Correlates (1) abnormal application or system resource resolution behavior (e.g., library loading, path resolution, or intent redirection), (2) execution of code or resources not aligned with the originating application’s package identity or expected runtime context, and (3) follow-on execution or network activity originating from the hijacked flow. The defender observes a causal chain where execution is redirected from an expected code path to an alternate resource or payload, resulting in execution under a trusted context but with untrusted origin.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | application launches or executes code where loaded library or component path does not match application package path or expected signing context |
| File Access (DC0055) | MobileEDR:telemetry | application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution |
| Process Creation (DC0032) | MobileEDR:telemetry | application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack) |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between abnormal resource loading and execution/network activity |
| AllowedLibraryPaths | Baseline of expected library/resource load paths per application |
| TrustedSignatureList | Trusted signing identities for application components |
| AllowedAppList | Applications allowed to dynamically load code or use external resources |
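As an added example, not part of this strategy page, the chain above as a Python correlation over constructed MobileEDR-style events, using the tunables listed in the table; every package name, path, signer label, the `NET` follow-on event type and the `zygote` parent baseline are assumptions.

```python
from dataclasses import dataclass

# Tunables from the strategy; every package name, path and signer below is constructed.
TIME_WINDOW = 30.0                                        # seconds between abnormal load and follow-on
ALLOWED_LIBRARY_PATHS = {"com.example.bank": ("/data/app/com.example.bank/lib/",)}
TRUSTED_SIGNATURE_LIST = {"com.example.bank": "sig:bank-release"}
ALLOWED_APP_LIST = {"com.example.plugins"}                # apps expected to load code dynamically
WRITABLE_PREFIXES = ("/sdcard/", "/storage/emulated/", "/cache/")
EXPECTED_PARENTS = {"zygote"}                             # assumed baseline for app process parents

@dataclass
class Event:
    ts: float          # epoch seconds
    dc: str            # DC0021, DC0055, DC0032, or NET (constructed follow-on network event)
    package: str
    path: str = ""     # loaded library/component path (DC0021, DC0055)
    signer: str = ""   # signing identity of the loaded component (DC0021)
    parent: str = ""   # parent/invoking context (DC0032)

def abnormal_load(ev: Event) -> bool:
    """Steps 1-2: resolution or execution outside the package's path and signing context."""
    if ev.package in ALLOWED_APP_LIST:
        return False
    if ev.dc == "DC0055":
        return ev.path.startswith(WRITABLE_PREFIXES)
    if ev.dc == "DC0021":
        in_pkg = ev.path.startswith(ALLOWED_LIBRARY_PATHS.get(ev.package, ()))
        return not (in_pkg and ev.signer == TRUSTED_SIGNATURE_LIST.get(ev.package))
    return False

def follow_on(ev: Event) -> bool:
    """Step 3: execution under an unexpected parent, or network activity."""
    return ev.dc == "NET" or (ev.dc == "DC0032" and ev.parent not in EXPECTED_PARENTS)

def correlate(events: list) -> list:
    """One alert per package when a follow-on lands within TIME_WINDOW of an abnormal load."""
    pending: dict = {}
    alerts: list = []
    for ev in sorted(events, key=lambda e: e.ts):
        if abnormal_load(ev):
            pending[ev.package] = ev                      # remember the latest abnormal load
        elif follow_on(ev) and ev.package in pending and ev.ts - pending[ev.package].ts <= TIME_WINDOW:
            alerts.append({"package": ev.package, "load": pending.pop(ev.package).path, "follow_on": ev.dc})
    return alerts

SAMPLE = [  # constructed MobileEDR-style telemetry
    Event(100.0, "DC0055", "com.example.bank", path="/sdcard/Download/libhelper.so"),
    Event(101.0, "DC0021", "com.example.bank", path="/sdcard/Download/libhelper.so", signer="unknown"),
    Event(105.0, "NET", "com.example.bank"),             # hijacked flow reaches the network: alert
    Event(200.0, "DC0055", "com.example.plugins", path="/sdcard/plugins/x.so"),
    Event(201.0, "NET", "com.example.plugins"),          # allow-listed app: no alert
    Event(300.0, "DC0021", "com.example.bank", path="/data/app/com.example.bank/lib/libcore.so", signer="sig:bank-release"),
    Event(340.0, "NET", "com.example.bank"),             # normal in-package load: no alert
]
```

`correlate(SAMPLE)` returns a single alert for `com.example.bank`; the allow-listed app and the in-package, correctly signed load produce none.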