{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T19:22:48Z","timestamp":1776885768233,"version":"3.51.2"},"reference-count":64,"publisher":"Association for Computing Machinery (ACM)","issue":"ISSTA","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,22]]},"abstract":"<jats:p>The Notification Listener Service (NLS) in Android allows third-party apps to monitor and process device notifications, enabling powerful features but also introducing security and privacy risks. Despite the special permission required to access NLS, it has been recurrently exploited by malicious actors. However, there is a lack of systematic investigation into NLS usage patterns and their security implications. In this paper, we propose NLRadar, a hybrid approach combining static analysis and LLM to examine NLS usage in Android apps. We apply NLRadar to a large scale of apps, including both malware and regular apps, to demystify NLS usage and to uncover abuses. Our analysis reveals that NLS is heavily abused, with interesting discoveries such as apps insecurely storing social media messages, exploiting NLS for destructive competition or SMS credential stealing, and leveraging NLS to spread promotional messages or even malicious links. We also find undisclosed changes in NLS usage through app updates and inadequate disclosure in privacy policies. Our findings emphasize the need for more rigorous vetting of NLS usage and better developer education on responsible NLS practices.<\/jats:p>","DOI":"10.1145\/3728898","type":"journal-article","created":{"date-parts":[[2025,6,22]],"date-time":"2025-06-22T10:52:56Z","timestamp":1750589576000},"page":"434-456","source":"Crossref","is-referenced-by-count":1,"title":["Walls Have Ears: Demystifying Notification Listener Usage in Android Apps"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-1876-9285","authenticated-orcid":false,"given":"Jiapeng","family":"Deng","sequence":"first","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5216-933X","authenticated-orcid":false,"given":"Tianming","family":"Liu","sequence":"additional","affiliation":[{"name":"Monash University, Melbourne, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8793-5367","authenticated-orcid":false,"given":"Yanjie","family":"Zhao","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-8117-0352","authenticated-orcid":false,"given":"Chao","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-6642-2238","authenticated-orcid":false,"given":"Lin","family":"Zhang","sequence":"additional","affiliation":[{"name":"The National Computer Emergency Response Team\/Coordination Center of China (CNCERT\/CC), Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1100-8633","authenticated-orcid":false,"given":"Haoyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]}],"member":"320","published-online":{"date-parts":[[2025,6,22]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Expanding target API level requirements","year":"2019","unstructured":"2019. Expanding target API level requirements in 2019. https:\/\/android-developers.googleblog.com\/2019\/02\/expanding-target-api-level-requirements.html"},{"key":"e_1_2_1_2_1","unstructured":"2019. Malware sidesteps Google policy with new 2FA bypass technique. https:\/\/www.welivesecurity.com\/2019\/06\/17\/malware-google-permissions-2fa-bypass\/"},{"key":"e_1_2_1_3_1","unstructured":"2021. Beware \u2014 A New Wormable Android Malware Spreading Through WhatsApp. https:\/\/thehackernews.com\/2021\/01\/beware-new-wormable-android-malware.html"},{"key":"e_1_2_1_4_1","unstructured":"2022. Android target API level requirements. https:\/\/seller.samsungapps.com\/notice\/getNoticeDetail.as?csNoticeID=0000007234"},{"key":"e_1_2_1_5_1","unstructured":"2023. Alien Android Banking Trojan Sidesteps 2FA | Threatpost. https:\/\/threatpost.com\/alien-android-2fa\/159517\/"},{"key":"e_1_2_1_6_1","unstructured":"2023. Promiscuous Permissions: Catching Your Android Apps in the Act | Keysight Blogs. https:\/\/www.keysight.com\/blogs\/en\/tech\/nwvs\/2023\/03\/24\/promiscuous-permissions-catching-your-android-apps-in-the-act"},{"key":"e_1_2_1_7_1","unstructured":"2023. Scoped Storage. https:\/\/source.android.com\/docs\/core\/storage\/scoped"},{"key":"e_1_2_1_8_1","unstructured":"2023. Sneaky DogeRAT Trojan Poses as Popular Apps Targets Indian Android Users. https:\/\/thehackernews.com\/2023\/05\/sneaky-dogerat-trojan-poses-as-popular.html"},{"key":"e_1_2_1_9_1","unstructured":"2023. Target API level requirements for Google Play apps. https:\/\/support.google.com\/googleplay\/android-developer\/answer\/11926878"},{"key":"e_1_2_1_10_1","unstructured":"2023. Technical analysis of SOVA android malware. https:\/\/muha2xmad.github.io\/malware-analysis\/sova\/"},{"key":"e_1_2_1_11_1","unstructured":"2024. BIND_NOTIFICATION_LISTENER_SERVICE | Manifest.permission | Android Developers. https:\/\/developer.android.com\/reference\/android\/Manifest.permission#BIND_NOTIFICATION_LISTENER_SERVICE"},{"key":"e_1_2_1_12_1","unstructured":"2024. Gift Offer Results APK (Android App) - Free Download. https:\/\/apkcombo.com\/gift-offer-results\/com.magis.app\/"},{"key":"e_1_2_1_13_1","unstructured":"2024. GPT-4o | OpenAI. https:\/\/openai.com\/index\/hello-gpt-4o\/"},{"key":"e_1_2_1_14_1","unstructured":"2024. Jelly Bean | Android Developers. https:\/\/developer.android.com\/about\/versions\/jelly-bean"},{"key":"e_1_2_1_15_1","unstructured":"2024. Market Distribution of the Regular App Dataset | NLRadar. https:\/\/github.com\/security-pride\/NLRadar\/tree\/master\/ApkInfo"},{"key":"e_1_2_1_16_1","unstructured":"2024. NotificationListenerService | Android Developers. https:\/\/developer.android.com\/reference\/android\/service\/notification\/NotificationListenerService"},{"key":"e_1_2_1_17_1","unstructured":"2024. Notifications overview | Android Developers. https:\/\/developer.android.com\/develop\/ui\/views\/notifications"},{"key":"e_1_2_1_18_1","unstructured":"2024. Prompting Questions for Assessing NLS Usage Security and Chain-of-thought Reasoning Example | NLRadar. https:\/\/github.com\/security-pride\/NLRadar\/tree\/master\/NLRadar\/LLM_Evaluation"},{"key":"e_1_2_1_19_1","unstructured":"2024. Save data in a local database using Room - Android Developers. https:\/\/developer.android.com\/training\/data-storage\/room"},{"key":"e_1_2_1_20_1","unstructured":"2024. SharedPreferences | Android Developers. https:\/\/developer.android.com\/training\/data-storage\/shared-preferences"},{"key":"e_1_2_1_21_1","unstructured":"2024. StatusBarNotification | Android Developers. https:\/\/developer.android.com\/reference\/android\/service\/notification\/StatusBarNotification"},{"key":"e_1_2_1_22_1","unstructured":"2024. Using Binder IPC | Android Open Source Project. https:\/\/source.android.com\/docs\/core\/architecture\/hidl\/binder-ipc"},{"key":"e_1_2_1_23_1","unstructured":"2025. Code Snippets of Identified NLS Abuse Examples | NLRadar. https:\/\/github.com\/security-pride\/NLRadar\/tree\/master\/NLRadar\/LLM_Evaluation\/Abuse_Example"},{"key":"e_1_2_1_24_1","unstructured":"2025. deepseek-ai\/DeepSeek-R1. https:\/\/github.com\/deepseek-ai\/DeepSeek-R1"},{"key":"e_1_2_1_25_1","unstructured":"2025. Fiddler B. https:\/\/www.telerik.com\/fiddler-b"},{"key":"e_1_2_1_26_1","unstructured":"2025. GitHub - skylot\/jadx: Dex to Java decompiler. https:\/\/github.com\/skylot\/jadx"},{"key":"e_1_2_1_27_1","unstructured":"2025. Intent | API reference | Android Developers. https:\/\/developer.android.com\/reference\/android\/content\/Intent"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1016\/J.PROCS.2016.04.210"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2994459.2994469"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903508"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594299"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813652"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3623317"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCNC.2016.7444898"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","unstructured":"Kyle Denney A Selcuk Uluagac Hidayet Aksu and Kemal Akkaya. 2018. An Android-Based Covert Channel Framework on Wearables Using Status Bar Notifications. Versatile Cybersecurity 1\u201317. https:\/\/doi.org\/10.1007\/978-3-319-97643-3_1 10.1007\/978-3-319-97643-3_1","DOI":"10.1007\/978-3-319-97643-3_1"},{"key":"e_1_2_1_36_1","volume-title":"22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID","author":"Diao Wenrui","year":"2019","unstructured":"Wenrui Diao, Yue Zhang, Li Zhang, Zhou Li, Fenghao Xu, Xiaorui Pan, Xiangyu Liu, Jian Weng, Kehuan Zhang, and XiaoFeng Wang. 2019. Kindness is a Risky Business: On the Usage of the Accessibility $APIs$ in Android. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019). 261\u2013275."},{"key":"e_1_2_1_37_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Dong Zikan","year":"2024","unstructured":"Zikan Dong, Tianming Liu, Jiapeng Deng, Li Li, Minghui Yang, Meng Wang, Guosheng Xu, and Guoai Xu. 2024. Exploring Covert Third-party Identifiers through External Storage in the Android New Era. In 33rd USENIX Security Symposium (USENIX Security 24). 4535\u20134552."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3695988"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1155\/2018\/8510256"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660295"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-05149-9_8"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.48"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970277"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660302"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3643730"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00017"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN58367.2023.00017"},{"key":"e_1_2_1_48_1","volume-title":"Measuring the Logging of Sensitive Information in the Android Ecosystem. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Lyons Allan","year":"2023","unstructured":"Allan Lyons, Julien Gamba, Austin Shawaga, Joel Reardon, Juan Tapiador, Serge Egelman, and Narseo Vallina-Rodr\u00edguez. 2023. Log:$It\u2019s$ Big,$It\u2019s$ Heavy,$It\u2019s$ Filled with Personal Data! Measuring the Logging of Sensitive Information in the Android Ecosystem. In 32nd USENIX Security Symposium (USENIX Security 23). 2115\u20132132."},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639187"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2019-0031"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2024.3439095"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23039"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2024-0151"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","unstructured":"Xiaoyu Sun Li Li Tegawend\u00e9 F Bissyand\u00e9 Jacques Klein Damien Octeau and John Grundy. 2020. Taming Reflection: An Essential Step Towards Whole-Program Analysis of Android Apps. ACM Transactions on Software Engineering and Methodology (TOSEM) https:\/\/doi.org\/10.1145\/3440033 10.1145\/3440033","DOI":"10.1145\/3440033"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","unstructured":"Xiaoyu Tan Yongxin Deng Xihe Qiu Weidi Xu Chao Qu Wei Chu Yinghui Xu and Yuan Qi. 2024. Thought-Like-Pro: Enhancing Reasoning of Large Language Models through Self-Driven Prolog-based Chain-of-Though. arXiv preprint arXiv:2407.14562 https:\/\/doi.org\/10.48550\/arXiv.2407.14562 10.48550\/arXiv.2407.14562","DOI":"10.48550\/arXiv.2407.14562"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/1925805.1925818"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3530906"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3386252"},{"key":"e_1_2_1_59_1","volume-title":"Chi, Quoc V Le, and Denny Zhou","author":"Wei Jason","year":"2022","unstructured":"Jason Wei, Xuezhi Wang, Dale Schuurmans, Maarten Bosma, Fei Xia, Ed Chi, Quoc V Le, and Denny Zhou. 2022. Chain-of-thought prompting elicits reasoning in large language models. Advances in neural information processing systems, 35 (2022), 24824\u201324837."},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970312"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","unstructured":"HanXiang Xu ShenAo Wang Ningke Li Yanjie Zhao Kai Chen Kailong Wang Yang Liu Ting Yu and HaoYu Wang. 2024. Large language models for cyber security: A systematic literature review. arXiv preprint arXiv:2405.04760 https:\/\/doi.org\/10.48550\/arXiv.2405.04760 10.48550\/arXiv.2405.04760","DOI":"10.48550\/arXiv.2405.04760"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510454.3516864"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00072"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560601"}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3728898","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T16:50:50Z","timestamp":1752684650000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3728898"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,22]]},"references-count":64,"journal-issue":{"issue":"ISSTA","published-print":{"date-parts":[[2025,6,22]]}},"alternative-id":["10.1145\/3728898"],"URL":"https:\/\/doi.org\/10.1145\/3728898","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,22]]}}}