A legitimate-seeming application or update is installed through an expected or previously trusted path, but shortly after first run or update the application exhibits new runtime behavior, sensor use, file staging, or network communications inconsistent with its historical baseline, documented role, or prior version. The defender specifically looks for behaviors commonly introduced by compromised third-party libraries or manipulated build tooling, such as unexpected background service activation, first-seen framework use, new permissions exercised, novel network destinations, or dropped local artifacts not aligned to the app's expected function.
| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | android:MDMLog | Managed app distribution, enterprise catalog trust, and update policy remain expected while a known package exhibits materially different post-install or post-update behavior |
| Application Permission (DC0114) | android:MDMLog | Known application version declares, gains, or first exercises storage, communications, accessibility, advertising, analytics, overlay, or sensor-adjacent capability inconsistent with prior version baseline or business role |
| Application State (DC0123) | android:MDMLog | Newly installed or updated application launches background service, becomes active without recent user interaction, or executes immediately after update in a pattern inconsistent with baseline |
| OS API Execution (DC0021) | MobileEDR:telemetry | Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update |
| Field | Description |
|---|---|
| TimeWindow | Maximum span between install/update or first launch and the first suspicious behavior drift. |
| AllowedAppList | Apps legitimately expected to add services, libraries, or destinations because of approved releases. |
| AllowedVersionChangeWindow | Grace period after an approved release during which limited behavior drift may be expected. |
| CapabilityDriftThreshold | Threshold for how many new permissions or capabilities are tolerated before behavior is considered suspicious. |
| SensorDriftThreshold | Threshold for newly used sensors or privacy-sensitive resources that are tolerated for a known app. |
| ForegroundStateRequired | Whether certain framework or sensor behaviors should only be treated as suspicious when they occur without visible user interaction. |
| RecentUserInteractionWindow | Time threshold for distinguishing autonomous post-update execution from normal first-run user activity. |
| DestinationAllowList | Expected domains, CDNs, telemetry services, or APIs associated with approved app updates and known SDKs. |
| BehaviorBaselinePopulation | Devices, versions, or user cohorts used to define normal behavior for the app. |
A legitimate-seeming app or update arrives through an expected or trusted distribution path, but the delivered application begins showing new entitlement exercise, background activity, framework use, sensor access, or network behavior inconsistent with its prior baseline or documented role. Because direct inspection of compromised dependencies or developer tooling is weaker on iOS, the defender emphasizes supervised-device app inventory, post-update behavior drift, new first-run or background patterns, and downstream communications that suggest compromised embedded libraries or manipulated build outputs.
| Data Component | Name | Channel |
|---|---|---|
| Protected Configuration (DC0115) | iOS:MDMLog | Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change |
| Application Permission (DC0114) | iOS:MDMLog | Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role |
| Application State (DC0123) | MobileEDR:telemetry | Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction |
| OS API Execution (DC0021) | MobileEDR:telemetry | Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update |
| Field | Description |
|---|---|
| TimeWindow | Maximum span between install/version change and first suspicious post-delivery behavior. |
| SupervisedOnly | Whether the analytic should only apply to supervised devices with high-confidence managed app telemetry. |
| AllowedAppList | Approved apps expected to change capabilities, services, or destinations because of legitimate releases. |
| AllowedVersionChangeWindow | Grace period after an approved release during which limited behavior drift may be expected. |
| CapabilityDriftThreshold | Threshold for how much entitlement or capability drift is tolerated for a known app. |
| SensorDriftThreshold | Threshold for newly used sensors or privacy-sensitive resources tolerated for a known app. |
| ForegroundStateRequired | Whether certain behaviors should only be treated as suspicious when they occur without visible user interaction. |
| RecentUserInteractionWindow | Threshold for distinguishing autonomous post-update activity from normal user-driven first-run behavior. |
| DestinationAllowList | Expected domains, telemetry services, or APIs associated with approved app updates and known SDK behavior. |
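The following is an added example, not part of the original analytic or any vendor's code, showing how the mutable elements above (TimeWindow, RecentUserInteractionWindow, CapabilityDriftThreshold, AllowedAppList, DestinationAllowList) combine into one drift check over constructed MDM/EDR telemetry; it applies to both the Android and iOS analytics since the logic is identical and only the permission or entitlement names differ. Package names, hosts and events are hypothetical.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Mutable elements from the analytic; values below are constructed for this example.
TIME_WINDOW = timedelta(hours=24)
RECENT_USER_INTERACTION_WINDOW = timedelta(minutes=5)
CAPABILITY_DRIFT_THRESHOLD = 1
ALLOWED_APP_LIST = {"com.example.approved"}             # hypothetical package name
DESTINATION_ALLOW_LIST = {"telemetry.example-sdk.net"}  # hypothetical known-SDK host

# kind is "update", "permission", "network", "service" or "user_interaction"
Event = namedtuple("Event", "ts kind value")

def detect_drift(pkg, baseline, events):
    """Compare post-update behavior with the prior-version baseline; return findings."""
    events = sorted(events, key=lambda e: e.ts)
    update_ts = next((e.ts for e in events if e.kind == "update"), None)
    if update_ts is None or pkg in ALLOWED_APP_LIST:
        return []
    findings, new_perms, last_user = [], set(), None
    for e in events:
        if e.kind == "user_interaction":
            last_user = e.ts
        if not update_ts <= e.ts <= update_ts + TIME_WINDOW:
            continue  # outside TimeWindow: not attributed to the update
        if e.kind == "permission" and e.value not in baseline["permissions"]:
            new_perms.add(e.value)
        elif e.kind == "network" and e.value not in baseline["destinations"] | DESTINATION_ALLOW_LIST:
            findings.append(f"novel destination {e.value}")
        elif e.kind == "service" and e.value not in baseline["services"]:
            # ForegroundStateRequired: flag only without recent user interaction
            if last_user is None or e.ts - last_user > RECENT_USER_INTERACTION_WINDOW:
                findings.append(f"autonomous background service {e.value}")
    if len(new_perms) > CAPABILITY_DRIFT_THRESHOLD:
        findings.append(f"capability drift {sorted(new_perms)}")
    return findings

def run_sample():
    """Constructed telemetry for a hypothetical app whose update drifts from baseline."""
    t0 = datetime(2024, 1, 1, 9, 0)
    baseline = {"permissions": {"INTERNET"}, "destinations": {"api.example.com"}, "services": set()}
    events = [
        Event(t0, "update", "2.0.0"),
        Event(t0 + timedelta(minutes=1), "permission", "READ_CONTACTS"),
        Event(t0 + timedelta(minutes=2), "permission", "RECORD_AUDIO"),
        Event(t0 + timedelta(minutes=3), "service", "SyncService"),
        Event(t0 + timedelta(hours=2), "network", "updates.unknown-host.example"),
        Event(t0 + timedelta(days=3), "network", "late.unknown-host.example"),  # outside TimeWindow
    ]
    return detect_drift("com.example.app", baseline, events)
```

In production the baseline sets would be built from the BehaviorBaselinePopulation for the prior app version rather than hard-coded, and a finding would be suppressed during AllowedVersionChangeWindow for approved releases.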