Correlates (1) application acquisition or use of elevated control paths capable of altering defensive tooling or protected system state, such as device administration, root-enabled modification, or security-setting manipulation, (2) direct changes to security-tool configuration, service state, package state, or protected enforcement settings such as SELinux-relevant files or security-app components, and (3) immediate degradation, suppression, or disappearance of expected security telemetry while the device and initiating application remain active. The defender observes a causal chain where a security control is modified first, then monitoring or protection weakens, and subsequent activity continues under reduced defensive visibility.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | device posture changes to rooted, non-compliant, weakened security state, or elevated control role becomes active before security-tool degradation |
| android:MDMLog | security-relevant application package state, enabled status, administrator state, or managed protection setting changes immediately before monitoring degradation | |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss |
| File Creation (DC0039) | MobileEDR:telemetry | application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state |
| Field | Description |
|---|---|
| TimeWindow | Correlation window between security-setting change, tool degradation, and subsequent continued activity |
| CriticalToolSet | Security-relevant applications or components expected to remain enabled and reporting, such as mobile EDR, Play Protect-associated controls, or agent services |
| TelemetryGapThreshold | Duration or volume threshold defining abnormal loss of expected security telemetry |
| ProtectedSettingSet | Protected settings or files treated as suspicious if modified, including SELinux-relevant enforcement state or security-app configuration |
| AllowedAdminApps | Legitimate applications or management agents allowed to modify security-relevant posture |
| UplinkBytesThreshold | Outbound traffic threshold used to confirm continued meaningful activity during reduced defensive visibility |