity continues.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | application holds device-owner, profile-owner, or delegated app-management authority capable of package removal before uninstall event |
| Application Permission (DC0114) | android:MDMLog | application has accessibility service privileges immediately before package-removal UI flow and subsequent application disappearance |
| Application Permission (DC0114) | android:MDMLog | device posture indicates rooted, compromised, or non-compliant state before package files disappear without standard managed uninstall workflow |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss |
| File Deletion (DC0040) | MobileEDR:telemetry | application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between uninstall-capable control, removal action, and app disappearance |
| RemovalAuthoritySet | Roles or privileges considered capable of enabling silent or assisted uninstall, such as device owner, delegated app-management authority, accessibility, or rooted filesystem access |
| AllowedRemovalApps | Legitimate enterprise or device-management apps allowed to uninstall applications |
| RemovalAttemptSignalSet | Signals used to recognize uninstall initiation, such as package-removal actions, uninstall intent flows, or accessibility-driven confirmation steps |
| DisappearanceThreshold | Maximum time between removal action and loss of installed-state visibility |
| UplinkBytesThreshold | Outbound traffic threshold used to confirm final activity before self-removal |
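
The three-stage correlation described above, sketched with the tunable fields from the table as constants. This is an added example, not part of the original analytic: the event schema, field names, signal names, threshold values and package names are all constructed for illustration.

```python
# Added example; field and package names are constructed, not a real MDM/EDR schema.
TIME_WINDOW = 600              # s, removal authority -> removal attempt
DISAPPEARANCE_THRESHOLD = 60   # s, removal attempt -> gone from inventory
UPLINK_BYTES_THRESHOLD = 50_000
REMOVAL_AUTHORITY_SET = {"device_owner", "delegated_app_mgmt", "accessibility", "root"}
REMOVAL_ATTEMPT_SIGNAL_SET = {"package_delete", "uninstall_intent", "a11y_confirm"}
ALLOWED_REMOVAL_APPS = {"com.example.mdm.agent"}

def detect_self_removal(events):
    """Return a finding for each package that completes all three stages."""
    findings, state = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        pkg, kind = ev["package"], ev["type"]
        if pkg in ALLOWED_REMOVAL_APPS:
            continue  # managed uninstall workflow, not self-removal
        s = state.setdefault(pkg, {"authority": None, "attempt": None, "uplink": []})
        if kind == "authority" and ev["role"] in REMOVAL_AUTHORITY_SET:
            s["authority"] = ev
        elif kind == "uplink":
            s["uplink"].append((ev["ts"], ev["bytes"]))
        elif kind == "removal_attempt" and ev["signal"] in REMOVAL_ATTEMPT_SIGNAL_SET:
            auth = s["authority"]
            # Stage 2 counts only if stage 1 was seen recently and the app targets itself.
            if auth and ev["target"] == pkg and ev["ts"] - auth["ts"] <= TIME_WINDOW:
                s["attempt"] = ev
        elif kind == "inventory_missing":
            att = s["attempt"]
            if att and ev["ts"] - att["ts"] <= DISAPPEARANCE_THRESHOLD:
                sent = sum(b for t, b in s["uplink"] if ev["ts"] - t <= TIME_WINDOW)
                findings.append({"package": pkg, "role": s["authority"]["role"],
                                 "signal": att["signal"], "final_burst": sent >= UPLINK_BYTES_THRESHOLD})
            state.pop(pkg, None)  # app is gone; reset its chain
    return findings

# Constructed sample telemetry (timestamps in seconds).
SAMPLE_EVENTS = [
    {"ts": 100, "package": "com.example.flashlight", "type": "authority", "role": "accessibility"},
    {"ts": 130, "package": "com.example.flashlight", "type": "uplink", "bytes": 80_000},
    {"ts": 140, "package": "com.example.flashlight", "type": "removal_attempt",
     "signal": "a11y_confirm", "target": "com.example.flashlight"},
    {"ts": 150, "package": "com.example.flashlight", "type": "inventory_missing"},
    {"ts": 200, "package": "com.example.mdm.agent", "type": "authority", "role": "device_owner"},
    {"ts": 210, "package": "com.example.mdm.agent", "type": "removal_attempt",
     "signal": "package_delete", "target": "com.example.notes"},
    {"ts": 215, "package": "com.example.notes", "type": "inventory_missing"},
]

if __name__ == "__main__":
    print(detect_self_removal(SAMPLE_EVENTS))
```

The managed uninstall of `com.example.notes` by the allowlisted agent produces no finding, while the accessibility-driven self-removal does, with `final_burst` set because the uplink volume exceeded the threshold.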