{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:49Z","timestamp":1777806109959,"version":"3.51.4"},"reference-count":47,"publisher":"SAGE Publications","issue":"2","license":[{"start":{"date-parts":[[2020,1,6]],"date-time":"2020-01-06T00:00:00Z","timestamp":1578268800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2020,3,17]]},"abstract":"<jats:p>Many Android apps today face problems such as the large application package (APK) size, frequent updates, and so on. The Android plugin technology provides a solution for app developers, allowing a running app to dynamically load and execute a separate APK file without installing it in the system. These dynamically loaded APKs are called plugins. In Android app markets, many multi-instance apps abuse this technology to load normal social apps as plugins. While satisfying the users\u2019 demand for logging into multiple accounts simultaneously, it brings new security threats to the legitimate apps. Sensitive API invocations can be hijacked and private data becomes accessible to malicious multi-instance apps. Therefore, identifying the running environments becomes necessary. In this paper, we propose a novel detection mechanism, named PluginAssassin, to identify whether an app is running as a plugin. PluginAssassin uses the time ratio of different activity launching procedures to determine the running environment, conforming to the observed time lag contradiction phenomenon. We also present a mitigation mechanism for the [Formula: see text] attack specific to our approach. We collect 50 multi-instance apps from two app markets and implement PluginAssassin in five popular social apps. We assess the effectiveness on three devices and the experimental results show that PluginAssassin can detect plugin environments effectively.<\/jats:p>","DOI":"10.3233\/jcs-191325","type":"journal-article","created":{"date-parts":[[2020,1,17]],"date-time":"2020-01-17T09:30:36Z","timestamp":1579253436000},"page":"269-293","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":5,"title":["Do not jail my app: Detecting the Android plugin environments by time lag contradiction"],"prefix":"10.1177","volume":"28","author":[{"given":"Yifang","family":"Wu","sequence":"first","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Jianjun","family":"Huang","sequence":"additional","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Bin","family":"Liang","sequence":"additional","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}]},{"given":"Wenchang","family":"Shi","sequence":"additional","affiliation":[{"name":"School of Information, Renmin University of China, Beijing, China"},{"name":"Key Laboratory of DEKE, Renmin University of China, MOE, China. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}]}],"member":"179","published-online":{"date-parts":[[2020,1,6]]},"reference":[{"key":"ref001","unstructured":"Android App Bundle, https:\/\/developer.android.com\/platform\/technology\/app-bundle."},{"key":"ref002","unstructured":"Android Binder, https:\/\/www.nds.ruhr-uni-bochum.de\/media\/attachments\/files\/2011\/10\/main.pdf."},{"key":"ref003","unstructured":"Android Platform Architecture, https:\/\/developer.android.com\/guide\/platform."},{"key":"ref004","unstructured":"Android Sandbox, https:\/\/source.android.com\/security\/app-sandbox."},{"key":"ref005","unstructured":"ApkTool: A tool for reverse engineering Android apk files, https:\/\/ibotpeaches.github.io\/Apktool."},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"A.\u00a0Bacci, A.\u00a0Bartoli, F.\u00a0Martinelli, E.\u00a0Medvet and F.\u00a0Mercaldo, Detection of obfuscation techniques in Android applications, in: Proceedings of the 13th International Conference on Availability, Reliability and Security, ACM, 2018, p.\u00a057.","DOI":"10.1145\/3230833.3232823"},{"key":"ref007","unstructured":"Baidu, http:\/\/mo.baidu.com."},{"key":"ref008","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_11"},{"key":"ref009","doi-asserted-by":"crossref","unstructured":"I.\u00a0Burguera, U.\u00a0Zurutuza and S.\u00a0Nadjm-Tehrani, Crowdroid: Behavior-based malware detection system for Android, in: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, ACM, 2011, pp.\u00a015\u201326.","DOI":"10.1145\/2046614.2046619"},{"key":"ref010","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2008.4630086"},{"key":"ref011","unstructured":"Content change notifications in Android Oreo, https:\/\/developer.android.com\/about\/versions\/oreo\/android-8.0-changes#ccn."},{"key":"ref012","doi-asserted-by":"publisher","DOI":"10.1145\/2939918.2939926"},{"key":"ref013","unstructured":"DroidPlugin framework, https:\/\/github.com\/Qihoo360\/DroidPlugin."},{"key":"ref014","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Duan, M.\u00a0Zhang, A.V.\u00a0Bhaskar, H.\u00a0Yin, X.\u00a0Pan, T.\u00a0Li, X.\u00a0Wang and X.\u00a0Wang, Things you may not know about Android (un) packers: A systematic study based on whole-system emulation, in: 25th Annual Network and Distributed System Security Symposium, NDSS, 2018, pp.\u00a018\u201321.","DOI":"10.14722\/ndss.2018.23296"},{"key":"ref015","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"ref016","doi-asserted-by":"crossref","unstructured":"L.\u00a0Falsina, Y.\u00a0Fratantonio, S.\u00a0Zanero, C.\u00a0Kruegel, G.\u00a0Vigna and F.\u00a0Maggi, Grab\u2019n run: Secure and practical dynamic code loading for Android applications, in: Proceedings of the 31st Annual Computer Security Applications Conference, ACM, 2015, pp.\u00a0201\u2013210.","DOI":"10.1145\/2818000.2818042"},{"key":"ref017","unstructured":"G.\u00a0Ho, D.\u00a0Boneh, L.\u00a0Ballard and N.\u00a0Provos, Tick tock: Building browser red pills from timing side channels, in: 8th USENIX Workshop on Offensive Technologies (WOOT 14), 2014."},{"key":"ref018","unstructured":"Instagram, https:\/\/www.instagram.com."},{"key":"ref019","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Jing, Z.\u00a0Zhao, G.J.\u00a0Ahn and H.\u00a0Hu, Morpheus: Automatically generating heuristics to detect Android emulators, in: Proceedings of the 30th Annual Computer Security Applications Conference, ACM, 2014, pp.\u00a0216\u2013225.","DOI":"10.1145\/2664243.2664250"},{"key":"ref020","unstructured":"JobScheduler improvements in Android Oreo, https:\/\/developer.android.com\/about\/versions\/oreo\/android-8.0#jobscheduler."},{"key":"ref021","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-03783-7_10"},{"key":"ref022","unstructured":"LINE, https:\/\/line.me\/en."},{"key":"ref023","unstructured":"T.\u00a0Luo, C.\u00a0Zheng, Z.\u00a0Xu and X.\u00a0Ouyang, Anti-plugin: Don\u2019t let your app play as an Android plugin, in: Proceedings of Blackhat Asia, 2017."},{"key":"ref024","unstructured":"Parallel Space, https:\/\/play.google.com\/store\/apps\/details?id=com.lbe.parallel.intl."},{"key":"ref025","doi-asserted-by":"crossref","unstructured":"T.\u00a0Petsas, G.\u00a0Voyatzis, E.\u00a0Athanasopoulos, M.\u00a0Polychronakis and S.\u00a0Ioannidis, Rage against the virtual machine: Hindering dynamic analysis of Android malware, in: Proceedings of the Seventh European Workshop on System Security, ACM, 2014, p.\u00a05.","DOI":"10.1145\/2592791.2592796"},{"key":"ref026","doi-asserted-by":"crossref","unstructured":"S.\u00a0Poeplau, Y.\u00a0Fratantonio, A.\u00a0Bianchi, C.\u00a0Kruegel and G.\u00a0Vigna, Execute this! Analyzing unsafe and malicious dynamic code loading in Android applications, in: NDSS \u201914, 2014, pp.\u00a023\u201326.","DOI":"10.14722\/ndss.2014.23328"},{"key":"ref027","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2017.14"},{"key":"ref028","unstructured":"Restrictions on non-SDK interfaces, https:\/\/developer.android.com\/distribute\/best-practices\/develop\/restrictions-non-sdk-interfaces."},{"key":"ref029","unstructured":"SandDroid, http:\/\/sanddroid.xjtu.edu.cn."},{"key":"ref030","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095812"},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.4236\/jis.2015.63021"},{"key":"ref032","doi-asserted-by":"crossref","unstructured":"M.\u00a0Sun, T.\u00a0Wei and J.\u00a0Lui, Taintart: A practical multi-level information-flow tracking system for Android runtime, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2016, pp.\u00a0331\u2013342.","DOI":"10.1145\/2976749.2978343"},{"key":"ref033","doi-asserted-by":"crossref","unstructured":"S.T.\u00a0Sun, A.\u00a0Cuadros and K.\u00a0Beznosov, Android rooting: Methods, detection, and evasion, in: Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, ACM, 2015, pp.\u00a03\u201314.","DOI":"10.1145\/2808117.2808126"},{"key":"ref034","doi-asserted-by":"crossref","unstructured":"K.\u00a0Tam, S.J.\u00a0Khan, A.\u00a0Fattori and L.\u00a0Cavallaro, CopperDroid: Automatic reconstruction of Android malware behaviors, in: NDSS, 2015.","DOI":"10.14722\/ndss.2015.23145"},{"key":"ref035","unstructured":"Threat Intelligence Team, Malware posing as dual instance app steals users\u2019 Twitter credentials, https:\/\/blog.avast.com\/malware-posing-as-dual-instance-app-steals-users-twitter-credentials."},{"key":"ref036","unstructured":"TraceDroid, http:\/\/tracedroid.few.vu.nl."},{"key":"ref037","unstructured":"Twitter, https:\/\/twitter.com."},{"key":"ref038","doi-asserted-by":"crossref","unstructured":"T.\u00a0Vidas and N.\u00a0Christin, Evading Android runtime analysis via sandbox detection, in: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ACM, 2014, pp.\u00a0447\u2013458.","DOI":"10.1145\/2590296.2590325"},{"key":"ref039","unstructured":"VirtualApp framework, https:\/\/github.com\/asLody\/VirtualApp."},{"key":"ref040","unstructured":"VirusTotal, https:\/\/www.virustotal.com."},{"key":"ref041","unstructured":"WeChat, https:\/\/weixin.qq.com."},{"key":"ref042","unstructured":"L.\u00a0Weichselbaum, M.\u00a0Neugschwandtner, M.\u00a0Lindorfer, Y.\u00a0Fratantonio, V.\u00a0van der Veen and C.\u00a0Platzer, Andrubis: Android malware under the magnifying glass, Technical Report TR-ISECLAB-0414-001, Vienna University of Technology, 2014."},{"key":"ref043","unstructured":"WhatsApp, https:\/\/www.whatsapp.com."},{"key":"ref044","unstructured":"L.K.\u00a0Yan and H.\u00a0Yin, DroidScope: Seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis, in: Presented as Part of the 21st USENIX Security Symposium (USENIX Security 12), 2012, pp.\u00a0569\u2013584."},{"key":"ref045","doi-asserted-by":"crossref","unstructured":"L.\u00a0Zhang, Z.\u00a0Yang, Y.\u00a0He, M.\u00a0Li, S.\u00a0Yang, M.\u00a0Yang, Y.\u00a0Zhang and Z.\u00a0Qian, App in the middle: Demystify application virtualization in Android and its security threats, Proceedings of the ACM on Measurement and Analysis of Computing Systems 3(1) (2019), 17.","DOI":"10.1145\/3322205.3311088"},{"key":"ref046","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Zhang, X.\u00a0Luo and H.\u00a0Yin, DexHunter: Toward extracting hidden code from packed Android applications, in: European Symposium on Research in Computer Security, Springer, 2015, pp.\u00a0293\u2013311.","DOI":"10.1007\/978-3-319-24177-7_15"},{"key":"ref047","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Zhauniarovich, M.\u00a0Ahmad, O.\u00a0Gadyatskaya, B.\u00a0Crispo and F.\u00a0Massacci, StaDynA: Addressing the problem of dynamic code updates in the security analysis of Android applications, in: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, ACM, 2015, pp.\u00a037\u201348.","DOI":"10.1145\/2699026.2699105"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191325","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-191325","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-191325","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:22Z","timestamp":1777495522000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-191325"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,6]]},"references-count":47,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2020,3,17]]}},"alternative-id":["10.3233\/JCS-191325"],"URL":"https:\/\/doi.org\/10.3233\/jcs-191325","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,1,6]]}}}