{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,16]],"date-time":"2026-04-16T21:16:19Z","timestamp":1776374179141,"version":"3.51.2"},"reference-count":39,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2023,2,20]],"date-time":"2023-02-20T00:00:00Z","timestamp":1676851200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,2,20]],"date-time":"2023-02-20T00:00:00Z","timestamp":1676851200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100010752","name":"National Graduate School in Computer Science","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100010752","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Excellence Center at Link\u00f6ping - Lund in Information Technology"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2023,3]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Decompilers are indispensable tools in Android malware analysis and app security auditing. Numerous academic works also employ an Android decompiler as the first step in a program analysis pipeline. In such settings, decompilation is frequently regarded as a \u201csolved\u201d problem, in that it is simply expected that source code can be accurately recovered from an app. On the other hand, it is known that, e.g, obfuscation can negatively impact a decompiler\u2019s effectiveness. Therefore, in order to better understand potential failure modes of, e.g., automated analysis pipelines involving decompilation, it is important to characterize the performance of decompilers on both benign and malicious apps. To this end, we have performed what is, to the best of our knowledge, the first large-scale study of Android decompilation failure rates, using three sets of apps; namely, 3,018 open-source apps, 13,601 apps crawled from Google Play, and an existing collection of 24,553 malware samples. In addition to the state-of-the-art Dalvik bytecode decompiler Jadx, we also studied the performance of three popular Java decompilers. Furthermore, this paper also presents the findings from a follow-up study on 54,945 malware apps, where we additionally performed an analysis of the reasons for decompilation failures. Our study revealed that decompilers generally have very low failure rates, and that few failures on benign apps appear to be related to obfuscation. On malware, however, obfuscation appears to be a more prominent cause of failures, although the vast majority of malicious apps could still be fully decompiled by an ensemble of decompilers.<\/jats:p>","DOI":"10.1007\/s10664-022-10281-9","type":"journal-article","created":{"date-parts":[[2023,2,23]],"date-time":"2023-02-23T16:32:43Z","timestamp":1677169963000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Android decompiler performance on benign and malicious apps: an empirical study"],"prefix":"10.1007","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3009-4314","authenticated-orcid":false,"given":"Ulf","family":"Karg\u00e9n","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Noah","family":"Mauthe","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nahid","family":"Shahmehri","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,2,20]]},"reference":[{"key":"10281_CR1","doi-asserted-by":"crossref","unstructured":"Allix K, Bissyand\u00e9 TF, Klein J, Le Traon Y (2016) Androzoo: collecting millions of android apps for the research community. In: Proceedings of the 13th international conference on mining software repositories, ACM, pp 468\u2013471","DOI":"10.1145\/2901739.2903508"},{"key":"10281_CR2","unstructured":"Andriesse D, Chen X, Van Der Veen V, Slowinska A, Bos H (2016) An in-depth analysis of disassembly on full-scale x86\/x64 binaries. In: 25th USENIX security symposium (USENIX security 16), pp 583-600"},{"key":"10281_CR3","doi-asserted-by":"crossref","unstructured":"Backes M, Bugiel S, Derr E (2016) Reliable third-party library detection in Android and its security applications. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp 356\u2013367","DOI":"10.1145\/2976749.2978333"},{"key":"10281_CR4","doi-asserted-by":"publisher","first-page":"72","DOI":"10.1016\/j.cose.2016.05.003","volume":"61","author":"V Balachandran","year":"2016","unstructured":"Balachandran V, Tan D J, Thing VL et al (2016) Control flow obfuscation for android applications. Comput Security 61:72\u201393","journal-title":"Comput Security"},{"issue":"4","key":"10281_CR5","doi-asserted-by":"publisher","first-page":"400","DOI":"10.1109\/TDSC.2014.2355839","volume":"12","author":"L Cen","year":"2015","unstructured":"Cen L, Gates CS, Si L, Li N (2015) A probabilistic discriminative model for android malware detection with decompiled source code. IEEE Trans Dependable Secure Comput 12(4):400\u2013412","journal-title":"IEEE Trans Dependable Secure Comput"},{"issue":"1-2","key":"10281_CR6","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/S0164-1212(02)00066-3","volume":"71","author":"JT Chan","year":"2004","unstructured":"Chan JT, Yang W (2004) Advanced obfuscation techniques for java bytecode. J Syst Softw 71(1-2):1\u201310","journal-title":"J Syst Softw"},{"key":"10281_CR7","doi-asserted-by":"crossref","unstructured":"Chen S, Fan L, Chen C, Su T, Li W, Liu Y, Xu L (2019) StoryDroid: automated generation of storyboard for android apps. In: 2019 IEEE\/ACM 41st international conference on software engineering (ICSE), pp 596\u2013607","DOI":"10.1109\/ICSE.2019.00070"},{"key":"10281_CR8","volume-title":"A Taxonomy of Obfuscating Transformations. Tech rep Department of Computer Science","author":"C Collberg","year":"1997","unstructured":"Collberg C, Thomborson C, Low D (1997) A Taxonomy of Obfuscating Transformations. Tech rep Department of Computer Science. The University of Auckland, New Zealand"},{"key":"10281_CR9","doi-asserted-by":"crossref","unstructured":"Dong S, Li M, Diao W, Liu X, Liu J, Li Z, Xu F, Chen K, Wang X, Zhang K (2018) Understanding android obfuscation techniques: a large-scale investigation in the wild. In: Security and privacy in communication networks. Springer international publishing, pp 172\u2013192","DOI":"10.1007\/978-3-030-01701-9_10"},{"key":"10281_CR10","doi-asserted-by":"crossref","unstructured":"Duan Y, Zhang M, Bhaskar AV, Yin H, Pan X, Li T, Wang X, Wang X (2018) Things you may not know about android (un) packers: a systematic study based on whole-system emulation. In: Network and distributed system security symposium","DOI":"10.14722\/ndss.2018.23296"},{"key":"10281_CR11","unstructured":"Enck W, Octeau D, McDaniel P, Chaudhuri S (2011) A study of android application security. In: USENIX security symposium"},{"key":"10281_CR12","doi-asserted-by":"crossref","unstructured":"Gamba J, Rashed M, Razaghpanah A, Tapiador J, Vallina-Rodriguez N (2020) An analysis of pre-installed android software. In: 2020 IEEE symposium on security and privacy (SP), pp 1039\u20131055","DOI":"10.1109\/SP40000.2020.00013"},{"key":"10281_CR13","doi-asserted-by":"crossref","unstructured":"Gibler C, Crussell J, Erickson J, Chen H (2012) AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. In: Trust and trustworthy computing, Springer Berlin, Heidelberg, Berlin. pp 291\u2013307","DOI":"10.1007\/978-3-642-30921-2_17"},{"issue":"2","key":"10281_CR14","doi-asserted-by":"publisher","first-page":"109","DOI":"10.2478\/acss-2018-0014","volume":"23","author":"K Gusarovs","year":"2018","unstructured":"Gusarovs K (2018) An analysis on java programming language decompiler capabilities. Appl Comput Syst 23(2):109\u2013117","journal-title":"Appl Comput Syst"},{"key":"10281_CR15","doi-asserted-by":"crossref","unstructured":"Hamilton J, Danicic S (2009) An evaluation of current java bytecode decompilers. In: 2009 Ninth IEEE international working conference on source code analysis and manipulation, pp 129\u2013136","DOI":"10.1109\/SCAM.2009.24"},{"key":"10281_CR16","doi-asserted-by":"crossref","unstructured":"Hammad M, Garcia J, Malek S (2018) A large-scale empirical study on the effects of code obfuscations on android apps and anti-malware products. In: Proceedings of the 40th international conference on software engineering, pp 421\u2013431","DOI":"10.1145\/3180155.3180228"},{"key":"10281_CR17","doi-asserted-by":"crossref","unstructured":"Harrand N, Soto-Valero C, Monperrus M, Baudry B (2019) The strengths and behavioral quirks of Java bytecode decompilers. In: 2019 19th International working conference on source code analysis and manipulation (SCAM), pp 92\u2013102","DOI":"10.1109\/SCAM.2019.00019"},{"key":"10281_CR18","doi-asserted-by":"publisher","first-page":"110645","DOI":"10.1016\/j.jss.2020.110645","volume":"168","author":"N Harrand","year":"2020","unstructured":"Harrand N, Soto-Valero C, Monperrus M, Baudry B (2020) Java decompiler diversity and its application to meta-decompilation. J Syst Softw 168:110645","journal-title":"J Syst Softw"},{"issue":"2","key":"10281_CR19","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1049\/ip-sen:20050010","volume":"153","author":"TW Hou","year":"2006","unstructured":"Hou TW, Chen HY, Tsai MH (2006) Three control flow obfuscation methods for java software. IEE Proc-Softw 153(2):80\u201386","journal-title":"IEE Proc-Softw"},{"key":"10281_CR20","doi-asserted-by":"crossref","unstructured":"Jang H, Jin B, Hyun S, Kim H (2019) Kerberoid: a practical android app decompilation system with multiple decompilers. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp 2557\u20132559","DOI":"10.1145\/3319535.3363255"},{"key":"10281_CR21","doi-asserted-by":"crossref","unstructured":"Jiang M, Zhou Y, Luo X, Wang R, Liu Y, Ren K (2020) An empirical study on arm disassembly tools. In: Proceedings of the 29th ACM SIGSOFT international symposium on software testing and analysis, pp 401\u2013414","DOI":"10.1145\/3395363.3397377"},{"key":"10281_CR22","doi-asserted-by":"crossref","unstructured":"Junod P, Rinaldini J, Wehrli J, Michielin J (2015) Obfuscator-LLVM\u2013software protection for the masses. In: 2015 IEEE\/ACM 1st international workshop on software protection, IEEE, pp 3\u20139","DOI":"10.1109\/SPRO.2015.10"},{"key":"10281_CR23","doi-asserted-by":"crossref","unstructured":"Kostelansk\u00fd J, Dedera \u0139 (2017) An evaluation of output from current java bytecode decompilers: is it android which is responsible for such quality boost?. In: 2017 Communication and information technologies (KIT), pp 1\u20136","DOI":"10.23919\/KIT.2017.8109451"},{"key":"10281_CR24","doi-asserted-by":"crossref","unstructured":"Li M, Wang W, Wang P, Wang S, Wu D, Liu J, Xue R, Huo W (2017) LibD: scalable and precise third-party library detection in android markets. In: 2017 IEEE\/ACM 39th international conference on software engineering (ICSE), pp 335\u2013346","DOI":"10.1109\/ICSE.2017.38"},{"key":"10281_CR25","doi-asserted-by":"crossref","unstructured":"Linn C, Debray S (2003) Obfuscation of executable code to improve resistance to static disassembly. In: Proceedings of the 10th ACM conference on computer and communications security, pp 290\u2013299","DOI":"10.1145\/948109.948149"},{"issue":"24","key":"10281_CR26","doi-asserted-by":"publisher","first-page":"7405","DOI":"10.1007\/s00500-016-2283-y","volume":"21","author":"A Mart\u00edn","year":"2017","unstructured":"Mart\u00edn A, Men\u00e9ndez HD, Camacho D (2017) MOCDRoid: multi-objective evolutionary classifier for android malware detection. Soft Comput 21 (24):7405\u20137415","journal-title":"Soft Comput"},{"key":"10281_CR27","doi-asserted-by":"crossref","unstructured":"Mauthe N, Karg\u00e9n U, Shahmehri N (2021) A large-scale empirical study of android app decompilation. In: 2021 IEEE international conference on software analysis, evolution and reengineering (SANER), pp 400\u2013410","DOI":"10.1109\/SANER50967.2021.00044"},{"key":"10281_CR28","doi-asserted-by":"crossref","unstructured":"Ming J, Xu D, Wang L, Wu D (2015) Loop: logic-oriented opaque predicate detection in obfuscated binary code. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, pp 757\u2013768","DOI":"10.1145\/2810103.2813617"},{"key":"10281_CR29","doi-asserted-by":"crossref","unstructured":"Naeem NA, Batchelder M, Hendren L (2007) Metrics for measuring the effectiveness of decompilers and obfuscators. In: 15th IEEE international conference on program comprehension (ICPC \u201907), pp 253\u2013258","DOI":"10.1109\/ICPC.2007.27"},{"key":"10281_CR30","doi-asserted-by":"crossref","unstructured":"Pang C, Yu R, Chen Y, Koskinen E, Portokalidis G, Mao B, Xu J (2021) SoK: all you ever wanted to know about x86\/x64 binary disassembly but were afraid to ask. In: 2021 IEEE symposium on security and privacy (SP), pp 833\u2013851","DOI":"10.1109\/SP40001.2021.00012"},{"key":"10281_CR31","doi-asserted-by":"crossref","unstructured":"Pauck F, Bodden E, Wehrheim H (2018) Do android taint analysis tools keep their promises?. In: Proceedings of the 2018 26th ACM joint meeting on european software engineering conference and symposium on the foundations of software engineering, pp 331\u2013341","DOI":"10.1145\/3236024.3236029"},{"issue":"1","key":"10281_CR32","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2522968.2522972","volume":"46","author":"KA Roundy","year":"2013","unstructured":"Roundy KA, Miller BP (2013) Binary-code obfuscations in prevalent packer tools. ACM Comput Surveys (CSUR) 46(1):1\u201332","journal-title":"ACM Comput Surveys (CSUR)"},{"key":"10281_CR33","doi-asserted-by":"crossref","unstructured":"Shan Z, Neamtiu I, Samuel R (2018) Self-hiding behavior in android apps: detection and characterization. In: Proceedings of the 40th international conference on software engineering, pp 728\u2013739","DOI":"10.1145\/3180155.3180214"},{"key":"10281_CR34","unstructured":"Tian DJ, Hernandez G, Choi JI, Frost V, Raules C, Traynor P, Vijayakumar H, Harrison L, Rahmati A, Grace M et al (2018) ATTention spanned: comprehensive vulnerability analysis of AT commands within the android ecosystem. In: 27th USENIX security symposium (USENIX security 18), pp 273\u2013290"},{"key":"10281_CR35","doi-asserted-by":"crossref","unstructured":"Wang H, Guo Y, Ma Z, Chen X (2015) WuKong: a scalable and accurate two-phase approach to android app clone detection. In: Proceedings of the 2015 international symposium on software testing and analysis, association for computing machinery, ISSTA 2015, pp 71\u201382","DOI":"10.1145\/2771783.2771795"},{"key":"10281_CR36","doi-asserted-by":"crossref","unstructured":"Wei F, Li Y, Roy S, Ou X, Zhou W (2017) Deep ground truth analysis of current Android malware. In: Detection of intrusions and malware, and vulnerability assessment, Springer international publishing, pp 252\u2013276","DOI":"10.1007\/978-3-319-60876-1_12"},{"key":"10281_CR37","doi-asserted-by":"crossref","unstructured":"Xue L, Luo X, Yu L, Wang S, Wu D (2017) Adaptive unpacking of android apps. In: 2017 IEEE\/ACM 39th international conference on software engineering (ICSE), pp 358\u2013369","DOI":"10.1109\/ICSE.2017.40"},{"key":"10281_CR38","doi-asserted-by":"crossref","unstructured":"Yang W, Zhang Y, Li J, Shu J, Li B, Hu W, Gu D (2015) Appspear: bytecode decrypting and dex reassembling for packed android malware. In: Research in attacks, Intrusions, and Defenses, Springer international publishing, p 359\u2013381","DOI":"10.1007\/978-3-319-26362-5_17"},{"key":"10281_CR39","doi-asserted-by":"crossref","unstructured":"Zhang Y, Luo X, Yin H (2015) Dexhunter: toward extracting hidden code from packed android applications. In: Computer security \u2013 ESORICS 2015, Springer international publishing, pp 293\u2013311","DOI":"10.1007\/978-3-319-24177-7_15"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-022-10281-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-022-10281-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-022-10281-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,4,3]],"date-time":"2023-04-03T07:08:29Z","timestamp":1680505709000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-022-10281-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,2,20]]},"references-count":39,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2023,3]]}},"alternative-id":["10281"],"URL":"https:\/\/doi.org\/10.1007\/s10664-022-10281-9","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,2,20]]},"assertion":[{"value":"19 December 2022","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"20 February 2023","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"<!--Emphasis Type='Bold' removed-->Conflict of Interests"}}],"article-number":"48"}}