The defender correlates call-control capability or telecom role state with subsequent unauthorized call initiation, answer, block, redirect, or concealment behavior by an application outside expected telephony workflows. The analytic prioritizes Android-observable control-plane effects: dangerous or role-gated call-control permissions, default dialer or ConnectionService-related role changes, telecom framework invocation for call placement or handling, write activity against call-log records, and call-control activity occurring from background or locked-device context without recent user interaction.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity |
| | android:MDMLog | Default phone or telecom-handling role changes to a non-baselined application, or a managed app unexpectedly becomes the dialer/call-handling app during the call-control phase |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase |
| File Modification (DC0061) | MobileEDR:telemetry | Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between permission or role state, call-control action, call-log mutation, and follow-on network communication |
| AllowedAppList | Apps legitimately expected to initiate or manage calls, such as default dialers, carrier tools, enterprise communications apps, or approved call-screening apps |
| AllowedDialerRoles | Approved packages allowed to become default dialer or telecom-managing app on managed devices |
| AllowedDestinationList | Approved network destinations associated with legitimate VoIP, carrier, or enterprise communications workflows |
| ForegroundStateRequired | Whether call-control actions should occur only during active user-driven workflows |
| CallLogModificationThreshold | Number of call-log insert, update, or delete operations within a short interval required before alerting |
| CallActionRateThreshold | Maximum expected rate of call placement, answer, redirect, or block actions for legitimate app behavior |
| HighRiskNumberPatterns | Environment-specific list of suspicious, premium-rate, or adversary-known phone-number patterns |
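As an added example that is not part of the original analytic, the correlation described above written as Python detection logic and run over constructed sample telemetry; the event schema, package names, and tunable values are assumptions chosen for illustration.

```python
import re

# Constructed sample telemetry (not real device logs). Fields: timestamp in
# seconds, package, event kind (role_change / call_api / calllog_write),
# detail (role name, "placeCall:<number>", or call-log op) and foreground flag.
EVENTS = [dict(zip(("ts", "pkg", "kind", "detail", "fg"), t)) for t in [
    (100, "com.example.notes", "role_change", "ROLE_DIALER", True),
    (130, "com.example.notes", "call_api", "placeCall:+19005550100", False),
    (131, "com.example.notes", "calllog_write", "delete", False),
    (132, "com.example.notes", "calllog_write", "delete", False),
    (400, "com.android.dialer", "call_api", "placeCall:+14155550100", True),
]]

# Tunables keyed by the analytic's field names; the values are assumed.
CONFIG = {
    "TimeWindow": 120,
    "AllowedAppList": {"com.android.dialer"},
    "AllowedDialerRoles": {"com.android.dialer"},
    "ForegroundStateRequired": True,
    "CallLogModificationThreshold": 2,
    "CallActionRateThreshold": 3,
    "HighRiskNumberPatterns": [r"^\+1900"],
}

def analyze(events, cfg):
    """Correlate each call-control API event with the same package's role,
    foreground, call-log and destination context inside TimeWindow."""
    alerts = []
    for c in sorted(events, key=lambda e: e["ts"]):
        if c["kind"] != "call_api" or c["pkg"] in cfg["AllowedAppList"]:
            continue
        win = [e for e in events if e["pkg"] == c["pkg"]
               and abs(e["ts"] - c["ts"]) <= cfg["TimeWindow"]]
        reasons = []
        if c["pkg"] not in cfg["AllowedDialerRoles"] and any(
                e["kind"] == "role_change" and e["ts"] <= c["ts"] for e in win):
            reasons.append("unapproved_dialer_role_before_call")
        if cfg["ForegroundStateRequired"] and not c["fg"]:
            reasons.append("call_control_from_background")
        writes = sum(e["kind"] == "calllog_write" and e["ts"] >= c["ts"] for e in win)
        if writes >= cfg["CallLogModificationThreshold"]:
            reasons.append("call_log_mutation_after_call")
        if sum(e["kind"] == "call_api" for e in win) > cfg["CallActionRateThreshold"]:
            reasons.append("call_action_rate_exceeded")
        number = c["detail"].split(":", 1)[-1]
        if any(re.search(p, number) for p in cfg["HighRiskNumberPatterns"]):
            reasons.append("high_risk_number")
        if reasons:
            alerts.append({"pkg": c["pkg"], "ts": c["ts"], "reasons": reasons})
    return alerts
```

Calling `analyze(EVENTS, CONFIG)` flags only the non-baselined package, with one alert carrying every reason that fired; the approved dialer's call produces nothing.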