Defender correlates a sandboxed app writing high-entropy or encoded artifacts (often in app-private or shared storage), performing decode/decompress/reassembly, then dynamically loading/execing the resulting code (DexClassLoader/JNI dlopen) or spawning a helper process. Sequence: high-entropy file writes → decode/unpack bursts → new .dex/.so/.jar creation in temp/obfuscated paths → dynamic load or shell spawn within a tight window.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | android:logcat | App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data/) |
| Module Load (DC0016) | android:logcat | DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file |
| | android:logcat | Short burst of file I/O followed by JNI/dlopen of a newly created .so |
| API Calls (DC0112) | android:logcat | SELinux AVC related to execute_no_trans/execmem after decode/unpack activity by the same app UID |
| Network Traffic Content (DC0085) | NSM:Flow | TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max interval to correlate write→decode→load stages (e.g., 5–60s depending on device performance). |
| PayloadEntropyThreshold | Shannon entropy threshold to flag likely obfuscated blobs (e.g., ≥ 7.2). |
| SuspiciousWriteDirs | Directories to monitor (e.g., app /files, cache, /sdcard/Download). OEMs vary. |
| ChunkCountThreshold | Minimum count of small sequential writes (split payload reassembly). |
| NetworkCDNAllowlist | Benign CDNs/hosts for large opaque downloads to reduce FPs. |
| ExecPathRegex | Regex for newly loaded .dex/.so/.jar/temp artifacts. |
| UserContext | Foreground/background or developer mode context to suppress test noise. |
Defender correlates a sandboxed app downloading or receiving opaque/encoded blobs, writing high-entropy content into container/tmp, performing decode/decompress/reassembly, and then executing/loading the result as a Mach-O or bundle (dlopen) or leveraging JIT/RWX pages to run the decoded payload. Sequence: opaque download or IPC → high-entropy writes/split-file bursts → decode/unarchive → new Mach-O/bundle in tmp → dlopen/posix_spawn or RWX region activity.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | iOS:unifiedlog | NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application/) |
| Process Access (DC0035) | iOS:unifiedlog | Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen |
| Module Load (DC0016) | iOS:unifiedlog | dyld: dlopen/dyld_cache load from non-standard app-writable path |
| Network Traffic Content (DC0085) | iOS:unifiedlog | Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode |
| OS API Execution (DC0021) | iOS:unifiedlog | mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files |

| Field | Description |
|---|---|
| TimeWindowSeconds | Max interval to link write→decode→load/exec (e.g., 5–45s depending on device and iOS version). |
| PayloadEntropyThreshold | Entropy threshold to consider a file obfuscated/packed (e.g., ≥ 7.3). |
| SplitWriteBurstMin | Minimum count of small sequential writes to flag reassembly behaviors. |
| AppContainerPaths | Container subpaths to monitor (tmp, Library/Caches, Documents); these vary by policy. |
| KnownGoodBundles | Allowlist of legitimate dynamically loaded bundles/plugins to reduce FPs. |
| PerAppVPNAllowlist | Known enterprise services carrying opaque archives to avoid false alerts. |
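Both the Android and the iOS analytics above describe the same staged pattern (high-entropy or chunked writes, a decode/unpack step, a newly created executable artifact, then a load of that artifact within TimeWindowSeconds). The following is an added example, not part of this page or of ATT&CK, showing how a detector can keep per-app sliding-window state for those stages and alert only when the load stage closes the chain. The event shape, the constructed logcat-style sample sequence, the 64 KiB "small write" cut-off and the allowlist prefixes are assumptions chosen for the illustration; the threshold defaults follow the parameter tables above.

```python
"""Added example: correlate write -> decode -> load stages per app inside a time window.
Event shape, thresholds and the sample sequence are constructed, not taken from a device."""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Tunables mirroring the parameter tables (values are illustrative defaults).
TIME_WINDOW_SECONDS = 30.0
PAYLOAD_ENTROPY_THRESHOLD = 7.2
CHUNK_COUNT_THRESHOLD = 4
SMALL_WRITE_BYTES = 64 * 1024      # assumption: a "small" write for split-payload reassembly
SUSPICIOUS_WRITE_DIRS = ("/data/data/", "/sdcard/Download/",
                         "/var/mobile/Containers/Data/Application/")
EXEC_PATH_REGEX = re.compile(r"\.(dex|so|jar|dylib|bundle)$")
KNOWN_GOOD_LOAD_PREFIXES = ("/system/framework/", "/System/Library/")  # assumed allowlist


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for a uniform blob; plaintext and ordinary code sit well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Event:
    ts: float          # seconds
    app: str           # Android app UID or iOS bundle id
    kind: str          # "write", "decode" or "load"
    path: str = ""
    size: int = 0
    entropy: float = 0.0


@dataclass
class AppState:
    high_entropy_writes: list = field(default_factory=list)  # timestamps
    chunk_writes: list = field(default_factory=list)         # timestamps
    decodes: list = field(default_factory=list)              # timestamps
    artifacts: dict = field(default_factory=dict)            # path -> creation timestamp


class DecodeLoadCorrelator:
    """Sliding-window evidence per app; the load event decides whether the chain is complete."""

    def __init__(self, window: float = TIME_WINDOW_SECONDS):
        self.window = window
        self.state = defaultdict(AppState)

    def _prune(self, st: AppState, now: float) -> None:
        cutoff = now - self.window
        st.high_entropy_writes = [t for t in st.high_entropy_writes if t >= cutoff]
        st.chunk_writes = [t for t in st.chunk_writes if t >= cutoff]
        st.decodes = [t for t in st.decodes if t >= cutoff]
        st.artifacts = {p: t for p, t in st.artifacts.items() if t >= cutoff}

    def ingest(self, ev: Event) -> Optional[dict]:
        st = self.state[ev.app]
        self._prune(st, ev.ts)                     # drop evidence older than the window
        if ev.kind == "write" and ev.path.startswith(SUSPICIOUS_WRITE_DIRS):
            if ev.entropy >= PAYLOAD_ENTROPY_THRESHOLD:
                st.high_entropy_writes.append(ev.ts)
            if ev.size <= SMALL_WRITE_BYTES:
                st.chunk_writes.append(ev.ts)
            if EXEC_PATH_REGEX.search(ev.path):    # ExecPathRegex: new loadable artifact
                st.artifacts[ev.path] = ev.ts
        elif ev.kind == "decode":
            st.decodes.append(ev.ts)
        elif ev.kind == "load" and not ev.path.startswith(KNOWN_GOOD_LOAD_PREFIXES):
            staged = bool(st.high_entropy_writes) or len(st.chunk_writes) >= CHUNK_COUNT_THRESHOLD
            # Alert only when staging, decoding and a self-created artifact all sit in the window.
            if staged and st.decodes and ev.path in st.artifacts:
                return {"app": ev.app, "loaded": ev.path, "created_at": st.artifacts[ev.path],
                        "high_entropy_writes": len(st.high_entropy_writes),
                        "chunk_writes": len(st.chunk_writes), "decode_events": len(st.decodes)}
        return None


def sample_events() -> list:
    """Constructed Android-style sequence: four 8 KiB high-entropy chunks, a decode burst,
    a new .dex in the app cache, a load of that .dex, then an allowlisted framework load."""
    blob = bytes(range(256)) * 32                  # 8 KiB with entropy exactly 8.0
    app, base = "uid:10123", "/data/data/com.example.app/"
    evs = [Event(100.0 + i, app, "write", f"{base}files/part{i}.dat", len(blob), shannon_entropy(blob))
           for i in range(4)]
    evs.append(Event(105.0, app, "decode"))
    evs.append(Event(106.0, app, "write", f"{base}cache/stage2.dex", 30_000, 6.1))
    evs.append(Event(107.0, app, "load", f"{base}cache/stage2.dex"))
    evs.append(Event(108.0, app, "load", "/system/framework/framework.jar"))
    return evs


def run(events) -> list:
    """Feed events in time order and collect the alerts the correlator raises."""
    det = DecodeLoadCorrelator()
    return [a for a in (det.ingest(e) for e in sorted(events, key=lambda e: e.ts)) if a]


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

The iOS sequence maps onto the same three event kinds (container writes, unarchive, dlopen or a PROT_EXEC transition on a recently written file), so the same correlator serves both analytics once the unified-log fields are mapped into `Event`. Keeping every stage inside one pruned window is what suppresses the two common false positives named in the tables: a legitimate plugin load long after its download, and a large opaque download from an allowlisted host that is never followed by a local decode and load.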