The defender correlates the arrival, installation, or update of a trusted or expected application with a subsequent deviation in package trust characteristics, permission posture, protected-resource use, framework behavior, or network communication that is inconsistent with the known-good role of that app. The strongest Android evidence is a managed or trusted package whose first-run or post-update behavior introduces unexpected special access, sensitive sensor use, unusual background execution, privileged framework interaction, or outbound communication to destinations outside the app's baseline shortly after installation or update.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | android:MDMLog | Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline |
| Application State (DC0123) | MobileEDR:telemetry | Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence |
| OS API Execution (DC0021) | MobileEDR:telemetry | Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access |
| File Creation (DC0039) | MobileEDR:telemetry | Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer |
| Field | Description |
|---|---|
| TimeWindow | Correlation window between install/update and subsequent runtime/network effects. |
| AllowedAppList | Approved managed or trusted applications vary by organization and device group. |
| AllowedInstallerSources | Permitted installer source or app delivery mechanism differs by fleet and policy. |
| AllowedSigningBaseline | Expected signing lineage, certificate relationship, or integrity metadata varies by package; a signer change on update is only meaningful against a per-package baseline. |
| ForegroundStateRequired | Some protected-resource use is legitimate only when an app is foregrounded. |
| RecentUserInteractionWindow | Defines how close behavior must be to user interaction to be considered expected. |
| AllowedDestinations | Expected app destinations, CDNs, APIs, and service providers vary by app and tenant. |
Anchor on supervised managed-app install/update or version drift, then correlate with unexpected background activity, managed-app state changes, or egress inconsistent with the app's historical and policy baseline.
| Data Component | Name | Channel |
|---|---|---|
| Application Permission (DC0114) | iOS:MDMLog | Supervised managed app is newly installed or updated and presents unexpected version transition, inventory drift, managed-state change, or app attribute mismatch against approved procurement and release baseline |
| Application State (DC0123) | MobileEDR:telemetry | Recently installed or updated managed app begins background activity, persistent refresh, or lock-state-adjacent activity inconsistent with expected first-run behavior, user interaction timing, or historical baseline |
| OS API Execution (DC0021) | iOS:unifiedlog | Supplemental signal: unified-log anomalies from the managed app or the relevant system subsystems (launch services, extension handling, app activation, background execution) near an install/update and temporally adjacent to suspicious network or lifecycle behavior |
| Field | Description |
|---|---|
| TimeWindow | Correlation window between app install/update and subsequent lifecycle or network anomalies. |
| SupervisedRequired | The strongest app-inventory and managed-state analytics depend on supervised iOS devices; unsupervised devices expose far less MDM inventory detail. |
| AllowedManagedApps | Approved managed app set varies by organization, business unit, and device profile. |
| ExpectedVersionTransitionPolicy | Allowed upgrade paths, release rings, and phased rollout patterns vary by environment. |
| AllowedDestinations | Expected app destinations, enterprise backends, Apple services, and CDNs differ by app. |
| BackgroundRefreshBaseline | Legitimate background activity differs by app category and policy. |
| RecentUserInteractionWindow | Defines how close runtime/network activity must be to user action to be considered expected. |
| UplinkBytesThreshold | Threshold for suspicious post-update outbound transfer volume. |