Correlates (1) device posture changes indicating root or elevated privilege state, (2) runtime framework manipulation or injection into application processes, and (3) anomalous API behavior or suppressed security signals. The defender observes a causal chain where an application gains privileged execution context, interacts with system frameworks (e.g., ART/Zygote), and modifies expected API outputs or suppresses security-relevant signals such as permission checks, sensor access reporting, or process visibility.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | device transitions to non-compliant state + root detected or integrity attestation failure (SafetyNet/Play Integrity) |
| OS API Execution (DC0021) | MobileEDR:telemetry | application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior |
| Field | Description |
|---|---|
| TimeWindow | Defines correlation window between root detection, runtime manipulation, and anomalous API behavior |
| AllowedAppList | Baseline of known applications that legitimately use instrumentation or debugging frameworks |
| ForegroundStateRequired | Determines whether suspicious API manipulation must occur in background to increase fidelity |
| IntegritySignalSource | Defines which attestation signals (Play Integrity, OEM attestation) are trusted in the environment |