The defender correlates an application's loading of native shared libraries, or its invocation of native code through JNI or NDK-backed execution paths, with subsequent lower-level activity such as native thread creation, sensor access, file operations, or outbound network communication that is inconsistent with the app's declared role or recent user interaction. The analytic prioritizes defender-observable control-plane effects: the native library load or JNI bridge use, the transition into a native execution context, and immediate post-load behavior that occurs from a background state, a locked-device state, or a non-baselined app category.

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | MobileEDR:telemetry | Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase |
| Application State (DC0123) | MobileEDR:telemetry | Native library load or JNI-backed execution occurs while app_state=background or device_locked=true or recent_user_interaction=false during the execution phase |
| Application Permission (DC0114) | android:MDMLog | Managed application without approved native-code role or expected high-performance/native dependency exhibits native execution behavior inconsistent with enterprise policy baseline |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between native library load, JNI/native execution, and follow-on behavior |
| AllowedAppList | Apps legitimately expected to use native code, such as games, media, enterprise VPN, security tools, or performance-intensive apps |
| AllowedLibraryPatterns | Expected native library names, paths, signing attributes, or packaging patterns for approved applications |
| ForegroundStateRequired | Whether native execution should only occur during active user-driven workflows for a given app role |
| LibraryPathPatterns | Environment-specific list of suspicious temporary, extracted, or dynamically staged native library locations |
| PostLoadBehaviorThreshold | Minimum number or severity of suspicious actions after native load required to elevate confidence |
| UplinkBytesThreshold | Minimum outbound volume after native execution to treat network activity as meaningful follow-on behavior |
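The correlation described above, written out as an added Python example that is not part of this detection strategy or of any MobileEDR product. The event schema (type and field names), the package names, the library paths and all parameter values are constructed assumptions; the parameters mirror the tunable fields in the table.

```python
from collections import defaultdict
# Tunable parameters named after the fields in the table above; all values are constructed.
TIME_WINDOW = 120                                                    # seconds after the native load
ALLOWED_APP_LIST = {"com.example.game"}
ALLOWED_LIBRARY_PATTERNS = ("/lib/arm64/",)                          # packaged library locations
LIBRARY_PATH_PATTERNS = ("/data/local/tmp/", "/cache/", "/files/")   # staged or extracted libraries
POST_LOAD_BEHAVIOR_THRESHOLD = 2
UPLINK_BYTES_THRESHOLD = 50_000
FOLLOW_ON_TYPES = {"native_thread_create", "sensor_access", "file_op", "net_tx"}

def _is_follow_on(ev):
    # Outbound traffic counts only above UplinkBytesThreshold; other follow-on types always count.
    if ev["type"] == "net_tx":
        return ev.get("bytes", 0) >= UPLINK_BYTES_THRESHOLD
    return ev["type"] in FOLLOW_ON_TYPES

def correlate(events):
    """One alert per native load followed within TimeWindow by a JNI transition and enough follow-on."""
    by_pkg = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pkg[ev["pkg"]].append(ev)
    alerts = []
    for pkg, evs in by_pkg.items():
        for i, load in enumerate(evs):
            path = load.get("path", "")
            if load["type"] != "native_load" or (pkg in ALLOWED_APP_LIST and any(p in path for p in ALLOWED_LIBRARY_PATTERNS)):
                continue  # not a load, or an expected native dependency of an approved app
            window = [e for e in evs[i + 1:] if e["ts"] - load["ts"] <= TIME_WINDOW]
            follow = [e["type"] for e in window if _is_follow_on(e)]
            if "jni_transition" not in [e["type"] for e in window] or len(follow) < POST_LOAD_BEHAVIOR_THRESHOLD:
                continue
            # Application State (DC0123) context and a staged library path raise confidence.
            checks = {"background": load.get("app_state") == "background", "device_locked": load.get("device_locked", False),
                      "no_user_interaction": load.get("recent_user_interaction") is False, "staged_library_path": any(p in path for p in LIBRARY_PATH_PATTERNS)}
            alerts.append({"pkg": pkg, "ts": load["ts"], "follow_on": follow, "reasons": [k for k, hit in checks.items() if hit]})
    return alerts

# Constructed telemetry: an approved game loads its packaged engine; a flashlight app loads a library extracted to its files directory while backgrounded on a locked device.
SAMPLE = [
    {"ts": 0, "pkg": "com.example.game", "type": "native_load", "app_state": "foreground", "path": "/data/app/com.example.game/lib/arm64/libengine.so"},
    {"ts": 1, "pkg": "com.example.game", "type": "jni_transition"},
    {"ts": 2, "pkg": "com.example.game", "type": "native_thread_create"},
    {"ts": 10, "pkg": "com.example.flashlight", "type": "native_load", "app_state": "background", "device_locked": True, "recent_user_interaction": False, "path": "/data/data/com.example.flashlight/files/libhelper.so"},
    {"ts": 11, "pkg": "com.example.flashlight", "type": "jni_transition"},
    {"ts": 12, "pkg": "com.example.flashlight", "type": "native_thread_create"},
    {"ts": 15, "pkg": "com.example.flashlight", "type": "sensor_access"},
    {"ts": 20, "pkg": "com.example.flashlight", "type": "net_tx", "bytes": 1_024},  # below UplinkBytesThreshold
    {"ts": 500, "pkg": "com.example.flashlight", "type": "file_op"},              # outside TimeWindow
]
```

Running `correlate(SAMPLE)` yields a single alert for the flashlight app; the game's load is suppressed by AllowedAppList plus AllowedLibraryPatterns, the small upload and the late file operation are excluded by UplinkBytesThreshold and TimeWindow respectively.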