USB Connection Detection
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android | MASVS-RESILIENCE-4 |
Overview
USB Connection Detection monitors active USB data-transfer connections in real time and triggers a configurable response when the Android device is connected to a USB host in any data-capable mode. This control enables applications to detect when users connect their devices to computers or forensic equipment that could extract data, execute ADB commands, or perform packet capture.
Unlike charge-only USB connections (which are benign), data-transfer modes enable file access, debugging interfaces, or network tethering capabilities that pose security risks. This control continuously monitors the system's USB state and fires only when data-capable modes are active.
How It Works
The control registers a broadcast receiver for Android's android.hardware.usb.action.USB_STATE intent, a system-protected broadcast that fires whenever USB connection state changes. When a USB cable is connected, the intent includes boolean extras indicating which USB functions are active.
Detection Logic
The control evaluates the following USB function flags in the broadcast intent extras:
| Mode | Extra Key | Risk |
|---|---|---|
| MTP (Media Transfer Protocol) | mtp | File-level read/write access to shared storage, full media library exposure |
| PTP (Picture Transfer Protocol) | ptp | Camera roll and photo access |
| ADB (Android Debug Bridge) | adb | Shell access, app debugging, data extraction (requires USB debugging and host authorization) |
| RNDIS (USB Tethering) | rndis | Shared network link with the host; traffic interception if the device routes its traffic over it |
| NCM (Network Control Model) | ncm | Modern USB tethering with the same network exposure as RNDIS |
| MIDI (Musical Instrument Digital Interface) | midi | MIDI device communication |
If the device is connected (connected=true) AND any of these function flags is true, the control triggers the configured response. Pure charge-only connections (no function flags set) do not fire.
State Tracking
The control includes state management so that one alert corresponds to one data-capable connection:
- Initial check: on startup, the control evaluates the sticky intent returned by registerReceiver(), so a USB data connection that already exists when the app launches is detected immediately
- Continuous monitoring: the broadcast receiver fires on every USB state change (connect, disconnect, mode change)
- Automatic reset: when the USB cable is disconnected (connected=false), the response latch resets, allowing the alert to fire again on the next data-mode connection
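The detection and latch logic described above, as an added example in Kotlin. This is not AppTego's or MobileDefender's code (the product's receiver is implemented natively); it assumes it runs inside an Android app on API 26 or later, and the class name UsbDataConnectionMonitor and the onDataConnection callback are hypothetical names chosen for this example.

```kotlin
// Added example (not MobileDefender code): minimal USB_STATE monitor with a
// once-per-connection latch, mirroring the detection logic described on this page.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Build

class UsbDataConnectionMonitor(private val onDataConnection: (Set<String>) -> Unit) {

    companion object {
        // UsbManager.ACTION_USB_STATE is a hidden constant, so the literal string is used.
        const val ACTION_USB_STATE = "android.hardware.usb.action.USB_STATE"
        const val EXTRA_CONNECTED = "connected"
        // Boolean extras carried by the broadcast for each USB function (see the table above).
        val DATA_FUNCTIONS = listOf("mtp", "ptp", "adb", "rndis", "ncm", "midi")
    }

    // Latch: alert once per data-capable connection, reset when the cable is unplugged.
    private var alerted = false

    private val receiver = object : BroadcastReceiver() {
        override fun onReceive(context: Context, intent: Intent) = evaluate(intent)
    }

    /** Data-capable functions active in this USB_STATE intent; empty for charge-only or disconnected. */
    fun activeDataFunctions(intent: Intent): Set<String> {
        if (intent.action != ACTION_USB_STATE) return emptySet()
        if (!intent.getBooleanExtra(EXTRA_CONNECTED, false)) return emptySet()
        return DATA_FUNCTIONS.filter { intent.getBooleanExtra(it, false) }.toSet()
    }

    /** Applies the latch: fire on the first data-capable state, reset on disconnect. */
    fun evaluate(intent: Intent) {
        val connected = intent.action == ACTION_USB_STATE &&
            intent.getBooleanExtra(EXTRA_CONNECTED, false)
        if (!connected) {
            alerted = false // cable removed: the next data connection may alert again
            return
        }
        val functions = activeDataFunctions(intent)
        if (functions.isNotEmpty() && !alerted) {
            alerted = true
            onDataConnection(functions)
        }
    }

    fun start(context: Context) {
        val filter = IntentFilter(ACTION_USB_STATE)
        // USB_STATE is sticky: registerReceiver() returns the most recent broadcast, so a
        // connection that already exists at startup is evaluated without waiting for a change.
        // RECEIVER_NOT_EXPORTED exists from API 33; the protected-broadcast status of
        // USB_STATE already prevents third-party apps from sending it on older releases.
        val sticky = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            context.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED)
        } else {
            context.registerReceiver(receiver, filter)
        }
        sticky?.let { evaluate(it) }
    }

    fun stop(context: Context) = context.unregisterReceiver(receiver)
}

// Usage, e.g. from Application.onCreate():
// UsbDataConnectionMonitor { fns -> /* close sensitive screens, log fns */ }.start(this)
```

The callback receives the set of active function names, so a caller can treat an "adb" or "rndis" connection differently from a plain "mtp" one; the latch is keyed only on connected=false, so a mode change while the cable stays plugged in (for example switching from charging to file transfer) is evaluated but does not re-alert once an alert has already fired for that connection.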
Modes Detected
High-Risk Modes
MTP (Media Transfer Protocol) and PTP (Picture Transfer Protocol) grant the connected USB host file-level read/write access to the device's shared (external) storage or camera roll. On current Android versions the device must be unlocked and the user must switch the USB mode from charging to file transfer, but once that is done an attacker with physical access can:
- Browse and extract files, photos, videos, and documents from shared storage
- Upload malicious files to the device
- Read any app data that has been written to shared storage (app-private internal storage under /data/data is not exposed over MTP)
ADB (Android Debug Bridge) is the most dangerous mode. It requires USB debugging to be enabled and the host's RSA key to be authorized on the device; with that in place it enables:
- Remote shell command execution (adb shell)
- Application debugging and memory inspection
- Backup extraction (adb backup) for apps that permit backup
- APK installation and uninstallation
- Port forwarding for tunneling traffic
Moderate-Risk Modes
RNDIS and NCM (USB Tethering) put the USB host and the device on a shared network link. In the standard tethering direction the device shares its mobile data connection with the host, so the host is a client of the device and does not see the device's own traffic. The risk arises when the link is used the other way round, with the device routing its own traffic over USB (reverse tethering, typically on rooted devices or through ADB-based tools); the host can then:
- Capture all device traffic sent over the link (man-in-the-middle position)
- Spoof DNS and redirect traffic
- Inspect unencrypted HTTP requests
- Monitor app network activity
In either direction an active tethering function means a data-capable link exists, which is why the control treats these modes as a trigger.
MIDI is the lowest-risk mode, used for connecting musical instruments. While typically benign, it represents an active data connection and is included for completeness.
Threats Mitigated
- Data Exfiltration via File Access: MTP/PTP modes allow attackers to copy sensitive files, photos, and documents from the device's storage
- Forensic Acquisition: Law enforcement or malicious actors can use MTP to copy every file from the accessible shared storage for offline analysis
- ADB-Based Attacks: ADB access enables remote command execution, app debugging, backup extraction, and privilege escalation attempts
- Network Traffic Interception: RNDIS/NCM tethering allows packet capture and man-in-the-middle attacks on device communications
- Insider Threats: Detects when employees or users connect corporate/sensitive devices to unauthorized computers
Response Type
This is a response control: an app cannot block USB connections at the OS level, and doing so would in any case break legitimate charging and accessories. Instead, the control:
- Detects the data-capable USB connection in real time
- Alerts the user via a configured modal prompt (title, message, buttons, actions)
- Logs the event with telemetry for backend security analytics
- Enables your application to take custom actions (close sensitive screens, lock the app, notify administrators, etc.) via the configured button actions
The response is idempotent per connection: the alert fires once when the data mode is detected and will not fire again until the cable is disconnected and reconnected.
Use Cases
Enterprise & MDM
- Alert employees when they connect work devices to personal computers
- Enforce corporate policies restricting USB data transfers
- Log USB connection events for compliance auditing
- Trigger remote wipe or lockdown on policy violation
Financial Services
- Detect when banking or trading apps are connected to potentially compromised machines
- Warn users about USB-based forensic attacks during ATM or kiosk usage
- Prevent data extraction from devices used for financial transactions
Healthcare (HIPAA Compliance)
- Alert healthcare workers when patient data devices are connected to unauthorized systems
- Enforce USB access policies for devices containing PHI
- Create audit trails of USB data-access events
High-Security Applications
- Detect forensic tool connections targeting government or classified data
- Alert users to ADB debugging attempts by malicious actors
- Prevent data exfiltration during device seizure scenarios
Support Matrix
| Platform | Minimum Version | Implementation |
|---|---|---|
| Android | API 26 (Android 8.0) | Native C++ broadcast receiver |
| iOS | Not supported | USB accessories use different APIs; host mode unavailable to sandboxed apps |
How to Enable the Control
Navigate to Detection & Response from the AppTego portal, and expand the Runtime Attack Detection section. Under this section you will find the USB Connection Detection control. Click Enable Configuration, choose the response action, and save the configuration for the next build or for it to be applied with a live push (if enabled).
API Configuration Example
```json
{
  "UsbConnectionDetectionResponse": {
    "detection": true,
    "action": "alert",
    "title": "USB Connection Detection",
    "message": "A USB data connection was detected. Please disconnect USB data access before continuing.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
```
| Field | Purpose |
|---|---|
| detection | Enables USB connection detection. |
| action | Selects the response style, such as alert, close, log, or warn. |
| title / message | User-facing text shown when a response is displayed. |
| buttons / actions / redirects | Defines the available response buttons and their outcomes. |
Configuration
Enable the control in your MobileDefender configuration:
```json
{
  "UsbConnectionDetectionResponse": {
    "detection": true,
    "action": "alert",
    "title": "USB Data Connection Detected",
    "message": "Your device is connected to a computer with file access enabled. Disconnect immediately if this was not intentional.",
    "buttons": ["Disconnect", "I Understand"],
    "actions": ["close", "continue"]
  }
}
```
Parameters
- detection (boolean): Enable/disable the USB monitoring receiver
- protection (boolean): No-op for response controls (included for consistency)
- action, title, message, buttons, actions, redirects: Standard response control configuration for the alert modal
Caveats
Charge-Only Connections
The control does not fire for pure charge-only USB connections. If the device is connected to a power source (wall adapter, battery pack) or a "charging only" mode is active, no alert will trigger. This is intentional to avoid alert fatigue.
System Permission
android.hardware.usb.action.USB_STATE is a protected system broadcast: only the system can send it, so a third-party app cannot spoof it to trigger or suppress the alert. On API 33 and later the control additionally registers with the RECEIVER_NOT_EXPORTED flag, so the receiver accepts broadcasts only from the system and from the app itself; on earlier API levels the protected-broadcast status alone provides this guarantee.
Initial State
registerReceiver() returns the sticky USB_STATE intent, and the control evaluates it immediately on registration, so if the app is launched while a USB data connection is already active, the alert fires at startup without waiting for a state change.
No Prevention Capability
This control is detection-only. It cannot prevent, block, or disable USB connections at the OS level. To block USB data access, organizations must use MDM policies or hardware-based security solutions.
Performance
The broadcast receiver is lightweight and does not poll or perform continuous checks. The control only executes when the Android system delivers a USB state change broadcast, so battery and CPU impact during normal operation is negligible.