The defender correlates an application retrieving content from a non-baselined external source with the immediate local creation of a new executable, module, staged payload, overlay asset, or other secondary file in app-controlled or shared storage, optionally followed by a load, invocation, handoff, or repeat retrieval. The analytic prioritizes effects observable on Android: network download activity (DownloadManager or direct HTTP retrieval), file creation under package-specific or external storage paths, and an execution context inconsistent with recent user interaction or with the app's declared role. Because a retrieved dex, apk, jar, or native library is loadable regardless of its file name, classify staged artifacts by content where telemetry exposes it rather than by extension alone.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase |
| OS API Execution (DC0021) | MobileEDR:telemetry | Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment |
| File Creation (DC0039) | MobileEDR:telemetry | Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer |
| Application State (DC0123) | MobileEDR:telemetry | Ingress transfer and local file creation occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase |
| Application Permission (DC0114) | android:MDMLog | Managed app without approved content-download, update, browser, or file-sync role performs remote payload retrieval and local tool staging |
| Field | Description |
|---|---|
| TimeWindow | Correlation window between remote retrieval, local write, and any follow-on load or transfer completion |
| AllowedAppList | Apps legitimately expected to download files such as browsers, enterprise app stores, backup/sync tools, or content delivery apps |
| AllowedDestinationList | Approved software distribution, CDN, MDM, and enterprise update endpoints |
| AllowedPathList | Expected local download, cache, and update paths for legitimate app behavior |
| IngressBytesThreshold | Minimum inbound transfer size consistent with a staged secondary tool or payload |
| ForegroundStateRequired | Whether file retrieval should occur only during active user-driven workflows |
| FileTypeRiskPatterns | Environment-specific set of retrieved file classes considered suspicious such as apk, dex, jar, so, zip, html overlay, or opaque blob |
The defender correlates a managed app's network retrieval from a non-baselined external source with the immediate creation of a new local artifact, staged resource, module-like file, or opaque payload inside the app container, optionally followed by dynamic loading, handoff, or repeat retrieval. Because iOS offers weaker direct visibility into tool-staging internals than Android in many environments, the analytic anchors first on network acquisition plus managed-app identity, then raises confidence with file-creation or process-activity effects where mobile telemetry is available.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase |
| File Creation (DC0039) | MobileEDR:telemetry | Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect |
| OS API Execution (DC0021) | MobileEDR:telemetry | Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation |
| Application State (DC0123) | MobileEDR:telemetry | Ingress retrieval and staging occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase |
| Application Permission (DC0114) | iOS:MDMLog | Supervised managed app without approved update, browser, sync, or enterprise-content role retrieves and stages secondary content inconsistent with policy baseline |
| Field | Description |
|---|---|
| TimeWindow | Correlation window between remote retrieval, local staging, and any follow-on file handling |
| AllowedAppList | Managed apps legitimately expected to download secondary content or updates |
| AllowedDestinationList | Approved content, MDM, enterprise, and application-update endpoints |
| AllowedContainerPatterns | Expected app-container paths for legitimate downloaded assets |
| IngressBytesThreshold | Minimum inbound transfer volume consistent with secondary tool or payload retrieval |
| ForegroundStateRequired | Whether retrieval should happen only in active user-driven workflows |
| ArtifactRiskPatterns | Environment-specific file or content patterns considered suspicious such as staged dylib-like resources, html overlays, archives, or opaque blobs |
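The correlation both analytics describe (Android above, iOS here) reduces to the same logic: take each inbound flow from a non-baselined destination by an app that is not on the allow list and above the byte threshold, pair it with file creations by the same app inside TimeWindow, and let each observed local effect raise the score. The Python below is an added example written for this page, not code from the analytic's source or from any EDR product. The event shape, app identifiers, hosts, container paths, tunable values and sample telemetry are all constructed assumptions; the one deliberate design choice is that FileTypeRiskPatterns / ArtifactRiskPatterns are keyed on leading bytes rather than file extension.

```python
"""Correlate non-baselined ingress transfers with local tool staging.
Added example, not part of the original analytic; event shape, app ids, hosts,
paths and the tunable values are constructed for illustration."""
from __future__ import annotations

import fnmatch
from datetime import datetime, timedelta

# Tunable fields from the tables above (assumed values).
TIME_WINDOW = timedelta(seconds=120)
ALLOWED_APP_LIST = {"com.android.chrome", "com.apple.mobilesafari", "com.corp.appstore"}
ALLOWED_DESTINATION_LIST = {"cdn.corp.example", "mdm.corp.example"}
ALLOWED_PATH_LIST = [  # AllowedPathList (Android) and AllowedContainerPatterns (iOS)
    "/storage/emulated/0/Download/*",
    "/var/mobile/Containers/Data/Application/*/Documents/*",
]
INGRESS_BYTES_THRESHOLD = 64 * 1024
FOREGROUND_STATE_REQUIRED = True
# FileTypeRiskPatterns / ArtifactRiskPatterns keyed on leading bytes, not the
# extension: DexClassLoader loads a dex/apk/jar whatever it is named, and
# dlopen does not care what an ELF or Mach-O file is called.
RISKY_MAGIC = {
    b"dex\n": "dex", b"PK\x03\x04": "zip/apk/jar", b"\x7fELF": "elf-so",
    b"\xcf\xfa\xed\xfe": "mach-o", b"\xce\xfa\xed\xfe": "mach-o",  # MH_MAGIC_64 / MH_MAGIC on disk
    b"\xca\xfe\xba\xbe": "mach-o-fat",
}


def classify(first_bytes: bytes) -> str | None:
    """Label an artifact by its leading bytes; None means not in the risk set."""
    for magic, label in RISKY_MAGIC.items():
        if first_bytes.startswith(magic):
            return label
    if first_bytes.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "html-overlay"
    return None


def _unattended(e: dict) -> bool:
    """DC0123: app in background, device locked, or no recent user interaction."""
    return (e.get("app_state") == "background" or e.get("device_locked") is True
            or e.get("recent_user_interaction") is False)


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def correlate(events: list[dict]) -> list[dict]:
    """One alert per qualifying inbound flow (DC0085); the score rises with each
    local effect seen: file in window, unexpected path, risky content, unattended."""
    files = [e for e in events if e["type"] == "file_create"]
    alerts = []
    for flow in sorted((e for e in events if e["type"] == "net_flow"), key=_ts):
        if (flow["app"] in ALLOWED_APP_LIST or flow["dest"] in ALLOWED_DESTINATION_LIST
                or flow["bytes_in"] < INGRESS_BYTES_THRESHOLD):
            continue  # baselined app, approved endpoint, or below IngressBytesThreshold
        score, reasons = 1, [f"unbaselined ingress of {flow['bytes_in']} B from {flow['dest']}"]
        if FOREGROUND_STATE_REQUIRED and _unattended(flow):
            score, reasons = score + 1, reasons + ["acquired while unattended (DC0123)"]
        start, best, best_why = _ts(flow), 0, []
        for f in files:  # the strongest staged artifact inside TimeWindow counts
            if f["app"] != flow["app"] or not start <= _ts(f) <= start + TIME_WINDOW:
                continue
            sub, why = 1, [f"file created within window: {f['path']} (DC0039)"]
            if not any(fnmatch.fnmatch(f["path"], p) for p in ALLOWED_PATH_LIST):
                sub, why = sub + 1, why + ["path outside allowed download/container patterns"]
            label = classify(f.get("first_bytes", b""))
            if label:
                sub, why = sub + 1, why + [f"risky artifact class by magic bytes: {label}"]
            if sub > best:
                best, best_why = sub, why
        alerts.append({"app": flow["app"], "platform": flow["platform"], "dest": flow["dest"],
                       "score": score + best, "reasons": reasons + best_why})
    return alerts


# Constructed telemetry: Android and iOS staging sequences plus baseline noise.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:14:03", "type": "net_flow", "platform": "android",
     "app": "com.example.flashlight", "dest": "203.0.113.7", "bytes_in": 512_000,
     "app_state": "background", "recent_user_interaction": False},
    {"ts": "2024-05-01T02:14:11", "type": "file_create", "platform": "android",
     "app": "com.example.flashlight", "first_bytes": b"dex\n035\x00",
     "path": "/data/data/com.example.flashlight/cache/upd.png"},  # dex hiding as .png
    {"ts": "2024-05-01T03:40:00", "type": "net_flow", "platform": "ios",
     "app": "com.corp.notes", "dest": "198.51.100.22", "bytes_in": 2_097_152, "device_locked": True},
    {"ts": "2024-05-01T03:40:31", "type": "file_create", "platform": "ios",
     "app": "com.corp.notes", "first_bytes": b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01",
     "path": "/var/mobile/Containers/Data/Application/0A1B2C3D-0000-4000-8000-000000000001/Library/Caches/res.dat"},
    {"ts": "2024-05-01T09:05:00", "type": "net_flow", "platform": "android",  # browser, approved CDN
     "app": "com.android.chrome", "dest": "cdn.corp.example", "bytes_in": 3_000_000, "app_state": "foreground"},
    {"ts": "2024-05-01T09:05:02", "type": "file_create", "platform": "android", "app": "com.android.chrome",
     "path": "/storage/emulated/0/Download/report.pdf", "first_bytes": b"%PDF-1.7"},
    {"ts": "2024-05-01T09:10:00", "type": "net_flow", "platform": "android",  # small config fetch
     "app": "com.example.weather", "dest": "api.weather.example", "bytes_in": 2_048, "app_state": "foreground"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["platform"], a["app"], "->", a["dest"], "score", a["score"], a["reasons"])
```

Run against the constructed events, the browser download to the approved CDN and the small foreground config fetch produce nothing, while the two staging sequences each reach the top score: unbaselined ingress, unattended acquisition, a file written inside TimeWindow, a path outside the allowed patterns, and a loadable artifact class identified from its first bytes despite the innocuous name. The scoring order mirrors the iOS text: network acquisition plus app identity is the anchor, and every local effect the EDR happens to expose only adds confidence, so the same code degrades gracefully where file telemetry is missing.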