{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,7]],"date-time":"2026-04-07T16:26:14Z","timestamp":1775579174314,"version":"3.50.1"},"reference-count":65,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2025,2,22]],"date-time":"2025-02-22T00:00:00Z","timestamp":1740182400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"funder":[{"name":"French National Research Agency with references","award":["ANR-22-PECY-0007, ANR-23-IAS4-0001"],"award-info":[{"award-number":["ANR-22-PECY-0007, ANR-23-IAS4-0001"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,5,31]]},"abstract":"<jats:p>From a little research experiment to an essential component of military arsenals, malicious software has constantly been growing and evolving for more than three decades. On the other hand, from a negligible market share, the Android operating system is nowadays the most widely used mobile operating system, becoming a desirable target for large-scale malware distribution. While scientific literature has followed this trend, one aspect has been understudied: the role of native code in malicious Android apps. Android apps are written in high-level languages, but thanks to the Java Native Interface (JNI), Android also supports calling native (C\/C++) library functions. While allowing native code in Android apps has a strong positive impact from a performance perspective, it dramatically complicates its analysis because bytecode and native code need different abstractions and analysis algorithms, and they thus pose different challenges and limitations. Consequently, these difficulties are often (ab)used to hide malicious payloads.<\/jats:p>\n          <jats:p>\n            In this work, we propose a novel methodology to reverse engineering Android apps focusing on\n            <jats:italic>suspicious<\/jats:italic>\n            patterns related to native components, i.e., surreptitious code that requires further inspection. We implemented a static analysis tool based on such methodology, which can bridge the \u201cJava\u201d and the native worlds and perform an in-depth analysis of\n            <jats:italic>tag<\/jats:italic>\n            code blocks responsible for suspicious behavior. These tags benefit the human facing the reverse engineering task: they clearly indicate which part of the code to focus on to find malicious code.\n          <\/jats:p>\n          <jats:p>Then, we performed a longitudinal analysis of Android malware over the past 10 years and compared the recent malicious samples with actual top apps on the Google Play Store. Our work depicts typical behaviors of modern malware, its evolution, and how it abuses the native layer to complicate the analysis, especially with dynamic code loading and novel anti-analysis techniques. Finally, we show a use case for our suspicious tags: we trained and tested a machine learning algorithm for a binary classification task. Even if suspicious does not imply malicious, our classifier obtained a remarkable F1-score of 0.97, showing that our methodology can be helpful to both humans and machines.<\/jats:p>","DOI":"10.1145\/3712308","type":"journal-article","created":{"date-parts":[[2025,1,17]],"date-time":"2025-01-17T10:18:15Z","timestamp":1737109095000},"page":"1-33","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["The Dark Side of Native Code on Android"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2435-9993","authenticated-orcid":false,"given":"Antonio","family":"Ruggia","sequence":"first","affiliation":[{"name":"EURECOM - Campus SophiaTech, Sophia Antipolis, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1223-0658","authenticated-orcid":false,"given":"Andrea","family":"Possemato","sequence":"additional","affiliation":[{"name":"EURECOM, Sophia Antipolis, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0988-9366","authenticated-orcid":false,"given":"Savino","family":"Dambra","sequence":"additional","affiliation":[{"name":"GenDigital, Sophia Antipolis, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2272-2376","authenticated-orcid":false,"given":"Alessio","family":"Merlo","sequence":"additional","affiliation":[{"name":"CASD - School of Advanced Defense Studies, Rome, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9547-3502","authenticated-orcid":false,"given":"Simone","family":"Aonzo","sequence":"additional","affiliation":[{"name":"EURECOM, Sophia Antipolis, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5957-6213","authenticated-orcid":false,"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"EURECOM, Sophia Antipolis, France"}]}],"member":"320","published-online":{"date-parts":[[2025,2,22]]},"reference":[{"key":"e_1_3_3_2_2","unstructured":"2022. Jiagu. Retrieved January 29 2025 from http:\/\/jiagu.360.cn\/"},{"key":"e_1_3_3_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243842"},{"key":"e_1_3_3_4_2","first-page":"1","volume-title":"Proceedings of the Network and Distributed System Security Symposium","author":"Afonso Vitor","year":"2016","unstructured":"Vitor Afonso, Antonio Bianchi, Yanick Fratantonio, Adam Doup\u00e9, Mario Polino, Paulo de Geus, Christopher Kruegel, and Giovanni Vigna. 2016. Going native: Using a large-scale analysis of android apps to create a practical native-code sandboxing policy. In Proceedings of the Network and Distributed System Security Symposium. 1\u201315."},{"key":"e_1_3_3_5_2","article-title":"Ghidra: A Software Reverse Engineering (SRE)","author":"Agency NSA National Security","year":"2022","unstructured":"NSA National Security Agency. 2022. Ghidra: A Software Reverse Engineering (SRE). Retrieved January 29, 2025 from https:\/\/ghidra-sre.org\/","journal-title":"https:\/\/ghidra-sre.org\/"},{"key":"e_1_3_3_6_2","unstructured":"Alfred V. Aho Ravi Sethi and Jeffrey D. Ullman. 1986. Compilers: Principles Techniques and Tools. Addison-Wesley Longman Publishing Co. Inc. USA."},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.11.011"},{"key":"e_1_3_3_8_2","first-page":"468","volume-title":"Proceedings of the 2016 IEEE\/ACM 13th Working Conference on Mining Software Repositories (MSR\u201916)","author":"Allix Kevin","year":"2016","unstructured":"Kevin Allix, Tegawend\u00e9 F. Bissyand\u00e9, Jacques Klein, and Yves Le Traon. 2016. Androzoo: Collecting millions of android apps for the research community. In Proceedings of the 2016 IEEE\/ACM 13th Working Conference on Mining Software Repositories (MSR\u201916). IEEE, 468\u2013471."},{"key":"e_1_3_3_9_2","doi-asserted-by":"crossref","first-page":"567","DOI":"10.1109\/ICCKE50421.2020.9303643","volume-title":"Proceedings of the 2020 10th International Conference on Computer and Knowledge Engineering (ICCKE\u201920)","author":"Andarzian Seyed Behnam","year":"2020","unstructured":"Seyed Behnam Andarzian and Behrouz Tork Ladani. 2020. Compositional taint analysis of native codes for security vetting of android applications. In Proceedings of the 2020 10th International Conference on Computer and Knowledge Engineering (ICCKE\u201920). IEEE, 567\u2013572."},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594299"},{"key":"e_1_3_3_11_2","article-title":"Android Anti-Hooking Techniques in Java","author":"Bergman Neil","year":"2015","unstructured":"Neil Bergman. 2015. Android Anti-Hooking Techniques in Java. Retrieved January 29, 2025 from https:\/\/d3adend.org\/blog\/posts\/android-anti-hooking-techniques-in-java\/","journal-title":"https:\/\/d3adend.org\/blog\/posts\/android-anti-hooking-techniques-in-java\/"},{"key":"e_1_3_3_12_2","article-title":"CVE-2011-1823","author":"Corporation The MITRE","year":"2011","unstructured":"The MITRE Corporation. 2011. CVE-2011-1823. Retrieved January 29, 2025 from https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2011-1823","journal-title":"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2011-1823"},{"key":"e_1_3_3_13_2","article-title":"CVE-2014-3153","author":"Corporation The MITRE","year":"2014","unstructured":"The MITRE Corporation. 2014. CVE-2014-3153. Retrieved January 29, 2025 from https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-3153","journal-title":"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-3153"},{"key":"e_1_3_3_14_2","article-title":"CVE-2016-5195","author":"Corporation The MITRE","year":"2016","unstructured":"The MITRE Corporation. 2016. CVE-2016-5195. Retrieved January 29, 2025 from https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=cve-2016-5195","journal-title":"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=cve-2016-5195"},{"key":"e_1_3_3_15_2","article-title":"CVE-2019-2215","author":"Corporation The MITRE","year":"2019","unstructured":"The MITRE Corporation. 2019. CVE-2019-2215. Retrieved January 29, 2025 from https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-2215","journal-title":"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-2215"},{"key":"e_1_3_3_16_2","article-title":"Google Play Scraper","year":"2022","unstructured":"Facundoolano. 2022. Google Play Scraper. Retrieved January 29, 2025 from https:\/\/github.com\/facundoolano\/google-play-scraper","journal-title":"https:\/\/github.com\/facundoolano\/google-play-scraper"},{"key":"e_1_3_3_17_2","article-title":"Flutter","year":"2022","unstructured":"Flutter. 2022. Flutter. Retrieved January 29, 2025 from https:\/\/flutter.dev\/","journal-title":"https:\/\/flutter.dev\/"},{"key":"e_1_3_3_18_2","article-title":"Apache Cordova Framework","author":"Foundation The Apache Software","year":"2022","unstructured":"The Apache Software Foundation. 2022. Apache Cordova Framework. Retrieved January 17, 2025 from https:\/\/cordova.apache.org\/","journal-title":"https:\/\/cordova.apache.org\/"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397368"},{"key":"e_1_3_3_20_2","article-title":"Playstore Dowloader","author":"Georgiu Gabriel Claudiu","year":"2022","unstructured":"Gabriel Claudiu Georgiu. 2022. Playstore Dowloader. Retrieved January 29, 2025 from https:\/\/github.com\/ClaudiuGeorgiu\/PlaystoreDownloader","journal-title":"https:\/\/github.com\/ClaudiuGeorgiu\/PlaystoreDownloader"},{"key":"e_1_3_3_21_2","article-title":"BitUnmap: Attacking Android Ashmem","year":"2017","unstructured":"Google. 2017. BitUnmap: Attacking Android Ashmem. Retrieved January 29, 2025 from https:\/\/googleprojectzero.blogspot.com\/2016\/12\/bitunmap-attacking-android-ashmem.html","journal-title":"https:\/\/googleprojectzero.blogspot.com\/2016\/12\/bitunmap-attacking-android-ashmem.html"},{"key":"e_1_3_3_22_2","article-title":"Android Use-After-Free in Binder","year":"2020","unstructured":"Google. 2020. Android Use-After-Free in Binder. Retrieved January 29, 2025 from https:\/\/googleprojectzero.github.io\/0days-in-the-wild\/0day-RCAs\/2019\/CVE-2019-2215.html","journal-title":"https:\/\/googleprojectzero.github.io\/0days-in-the-wild\/0day-RCAs\/2019\/CVE-2019-2215.html"},{"key":"e_1_3_3_23_2","article-title":"The Activity Lifecycle","year":"2022","unstructured":"Google. 2022. The Activity Lifecycle. Retrieved January 29, 2025 from https:\/\/developer.android.com\/guide\/components\/activities\/activity-lifecycle","journal-title":"https:\/\/developer.android.com\/guide\/components\/activities\/activity-lifecycle"},{"key":"e_1_3_3_24_2","article-title":"Android ABIs","year":"2022","unstructured":"Google. 2022. Android ABIs. Retrieved January 29, 2025 from https:\/\/developer.android.com\/ndk\/guides\/abis","journal-title":"https:\/\/developer.android.com\/ndk\/guides\/abis"},{"key":"e_1_3_3_25_2","article-title":"Android App Bundle","year":"2022","unstructured":"Google. 2022. Android App Bundle. Retrieved January 29, 2025 from https:\/\/developer.android.com\/guide\/app-bundle","journal-title":"https:\/\/developer.android.com\/guide\/app-bundle"},{"key":"e_1_3_3_26_2","article-title":"Android App Categories","year":"2022","unstructured":"Google. 2022. Android App Categories. Retrieved January 29, 2025 from https:\/\/support.google.com\/googleplay\/android-developer\/answer\/9859673","journal-title":"https:\/\/support.google.com\/googleplay\/android-developer\/answer\/9859673"},{"key":"e_1_3_3_27_2","article-title":"Android Linker Source Code, Call_constructors Method","year":"2022","unstructured":"Google. 2022. Android Linker Source Code, Call_constructors Method. Retrieved January 29, 2025 from https:\/\/android.googlesource.com\/platform\/bionic\/+\/master\/linker\/linker_soinfo.cpp#516","journal-title":"https:\/\/android.googlesource.com\/platform\/bionic\/+\/master\/linker\/linker_soinfo.cpp#516"},{"key":"e_1_3_3_28_2","article-title":"Neural Networks API","year":"2023","unstructured":"Google. 2023. Neural Networks API. Retrieved January 29, 2025 from https:\/\/developer.android.com\/ndk\/guides\/neuralnetworks","journal-title":"https:\/\/developer.android.com\/ndk\/guides\/neuralnetworks"},{"key":"e_1_3_3_29_2","article-title":"Permissions on Android","year":"2023","unstructured":"Google. 2023. Permissions on Android. Retrieved January 29, 2025 from https:\/\/developer.android.com\/guide\/topics\/permissions\/overview","journal-title":"https:\/\/developer.android.com\/guide\/topics\/permissions\/overview"},{"key":"e_1_3_3_30_2","article-title":"Android Rust Introduction","year":"2024","unstructured":"Google. 2024. Android Rust Introduction. Retrieved January 29, 2025 from https:\/\/source.android.com\/docs\/setup\/build\/rust\/building-rust-modules\/overview?hl=en","journal-title":"https:\/\/source.android.com\/docs\/setup\/build\/rust\/building-rust-modules\/overview?hl=en"},{"key":"e_1_3_3_31_2","first-page":"110","volume-title":"Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS)","volume":"15","author":"Gordon Michael I.","year":"2015","unstructured":"Michael I. Gordon, Deokhwan Kim, Jeff H. Perkins, Limei Gilham, Nguyen Nguyen, and Martin C. Rinard. 2015. Information flow analysis of android applications in DroidSafe. In Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS). Vol. 15, 110."},{"key":"e_1_3_3_32_2","article-title":"Soot - A Java Optimization Framework","author":"Group Sable Research","year":"2022","unstructured":"Sable Research Group. 2022. Soot - A Java Optimization Framework. Retrieved January 29, 2025 from https:\/\/github.com\/soot-oss\/soot","journal-title":"https:\/\/github.com\/soot-oss\/soot"},{"key":"e_1_3_3_33_2","article-title":"Android DirtyCow","year":"2019","unstructured":"j0nk0. 2019. Android DirtyCow. Retrieved January 29, 2025 from https:\/\/github.com\/j0nk0\/GetRoot-Android-DirtyCow","journal-title":"https:\/\/github.com\/j0nk0\/GetRoot-Android-DirtyCow"},{"key":"e_1_3_3_34_2","article-title":"CVE-2019-2215 Exploit","year":"2019","unstructured":"kangtastic. 2019. CVE-2019-2215 Exploit. Retrieved January 29, 2025 from https:\/\/github.com\/kangtastic\/cve-2019-2215","journal-title":"https:\/\/github.com\/kangtastic\/cve-2019-2215"},{"key":"e_1_3_3_35_2","article-title":"proc.5","author":"Kerrisk Michael","year":"2021","unstructured":"Michael Kerrisk. 2021. proc.5. Retrieved January 29, 2025 from https:\/\/man7.org\/linux\/man-pages\/man5\/proc.5.html","journal-title":"https:\/\/man7.org\/linux\/man-pages\/man5\/proc.5.html"},{"key":"e_1_3_3_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3338990"},{"key":"e_1_3_3_37_2","doi-asserted-by":"crossref","first-page":"280","DOI":"10.1109\/ICSE.2015.48","volume-title":"Proceedings of the 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering","volume":"1","author":"Li Li","year":"2015","unstructured":"Li Li, Alexandre Bartel, Tegawend\u00e9 F Bissyand\u00e9, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2015. IccTA: Detecting inter-component privacy leaks in android apps. In Proceedings of the 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering. Vol. 1, IEEE, 280\u2013291."},{"key":"e_1_3_3_38_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2017.04.001"},{"key":"e_1_3_3_39_2","article-title":"Xamarin","year":"2022","unstructured":"Microsoft. 2022. Xamarin. Retrieved January 29, 2025 from https:\/\/dotnet.microsoft.com\/apps\/xamarin","journal-title":"https:\/\/dotnet.microsoft.com\/apps\/xamarin"},{"key":"e_1_3_3_40_2","volume-title":"Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection","author":"Nagra Jasvir","year":"2009","unstructured":"Jasvir Nagra and Christian Collberg. 2009. Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Pearson Education."},{"key":"e_1_3_3_41_2","first-page":"543","volume-title":"Proceedings of the 22nd  \\(\\lbrace\\) USENIX \\(\\rbrace\\)  Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\)  Security 13)","author":"Octeau Damien","year":"2013","unstructured":"Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective inter-component communication mapping in android: An essential step towards holistic security analysis. In Proceedings of the 22nd \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 13). 543\u2013558."},{"key":"e_1_3_3_42_2","article-title":"The Exploit Database","year":"2009","unstructured":"OffSec. 2009. The Exploit Database. Retrieved January 29, 2025 from https:\/\/www.exploit-db.com\/","journal-title":"https:\/\/www.exploit-db.com\/"},{"key":"e_1_3_3_43_2","article-title":"JNI Functions","year":"2022","unstructured":"Oracle. 2022. JNI Functions. Retrieved January 29, 2025 from https:\/\/docs.oracle.com\/javase\/7\/docs\/technotes\/guides\/jni\/spec\/functions.html","journal-title":"https:\/\/docs.oracle.com\/javase\/7\/docs\/technotes\/guides\/jni\/spec\/functions.html"},{"key":"e_1_3_3_44_2","article-title":"JNI Types and Data Structures","year":"2022","unstructured":"Oracle. 2022. JNI Types and Data Structures. Retrieved January 29, 2025 from https:\/\/docs.oracle.com\/javase\/7\/docs\/technotes\/guides\/jni\/spec\/types.html","journal-title":"https:\/\/docs.oracle.com\/javase\/7\/docs\/technotes\/guides\/jni\/spec\/types.html"},{"key":"e_1_3_3_45_2","article-title":"Oracle JNI","year":"2022","unstructured":"Oracle. 2022. Oracle JNI. Retrieved January 17, 2025 from https:\/\/docs.oracle.com\/javase\/7\/docs\/technotes\/guides\/jni\/spec\/jniTOC.html","journal-title":"https:\/\/docs.oracle.com\/javase\/7\/docs\/technotes\/guides\/jni\/spec\/jniTOC.html"},{"key":"e_1_3_3_46_2","article-title":"Mono Project","author":"Project Mono","year":"2022","unstructured":"Mono Project. 2022. Mono Project. Retrieved January 29, 2025 from https:\/\/www.mono-project.com\/","journal-title":"https:\/\/www.mono-project.com\/"},{"key":"e_1_3_3_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2014.30"},{"key":"e_1_3_3_48_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS)","author":"Rasthofer Siegfried","year":"2016","unstructured":"Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, and Eric Bodden. 2016. Harvesting runtime values in android applications that feature anti-analysis techniques.. In Proceedings of the Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_3_49_2","volume-title":"EUROS&P 2023, Proceedings of the 8th IEEE European Symposium on Security and Privacy","author":"Ruggia Antonio","year":"2023","unstructured":"Antonio Ruggia, Andrea Possemato, Alessio Merlo, Dario Nisi, and Simone Aonzo. 2023. Android, notify me when it is time to go phishing. In EUROS&P 2023, Proceedings of the 8th IEEE European Symposium on Security and Privacy."},{"key":"e_1_3_3_50_2","first-page":"1232","volume-title":"Proceedings of the 2022 IEEE\/ACM 44th International Conference on Software Engineering (ICSE\u201922)","author":"Samhi Jordan","year":"2022","unstructured":"Jordan Samhi, Jun Gao, Nadia Daoudi, Pierre Graux, Henri Hoyez, Xiaoyu Sun, Kevin Allix, Tegawend\u00e9 F. Bissyand\u00e9, and Jacques Klein. 2022. JuCify: A step towards android code unification for enhanced static analysis. In Proceedings of the 2022 IEEE\/ACM 44th International Conference on Software Engineering (ICSE\u201922). IEEE, 1232\u20131244."},{"key":"e_1_3_3_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427261"},{"key":"e_1_3_3_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978343"},{"key":"e_1_3_3_53_2","article-title":"HackingTeam Exploits","author":"Team Hacking","year":"2015","unstructured":"Hacking Team. 2015. HackingTeam Exploits. Retrieved January 29, 2025 from https:\/\/github.com\/f47h3r\/hackingteam_exploits\/tree\/master\/android","journal-title":"https:\/\/github.com\/f47h3r\/hackingteam_exploits\/tree\/master\/android"},{"key":"e_1_3_3_54_2","article-title":"Unity","author":"Technologies Unity","year":"2022","unstructured":"Unity Technologies. 2022. Unity. Retrieved January 29, 2025 from https:\/\/unity.com\/solutions\/mobile\/android-game-development","journal-title":"https:\/\/unity.com\/solutions\/mobile\/android-game-development"},{"key":"e_1_3_3_55_2","article-title":"Android Runtime Restriction Bypass","author":"Thomas Romain","year":"2019","unstructured":"Romain Thomas. 2019. Android Runtime Restriction Bypass. Retrieved January 29, 2025 from https:\/\/blog.quarkslab.com\/android-runtime-restrictions-bypass.html","journal-title":"https:\/\/blog.quarkslab.com\/android-runtime-restrictions-bypass.html"},{"key":"e_1_3_3_56_2","article-title":"300.000+ Infections via Droppers on Google Play Store","year":"2021","unstructured":"ThreatFabric. 2021. 300.000+ Infections via Droppers on Google Play Store. Retrieved January 29, 2025 from https:\/\/threatfabric.com\/blogs\/deceive-the-heavens-to-cross-the-sea.html","journal-title":"https:\/\/threatfabric.com\/blogs\/deceive-the-heavens-to-cross-the-sea.html"},{"key":"e_1_3_3_57_2","doi-asserted-by":"publisher","DOI":"10.1145\/1925805.1925818"},{"key":"e_1_3_3_58_2","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1109\/SecDev.2017.14","volume-title":"Proceedings of the 2017 IEEE Cybersecurity Development Conference (SecDev\u201917)","author":"Wang Fish","year":"2017","unstructured":"Fish Wang and Yan Shoshitaishvili. 2017. Angr-the next generation of binary analysis. In Proceedings of the 2017 IEEE Cybersecurity Development Conference (SecDev\u201917). IEEE, 8\u20139."},{"key":"e_1_3_3_59_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_12"},{"key":"e_1_3_3_60_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243835"},{"key":"e_1_3_3_61_2","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660357"},{"key":"e_1_3_3_62_2","first-page":"543","volume-title":"Proceedings of the 2021 51st Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN\u201921)","author":"Wu Daoyuan","year":"2021","unstructured":"Daoyuan Wu, Debin Gao, Robert H. Deng, and Chang Rocky KC. 2021. When program analysis meets bytecode search: Targeted and efficient inter-procedural analysis of modern android apps in BackDroid. In Proceedings of the 2021 51st Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN\u201921). IEEE, 543\u2013554."},{"key":"e_1_3_3_63_2","first-page":"289","volume-title":"Proceedings of the 26th  \\(\\lbrace\\) USENIX \\(\\rbrace\\)  Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\)  Security\u201917)","author":"Xue Lei","year":"2017","unstructured":"Lei Xue, Yajin Zhou, Ting Chen, Xiapu Luo, and Guofei Gu. 2017. Malton: Towards on-device non-invasive mobile malware analysis for \\(\\lbrace\\) ART \\(\\rbrace\\) . In Proceedings of the 26th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security\u201917). 289\u2013306."},{"key":"e_1_3_3_64_2","first-page":"569","volume-title":"Proceedings of the 21st  \\(\\lbrace\\) USENIX \\(\\rbrace\\)  Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\)  Security\u201912)","author":"Yan Lok Kwong","year":"2012","unstructured":"Lok Kwong Yan and Heng Yin. 2012. Droidscope: Seamlessly reconstructing the \\(\\lbrace\\) OS \\(\\rbrace\\) and Dalvik semantic views for dynamic android malware analysis. In Proceedings of the 21st \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security\u201912). 569\u2013584."},{"key":"e_1_3_3_65_2","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1109\/ICSE.2015.50","volume-title":"Proceedings of the 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering","volume":"1","author":"Yang Wei","year":"2015","unstructured":"Wei Yang, Xusheng Xiao, Benjamin Andow, Sihan Li, Tao Xie, and William Enck. 2015. Appcontext: Differentiating malicious and benign mobile app behaviors using context. In Proceedings of the 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering. Vol. 1, IEEE, 303\u2013313."},{"key":"e_1_3_3_66_2","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489345"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3712308","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3712308","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:10:29Z","timestamp":1750295429000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3712308"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,22]]},"references-count":65,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,5,31]]}},"alternative-id":["10.1145\/3712308"],"URL":"https:\/\/doi.org\/10.1145\/3712308","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,22]]},"assertion":[{"value":"2022-10-06","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-01-04","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-02-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}