The defender correlates creation or registration of deferred, repeating, or constraint-based background work with later task execution in the same app context, especially when the task executes without recent user interaction, from background state, or with follow-on file, sensor, or network behavior inconsistent with the app's declared role. The analytic prioritizes Android-observable control-plane effects: WorkManager enqueue operations, JobScheduler or AlarmManager scheduling, later wake or execution of the scheduled work, and post-trigger activity such as network sessions, local staging, or sensor access.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase |
| Scheduled Job Creation (DC0001) | MobileEDR:telemetry | Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between task registration and later execution, and between execution and follow-on behavior |
| AllowedAppList | Apps legitimately expected to use WorkManager, JobScheduler, or AlarmManager such as mail, sync, backup, calendar, or enterprise management apps |
| AllowedConstraintProfiles | Expected charging, network, idle, or timing constraints for legitimate scheduled work |
| AllowedScheduleIntervals | Expected delay or periodic interval ranges for legitimate app behavior |
| ForegroundStateRequired | Whether follow-on activity from a scheduled task should only occur during active user-driven workflows for a given app |
| TriggerToNetworkWindow | Maximum expected delay between scheduled job trigger and outbound communication |
| UplinkBytesThreshold | Minimum outbound volume after scheduled execution to treat network behavior as meaningful |

The defender correlates creation of background scheduler activity with later execution of repeating or deferred work by the same managed app, then raises confidence when the triggered activity produces network, local-write, or other app behavior that occurs outside expected user context. Because iOS exposes weaker direct scheduling observability in many enterprise environments, the analytic anchors first on managed app posture and lifecycle-to-network or lifecycle-to-file effects, with NSBackgroundActivityScheduler-related behavior treated as strongest when runtime telemetry can observe background scheduler usage or execution callbacks.

| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Creation (DC0001) | MobileEDR:telemetry | Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between scheduler creation, later execution, and follow-on file or network behavior |
| AllowedAppList | Managed apps legitimately expected to perform background maintenance or deferred sync behavior |
| AllowedExecutionIntervals | Expected repeating interval or defer window for legitimate background activity |
| ForegroundStateRequired | Whether follow-on behavior from background scheduler execution should require recent user interaction |
| TriggerToNetworkWindow | Maximum expected delay between scheduled execution and outbound communication |
| UplinkBytesThreshold | Minimum outbound volume after scheduled execution to treat network behavior as meaningful |
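
The correlation both analytics describe (registration, later execution, then follow-on file or network behavior) can be sketched as follows. This is an added example, not code from the original page; it uses only the tunable fields common to both tables. The `Event` record, the package names, and all threshold values are constructed assumptions, since the page does not define a telemetry schema.

```python
from dataclasses import dataclass

# Tunables named after the page's fields; every value is constructed.
TIME_WINDOW = 3600               # seconds, used for both halves of the chain
TRIGGER_TO_NETWORK_WINDOW = 60   # seconds
UPLINK_BYTES_THRESHOLD = 50_000
ALLOWED_APP_LIST = {"com.example.mail"}
FOREGROUND_STATE_REQUIRED = {"com.example.torch"}

@dataclass
class Event:                     # hypothetical normalized telemetry record
    ts: int                      # epoch seconds
    app: str
    kind: str                    # schedule | execute | file_write | network
    foreground: bool = False
    uplink_bytes: int = 0

def correlate(events):
    """Return one alert per schedule -> execute -> follow-on chain."""
    events = sorted(events, key=lambda e: e.ts)
    scheduled, alerts = {}, []   # scheduled: app -> latest registration time
    for i, ev in enumerate(events):
        if ev.kind == "schedule":
            scheduled[ev.app] = ev.ts
        if (ev.kind != "execute" or ev.app in ALLOWED_APP_LIST
                or ev.ts - scheduled.get(ev.app, float("-inf")) > TIME_WINDOW):
            continue             # not a trigger, allow-listed, or no recent registration
        reasons = set()
        for n in events[i + 1:]:
            gap = n.ts - ev.ts
            if n.app != ev.app or gap > TIME_WINDOW:
                continue
            if n.kind == "file_write":
                reasons.add("local_staging")
            elif (n.kind == "network" and gap <= TRIGGER_TO_NETWORK_WINDOW
                  and n.uplink_bytes >= UPLINK_BYTES_THRESHOLD):
                reasons.add("uplink_after_trigger")
            else:
                continue
            if ev.app in FOREGROUND_STATE_REQUIRED and not n.foreground:
                reasons.add("outside_user_context")
        if reasons:
            alerts.append({"app": ev.app, "trigger_ts": ev.ts, "reasons": sorted(reasons)})
    return alerts

SAMPLE = [Event(*r) for r in [   # constructed telemetry, not real device data
    (1000, "com.example.mail", "schedule"), (1000, "com.example.torch", "schedule"),
    (2800, "com.example.mail", "execute"), (2810, "com.example.mail", "network", False, 900_000),
    (2900, "com.example.torch", "execute"), (2905, "com.example.torch", "file_write"),
    (2930, "com.example.torch", "network", False, 120_000)]]
```

Running `correlate(SAMPLE)` yields a single alert for the constructed `com.example.torch` app; the allow-listed mail app is suppressed despite its larger upload, which is the trade-off AllowedAppList introduces.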