Correlates (1) application registration or activation of broadcast receivers tied to system- or app-generated intents, (2) event-triggered execution while the application is not in the foreground, and (3) immediate follow-on actions such as network communication or data access. The defender observes a causal chain in which an external event (e.g., BOOT_COMPLETED, SMS_RECEIVED, USER_PRESENT, CONNECTIVITY_CHANGE) triggers application execution outside the normal user-driven lifecycle, followed by background processing or outbound activity.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | application registers or invokes a broadcast receiver via registerReceiver(), or declares a receiver in the manifest with an intent filter tied to system or app events |

| Field | Description |
|---|---|
| TimeWindow | Time correlation window between broadcast event and subsequent execution or network activity |
| SensitiveIntentList | List of broadcast intents considered high-risk (e.g., BOOT_COMPLETED, SMS_RECEIVED) |
| AllowedAppList | Baseline of legitimate applications expected to use broadcast receivers for these intents |
| ForegroundStateRequired | Determines whether execution without foreground presence increases detection confidence |
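The three-stage chain and the tunable fields above, as an added worked example that is not part of the original page or of any EDR product: a small correlation routine over constructed MobileEDR-style events. Event kinds, package names, timestamps and the tunable values are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
# Tunable elements from the strategy; the values here are constructed for this example.
TIME_WINDOW_S = 30.0
SENSITIVE_INTENTS = {"android.intent.action.BOOT_COMPLETED", "android.provider.Telephony.SMS_RECEIVED",
                     "android.intent.action.USER_PRESENT", "android.net.conn.CONNECTIVITY_CHANGE"}
ALLOWED_APPS = {"com.example.messaging"}   # constructed AllowedAppList baseline
FOREGROUND_STATE_REQUIRED = True

@dataclass
class Event:
    ts: float                 # seconds (constructed clock)
    kind: str                 # register_receiver | broadcast | network | data_access
    app: str                  # package name, or "system" for the broadcast sender
    intent: str = ""          # intent action for receiver/broadcast events
    foreground: bool = False  # was the app visible when the follow-on action ran?

def correlate(events, window=TIME_WINDOW_S, sensitive=SENSITIVE_INTENTS,
              allowed=ALLOWED_APPS, fg_required=FOREGROUND_STATE_REQUIRED):
    """Return one alert per receiver -> broadcast -> follow-on chain inside `window`."""
    receivers = {}  # intent -> apps that registered a receiver for it   (1)
    pending = {}    # app -> (broadcast ts, intent) awaiting a follow-on  (2)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "register_receiver" and ev.intent in sensitive:
            receivers.setdefault(ev.intent, set()).add(ev.app)
        elif ev.kind == "broadcast" and ev.intent in sensitive:
            for app in receivers.get(ev.intent, ()):
                pending[app] = (ev.ts, ev.intent)
        elif ev.kind in ("network", "data_access") and ev.app in pending:
            start, intent = pending.pop(ev.app)
            if ev.ts - start > window or ev.app in allowed:
                continue  # outside TimeWindow, or baselined by AllowedAppList
            confidence = "high" if fg_required and not ev.foreground else "medium"  # (3)
            alerts.append({"app": ev.app, "intent": intent, "action": ev.kind,
                           "delay_s": ev.ts - start, "confidence": confidence})
    return alerts

# Constructed MobileEDR-style telemetry, not real data.
SAMPLE = [
    Event(0, "register_receiver", "com.example.dropper", "android.intent.action.BOOT_COMPLETED"),
    Event(0, "register_receiver", "com.example.messaging", "android.provider.Telephony.SMS_RECEIVED"),
    Event(0, "register_receiver", "com.example.news", "android.intent.action.USER_PRESENT"),
    Event(100, "broadcast", "system", "android.intent.action.BOOT_COMPLETED"),
    Event(104, "network", "com.example.dropper"),       # background beacon 4 s after boot
    Event(200, "broadcast", "system", "android.provider.Telephony.SMS_RECEIVED"),
    Event(201, "data_access", "com.example.messaging"), # allowed app, suppressed
    Event(300, "broadcast", "system", "android.intent.action.USER_PRESENT"),
    Event(345, "network", "com.example.news"),          # 45 s later: outside window
]
```

Widening `window` or emptying `allowed` surfaces the suppressed chains, which is how the two tunables trade recall against false positives.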