Correlates (1) suppression or disablement of launcher-visible application components or effective reduction of user-facing launcher presence, (2) persistence of installed application state after icon suppression, and (3) continued runtime activity such as background execution, framework use, sensor access, or network communication after the icon becomes unavailable or is replaced by reduced-discoverability launcher behavior. The defender observes a causal chain where an app removes or reduces its launcher visibility while remaining operational and continuing meaningful activity.

| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | installed application remains present while launcher-visible activity or component discoverability changes to hidden, disabled, or synthesized-settings-entry state prior to later runtime activity |
| OS API Execution (DC0021) | MobileEDR:telemetry | application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between icon suppression and later runtime activity |
| AllowedAppList | Baseline of legitimate apps permitted to reduce launcher visibility, such as managed agents, work-profile utilities, or system applications |
| ForegroundStateRequired | Whether post-suppression behavior is only suspicious when no recent foreground interaction is present |
| SuppressionMode | Environment-specific handling of hidden, disabled, or synthesized launcher behavior depending on Android version and management posture |
| UplinkBytesThreshold | Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background maintenance |
| SensorAfterSuppressionThreshold | Threshold for sensor access frequency after launcher visibility is reduced |
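
The correlation described above, driven by the tunable fields in the table, as an added example that is not part of the original analytic. The event schema, event type names, package names and default values are constructed assumptions, and "recent foreground interaction" is taken to mean any foreground event inside the window after suppression.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunables:  # field names from the table above; default values are constructed
    TimeWindow: int = 3600  # seconds
    AllowedAppList: frozenset = frozenset({"com.example.mdm.agent"})
    ForegroundStateRequired: bool = True
    SuppressionMode: frozenset = frozenset({"hidden", "disabled", "synthesized"})
    UplinkBytesThreshold: int = 50_000
    SensorAfterSuppressionThreshold: int = 3

def correlate(events, t=Tunables()):
    """Return (pkg, suppressed_at, uplink_bytes, sensor_hits) per suspicious chain."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if (ev["type"] != "icon_suppressed" or ev["pkg"] in t.AllowedAppList
                or ev.get("mode") not in t.SuppressionMode):
            continue
        uplink = sensors = 0
        foreground = False
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > t.TimeWindow:
                break  # outside the correlation window
            if later["pkg"] != ev["pkg"]:
                continue
            if later["type"] == "uninstalled":
                break  # installed state did not persist, so the chain ends
            foreground |= later["type"] == "foreground"
            uplink += later.get("bytes", 0) if later["type"] == "net_uplink" else 0
            sensors += later["type"] == "sensor_access"
        if t.ForegroundStateRequired and foreground:
            continue  # user interacted with the app after suppression
        if uplink >= t.UplinkBytesThreshold or sensors >= t.SensorAfterSuppressionThreshold:
            findings.append((ev["pkg"], ev["ts"], uplink, sensors))
    return findings

SAMPLE = [  # constructed telemetry, hypothetical schema; ts is epoch seconds
    {"ts": 1000, "pkg": "com.example.flashlight", "type": "icon_suppressed", "mode": "hidden"},
    {"ts": 1000, "pkg": "com.example.mdm.agent", "type": "icon_suppressed", "mode": "hidden"},
    {"ts": 1200, "pkg": "com.example.flashlight", "type": "net_uplink", "bytes": 40_000},
    {"ts": 1300, "pkg": "com.example.mdm.agent", "type": "net_uplink", "bytes": 900_000},
    {"ts": 1500, "pkg": "com.example.flashlight", "type": "net_uplink", "bytes": 30_000},
    {"ts": 2000, "pkg": "com.example.notes", "type": "icon_suppressed", "mode": "disabled"},
    {"ts": 2100, "pkg": "com.example.notes", "type": "foreground"},
    {"ts": 2200, "pkg": "com.example.notes", "type": "net_uplink", "bytes": 80_000},
    {"ts": 9000, "pkg": "com.example.flashlight", "type": "net_uplink", "bytes": 999_999},
]
```

With the defaults, `correlate(SAMPLE)` flags only the flashlight package: the managed agent is allow-listed, the notes app had foreground use after suppression, and the 999,999-byte upload falls outside `TimeWindow`.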