A defender correlates an application being granted accessibility service control with subsequent consumption of high-volume accessibility events, interaction with sensitive UI elements or text-entry fields, optional overlay/window presentation over other applications, and near-term local buffering or outbound network transmission, indicating abuse of accessibility features for input capture, credential theft, or automated interaction.

| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | MobileEDR:telemetry | Application remains backgrounded while accessibility service continues to receive events or perform actions across other foreground apps |
| OS API Execution (DC0021) | MobileEDR:telemetry | Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity |

| Field | Description |
|---|---|
| AllowedAccessibilityApps | Allow-list of sanctioned accessibility-enabled apps in the environment, such as screen readers or approved assistive tools. |
| AccessibilityEventRateThreshold | Threshold for event volume or sustained event consumption indicating broad UI monitoring rather than limited assistive use. |
| SensitiveFieldCorrelationRequired | Determines whether detection should require correlation to text-entry fields, login screens, or password/credential UI contexts. |
| OverlayCorrelationWindow | Time window correlating accessibility activity with overlay/window presentation over other apps. |
| AccessibilityToNetworkWindow | Time window linking accessibility event capture or text change activity to outbound network communication. |
| BackgroundServiceAllowed | Tuning for whether background accessibility service activity is expected for approved assistive tools. |
| UplinkBytesThreshold | Minimum outbound byte volume or burst count considered suspicious after accessibility event capture. |
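As an added example that is not part of this detection page, the correlation described above expressed as a Python rule over constructed MobileEDR-style telemetry. The tunable names are the fields from the table; the `Event` class, the event kinds, the `evaluate_app` function, the package names and every threshold value are assumptions made for the example.

```python
from dataclasses import dataclass
# Tunables named after the page's fields; these values are constructed for the example.
CONFIG = {"AllowedAccessibilityApps": {"com.example.screenreader"},
          "AccessibilityEventRateThreshold": 50,   # accessibility events per minute
          "SensitiveFieldCorrelationRequired": True,
          "OverlayCorrelationWindow": 120,         # seconds, capture -> overlay
          "AccessibilityToNetworkWindow": 300,     # seconds, capture -> outbound traffic
          "BackgroundServiceAllowed": False,
          "UplinkBytesThreshold": 4096}            # outbound bytes after capture

@dataclass
class Event:
    ts: int         # epoch seconds
    app: str        # package identifier
    kind: str       # a11y_grant | a11y_event | sensitive_field | overlay | background | uplink
    count: int = 0  # events consumed (a11y_event) or bytes sent (uplink)

def evaluate_app(app, events, cfg=CONFIG):  # indicators that fire for one app, or []
    ev = sorted((e for e in events if e.app == app), key=lambda e: e.ts)
    grant = next((e.ts for e in ev if e.kind == "a11y_grant"), None)
    if grant is None or app in cfg["AllowedAccessibilityApps"]:
        return []                                   # never granted, or a sanctioned assistive tool
    after = [e for e in ev if e.ts >= grant]
    a11y = [e for e in after if e.kind == "a11y_event"]
    sensitive = [e for e in after if e.kind == "sensitive_field"]
    if cfg["SensitiveFieldCorrelationRequired"] and not sensitive:
        return []                                   # credential-UI context required but absent
    hits = ["sensitive_field_access"] if sensitive else []
    if a11y:  # sustained volume: events per minute over the observed span (at least one minute)
        minutes = max(1.0, (a11y[-1].ts - a11y[0].ts) / 60)
        if sum(e.count for e in a11y) / minutes >= cfg["AccessibilityEventRateThreshold"]:
            hits.append("high_event_rate")
    capture_ts = [e.ts for e in a11y + sensitive] or [grant]
    def near(e, window):  # capture activity within `window` seconds before this event
        return any(0 <= e.ts - t <= window for t in capture_ts)
    if any(near(e, cfg["OverlayCorrelationWindow"]) for e in after if e.kind == "overlay"):
        hits.append("overlay_after_capture")
    if sum(e.count for e in after if e.kind == "uplink"
           and near(e, cfg["AccessibilityToNetworkWindow"])) >= cfg["UplinkBytesThreshold"]:
        hits.append("uplink_after_capture")
    if not cfg["BackgroundServiceAllowed"] and any(e.kind == "background" for e in after):
        hits.append("background_activity")
    capture = {"high_event_rate", "sensitive_field_access"}  # alert needs capture plus follow-on
    return hits if capture & set(hits) and set(hits) - capture else []

# Constructed telemetry: a sanctioned screen reader and a suspicious app (only the latter alerts).
SAMPLE_EVENTS = [Event(*r) for r in [
    (0, "com.example.screenreader", "a11y_grant"), (60, "com.example.screenreader", "a11y_event", 900),
    (1000, "com.bad.app", "a11y_grant"), (1010, "com.bad.app", "a11y_event", 120),
    (1070, "com.bad.app", "a11y_event", 150), (1080, "com.bad.app", "sensitive_field"),  # password field
    (1090, "com.bad.app", "overlay"), (1100, "com.bad.app", "background"),
    (1200, "com.bad.app", "uplink", 8000)]]
```

The allow-list suppresses the screen reader outright, and an app that only consumes events with no overlay, uplink or background follow-on never reaches an alert, which is what keeps the rule from firing on ordinary assistive use.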