Correlates (1) continuous or repeated use of motion or interaction-inference signals that do not require overt user-facing privilege prompts, (2) suppression of higher-risk behavior while user presence or active handling is inferred, and (3) resumption of background execution, sensor use, local data handling, or network activity only when device interaction falls below a threshold. The defender observes a causal chain where an application senses user/device interaction state and intentionally gates malicious behavior to user-inactive periods.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence |
| Application State (DC0123) | MobileEDR:telemetry | application reduces or halts operational activity during periods of active user interaction and resumes background execution or periodic work only during low-motion or idle intervals |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between motion-state inference and subsequent deferred execution |
| IdleThreshold | Threshold defining when device motion or interaction is considered low enough to permit hidden execution |
| InteractionSignalSet | Environment-specific set of motion or activity signals used to infer user presence |
| AllowedAppList | Baseline of legitimate applications expected to use motion or activity sensing while also conditionally changing behavior |
| ForegroundStateRequired | Whether suspiciousness increases when deferred activity starts from background or with no recent foreground interaction |
| UplinkBytesThreshold | Minimum outbound traffic threshold used to distinguish meaningful deferred operation from benign maintenance traffic |