Every threat Burein names — across eight families. Each carries an ID, a severity, a confidence, and an evidence list.

| ID | Description | Severity |
|---|---|---|
| FRIDA_HOOK_DETECTED | Frida runtime instrumentation present. | Critical |
| XPOSED_DETECTED | Xposed / LSPosed / EdXposed framework. | Critical |
| CODE_INJECTION | LD_PRELOAD / DYLD_INSERT_LIBRARIES injected library. | Critical |
| DEBUGGER_ATTACHED | ptrace or native debugger attached. | Critical |
| NATIVE_LIB_TAMPER | Text segment or GOT/PLT integrity violation. | Critical |

| ID | Description | Severity |
|---|---|---|
| MAGISK_ROOT | Magisk-rooted Android device. | High |
| BOOTLOADER_UNLOCKED | Unlocked bootloader. | High |
| EMULATOR_QEMU | Running on a QEMU-class emulator. | High |
| VIRTUAL_APP_HOSTED | Running inside VirtualXposed / Parallel Space. | High |
| JAILBROKEN_IOS | iOS jailbreak detected. | High |
| ROOTLESS_JB_IOS | Dopamine / palera1n / RootHide class. | High |
| TROLLSTORE_INSTALL | TrollStore-sideloaded. | Medium |

| ID | Description | Severity |
|---|---|---|
| APP_REPACKAGED | Signing certificate mismatch. | Critical |
| PLAY_INTEGRITY_FAIL | Play Integrity verdict failed. | High |
| APP_ATTEST_FAIL | App Attest verdict failed. | High |
| INSTALL_SOURCE_SIDELOAD | Installed from a non-store source. | Medium |

| ID | Description | Severity |
|---|---|---|
| TLS_MITM | Custom root CA in the chain or cert pinning bypass. | High |
| VPN_ACTIVE | VPN tunnel interface present. | Medium |
| RESIDENTIAL_PROXY_HINT | ASN + latency tells consistent with residential proxy (local inference). | Medium |
| ARP_ANOMALY | Rogue gateway / ARP table mismatch. | Medium |

| ID | Description | Severity |
|---|---|---|
| HEADLESS_CHROME | Headless Chrome inconsistency triad. | High |
| WEBDRIVER_PRESENT | navigator.webdriver or hidden variant. | High |
| PLAYWRIGHT_DETECTED | Playwright hooks or environment. | High |
| PUPPETEER_DETECTED | Puppeteer / puppeteer-extra-stealth bypass detection. | High |
| ANTI_DETECT_BROWSER | Multilogin / Kameleo / AdsPower / Dolphin / GoLogin. | High |
| FARM_BROWSER_PROFILE | Cookie-jar / storage rotation pattern. | High |

| ID | Description | Severity |
|---|---|---|
| AGENTIC_COMPUTER_USE | Anthropic Computer Use cadence pattern. | Critical |
| AGENTIC_OPERATOR | OpenAI Operator pattern. | Critical |
| AGENTIC_BROWSER_USE | browser-use library signatures. | Critical |
| AGENTIC_SKYVERN | Skyvern automation harness. | High |
| AGENTIC_BROWSERBASE | BrowserBase remote browser session. | High |
| AI_SYNTHETIC_TYPING | Token-boundary cadence, no error-correction. | High |
| AI_SYNTHETIC_MOUSE | Kinematically implausible trajectories. | High |

| ID | Description | Severity |
|---|---|---|
| SCREEN_SHARE_ACTIVE | Remote-access app active + screen capture. | Critical |
| ACCESSIBILITY_ABUSE | Known-malicious accessibility service active. | Critical |
| OVERLAY_ATTACK_RISK | SYSTEM_ALERT_WINDOW overlay during sensitive flow. | High |
| BANKING_TROJAN_IOC | Known banking-trojan package fingerprint present. | Critical |

| ID | Description | Severity |
|---|---|---|
| UA_SPOOF_INCONSISTENT | UA disagrees with platform tells. | Medium |
| TZ_GEO_MISMATCH | Timezone disagrees with IP geo. | Medium |
| SENSOR_TAMPERING | Sensor values implausible or replayed. | High |
| MOCK_LOCATION | Mock location provider. | Medium |

Talk to us about your fraud and integrity goals — we'll show you the signals that matter for your stack.