
arxiv: 2604.27830 · v1 · submitted 2026-04-30 · 💻 cs.CR

WOOTdroid: Whole-system Online On-device Tracing for Android

Pith reviewed 2026-05-07 06:55 UTC · model grok-4.3

classification 💻 cs.CR
keywords Android · eBPF · Binder · system tracing · syscall auditing · security monitoring · on-device analysis · IPC decoding

The pith

WOOTdroid enables whole-system tracing on stock Android without OS or app modifications.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Android auditing loses syscall events under load and cannot see high-level behavior because Binder IPC parcels carry no method names or arguments. WOOTdroid solves both issues on unmodified devices by running an eBPF version of syscall auditing and by capturing Binder parcels inside the kernel then decoding them outside the process against a signature table built with Java reflection. The prototype runs on Pixel 9 devices with Android 16, traces more syscalls than ftrace, and reconstructs ten security-relevant Binder transactions with low overhead. A reader would care because the approach works without root, platform forks, or instrumented apps that sophisticated code can bypass.

Core claim

WOOTdroid is a design and prototype for on-device tracing on stock Android. WDSys ports syscall auditing to eBPF and records 33 percent more syscalls than ftrace with at most 3.6 percent Geekbench overhead. WDBind captures Binder parcels at the kernel level and decodes them out-of-process against a framework signature table extracted via Java reflection. The system is demonstrated by reconstructing ten security-relevant Binder transactions on Pixel 9 devices running Android 16.

What carries the argument

WDSys (eBPF syscall auditing) combined with WDBind (kernel-level Binder parcel capture decoded out-of-process against a Java-reflection signature table).

If this is right

  • Traces 33 percent more syscalls than ftrace without the event loss that affects earlier tracers.
  • Decodes Binder parcels to reveal method names and arguments without instrumenting the traced application.
  • Runs on current stock Android versions such as 16 on Pixel 9 without any platform changes.
  • Reconstructs end-to-end security-relevant IPC transactions from low-level kernel events.
  • Keeps overhead low enough for on-device use, at most 3.6 percent on Geekbench.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same kernel-capture and out-of-process decoding pattern could be applied to other Android IPC channels or to similar mechanisms on other mobile platforms.
  • Reflection-based signature extraction could be reused by dynamic analysis tools that also need to interpret Binder traffic.
  • Running the decoder in a separate process reduces the chance that a malicious application can tamper with the trace output.
  • Wider deployment on additional device models would test whether the eBPF hooks remain stable across kernel variants.

Load-bearing premise

An eBPF port of syscall auditing plus reliable kernel Binder capture and accurate out-of-process decoding against a Java reflection signature table can be implemented on unmodified stock Android kernels and frameworks.

What would settle it

Observing significant syscall event loss under load or systematic failure to decode known Binder parcels correctly on a stock Pixel 9 device running Android 16 would show the claims do not hold.

Figures

Figures reproduced from arXiv: 2604.27830 by Christian Reuter (1), Ephraim Zimmer (1), Max Mühlhäuser (1), Nikolaos Alexopoulos (2), Simon Althaus (1); (1) Technical University of Darmstadt, (2) Athens University of Economics and Business.

Figure 1: Two paths for sending an SMS via Binder and three instrumentation vantage points. Left: a benign app uses the Android SDK, passing through the framework and libbinder. Right: an evasive app constructs the parcel in native code [30] and calls ioctl directly, bypassing the framework. Both paths produce identical bytes at the ioctl boundary. BPFroid’s [13] eBPF uprobes on framework API methods and binder-trac…

Figure 2: Architecture of WOOTdroid. Applications run unmodified. Two eBPF programs in the kernel (WDSys and WDBind) attach to the raw_syscalls tracepoint and emit events through a perf ring buffer to a separate userspace consumer process. The consumer formats syscall log entries (WDSys) and resolves method names and typed arguments for captured Binder transactions (WDBind), using a signature table extracted ahead …

Figure 3: Overview of WDBind with Binder transaction parsing of SMS send example.

… companion app that is run offline before any tracing to dump this table. At the same time, we obtain a list of such classes by enumerating running system services on the device in question. Specifically, using Java reflection, we obtain the specific $Stub class for an interface in question. We iterate over the declared fields of the cla…

Figure 4: Unique event rates (UER) of WDSys and ftrace across 100 application runs.

Figure 5: Audit record produced by WDBind for an SMS send. The record includes the calling process identity, the resolved method name and typed arguments

6 Discussion and Conclusion, 6.1 Discussion. Kernel vantage point as a design principle: WOOTdroid demonstrates that capturing Binder transactions at the ioctl boundary provides semantic reconstruction comparable to user-space hooking, without the evasion surface tho…
Original abstract

System auditing on Android faces two problems. First, existing syscall tracers lose events under load, silently overwriting entries faster than a user space reader can drain them. Second, security-relevant application behavior is mediated through Binder, Android's kernel IPC mechanism, and is therefore hidden from the syscall layer. The Binder parcels that the kernel does see carry no method names or typed arguments, a disconnect between low-level events and high-level behavior known as the semantic gap. Existing approaches address the semantic gap either by modifying the Android platform, making them difficult to adjust to OS updates, or by instrumenting the traced application in user space, which sophisticated adversaries can evade by bypassing the instrumented framework APIs. We present WOOTdroid, a design and prototype for on-device tracing on stock Android that addresses both problems without OS modification or application instrumentation. WDSys, an eBPF port of eAudit-style syscall auditing, runs on current Android with at most 3.6% Geekbench overhead and traces 33% more syscalls than ftrace. WDBind captures Binder parcels in the kernel and decodes them out-of-process against a framework signature table extracted via Java reflection. We demonstrate WOOTdroid on Pixel 9 devices running Android 16 with an end-to-end case study reconstructing ten security-relevant Binder transactions.
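The out-of-process decoding step described above, sketched as an added example (not code from the paper or from WOOTdroid): a captured parcel is matched against an (interface, transaction code) signature table and falls back to raw bytes when no signature applies or parsing fails. The interface `com.example.IDemoSms`, its code 1, the parameter names and the sample bytes are constructed for illustration; the header framing (strict-mode policy, work-source UID, `SYST` marker, UTF-16 descriptor) is assumed from AOSP's Parcel format.

```python
import struct

# 'SYST' packed big-endian into an int32, then written little-endian by the framework
SYST_HEADER = int.from_bytes(b"SYST", "big")

# Constructed signature table: (interface descriptor, transaction code) ->
# (method name, [(parameter name, wire type)]). A real table would be dumped
# ahead of time from the $Stub classes; this entry is hypothetical.
SIGNATURES = {
    ("com.example.IDemoSms", 1): (
        "sendText",
        [("destAddr", "String"), ("text", "String"), ("subId", "int")],
    ),
}


class ParcelReader:
    """Bounds-checked cursor over the flat bytes of one Binder parcel."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def int32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated int32")
        (value,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return value

    def string16(self):
        n = self.int32()                      # length in UTF-16 code units
        if n == -1:
            return None                       # null string
        if n < 0:
            raise ValueError("negative String16 length")
        end = self.pos + (n + 1) * 2          # payload plus 2-byte terminator
        if end > len(self.data):
            raise ValueError("truncated String16")
        text = self.data[self.pos:self.pos + n * 2].decode("utf-16-le")
        self.pos = (end + 3) & ~3             # fields are 4-byte aligned
        return text


READERS = {"int": ParcelReader.int32, "String": ParcelReader.string16}


def decode_transaction(code, data, table=SIGNATURES):
    """Resolve method name and typed arguments, or keep the raw parcel."""
    raw = {"decoded": False, "code": code, "raw": data.hex()}
    try:
        r = ParcelReader(data)
        r.int32()                             # strict-mode policy (ignored)
        r.int32()                             # work-source UID (ignored)
        if r.int32() != SYST_HEADER:
            raise ValueError("missing SYST header")
        iface = r.string16()
        sig = table.get((iface, code))
        if sig is None:                       # unknown interface or method
            return {**raw, "interface": iface, "reason": "no signature"}
        method, params = sig
        args = {name: READERS[wire](r) for name, wire in params}
    except ValueError as exc:                 # includes UTF-16 decode errors
        return {**raw, "reason": str(exc)}
    return {"decoded": True, "interface": iface, "method": method, "args": args}


def s16(s):
    """Encode a String16 field (used only to build the constructed sample)."""
    body = s.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<i", len(body) // 2 - 1) + body + b"\x00" * (-len(body) % 4)


def build_parcel(iface, *fields):
    """Build a constructed request parcel: header, descriptor, then fields."""
    out = struct.pack("<iii", 0, -1, SYST_HEADER) + s16(iface)
    for f in fields:
        out += struct.pack("<i", f) if isinstance(f, int) else s16(f)
    return out


# Constructed sample: what a kernel-side capture of one request might hold.
SAMPLE = build_parcel("com.example.IDemoSms", "+15550100", "hello", 1)

if __name__ == "__main__":
    print(decode_transaction(1, SAMPLE))        # fully decoded record
    print(decode_transaction(99, SAMPLE))       # unknown code: raw fallback
    print(decode_transaction(1, SAMPLE[:-6]))   # truncated capture: raw fallback
```

The two fallback cases keep the event in the audit trail as hex rather than dropping it, so a gap in the signature table shows up as undecoded records instead of missing ones.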

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper presents WOOTdroid, a whole-system online on-device tracing framework for stock Android. It comprises WDSys, an eBPF port of syscall auditing that prevents event loss under load, and WDBind, which captures Binder parcels at the kernel level and decodes them out-of-process into method names and typed arguments using a signature table extracted via Java reflection. The system requires no OS modifications or application instrumentation. On Pixel 9 devices running Android 16, it reports at most 3.6% overhead on Geekbench, traces 33% more syscalls than ftrace, and demonstrates end-to-end reconstruction of ten security-relevant Binder transactions.

Significance. If the Binder decoding proves reliable and complete, the work would be significant for Android security auditing and forensics. It offers a practical alternative to platform modification or app instrumentation for bridging the semantic gap in Binder IPC while maintaining low overhead via eBPF. The prototype on recent stock hardware (Pixel 9/Android 16) and the concrete performance numbers are strengths that could enable new detection tools for high-level malicious behaviors invisible at the syscall layer alone.

major comments (3)
  1. [§5.2] §5.2 (WDBind evaluation): The case study reconstructs exactly ten security-relevant Binder transactions but reports neither the total number of Binder parcels observed during the workload, the overall decoding success rate, nor quantitative error analysis for complex cases such as nested objects, variable-length arrays, or version-specific types. Reflection-based tables are also inherently incomplete for hidden framework methods and AIDL-generated interfaces; without these metrics the claim that WDBind reliably closes the semantic gap remains unverified.
  2. [§5.1] §5.1 (WDSys evaluation): The claims of at most 3.6% Geekbench overhead and 33% more syscalls than ftrace lack error bars from repeated runs, raw data, or a complete methodology describing the exact workloads, ftrace configuration, event-loss measurement procedure, and duration of each trial. These omissions make the performance advantage difficult to reproduce or compare.
  3. [§4.2] §4.2 (WDBind implementation): The out-of-process decoding relies on a static signature table extracted via Java reflection; the manuscript should explicitly discuss coverage limitations for dynamically generated or app-specific Binder interfaces and any fallback behavior when a parcel cannot be decoded.
minor comments (2)
  1. [Abstract and §5.2] The abstract and evaluation sections would benefit from a brief statement of the total Binder transaction volume observed in the case study to contextualize the ten successful reconstructions.
  2. [§5.1] Figure captions and axis labels in the performance plots should explicitly state the number of runs and any statistical measures used.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment below and will revise the manuscript to improve clarity, completeness, and reproducibility of the evaluation and implementation sections.

  1. Referee: [§5.2] §5.2 (WDBind evaluation): The case study reconstructs exactly ten security-relevant Binder transactions but reports neither the total number of Binder parcels observed during the workload, the overall decoding success rate, nor quantitative error analysis for complex cases such as nested objects, variable-length arrays, or version-specific types. Reflection-based tables are also inherently incomplete for hidden framework methods and AIDL-generated interfaces; without these metrics the claim that WDBind reliably closes the semantic gap remains unverified.

    Authors: We agree that the current case study in §5.2 is limited to demonstrating successful reconstruction of ten specific transactions and does not provide aggregate statistics. In the revised version we will report the total number of Binder parcels observed during the evaluated workload and the corresponding overall decoding success rate. We will also add a quantitative breakdown of decoding errors observed for complex cases (nested objects, variable-length arrays, and version-specific types) drawn from our existing traces. We will further expand the discussion of reflection-based extraction to explicitly acknowledge its incompleteness for hidden framework methods and AIDL-generated interfaces, and we will describe the fallback of logging undecoded raw parcels. These additions will better contextualize the reliability of WDBind for the demonstrated security-relevant transactions. revision: yes

  2. Referee: [§5.1] §5.1 (WDSys evaluation): The claims of at most 3.6% Geekbench overhead and 33% more syscalls than ftrace lack error bars from repeated runs, raw data, or a complete methodology describing the exact workloads, ftrace configuration, event-loss measurement procedure, and duration of each trial. These omissions make the performance advantage difficult to reproduce or compare.

    Authors: We acknowledge that §5.1 currently omits several details required for full reproducibility. In the revision we will provide a complete methodology subsection that specifies the exact workloads, ftrace configuration parameters, event-loss measurement procedure, and trial durations. We will also add error bars derived from repeated runs and, to the extent the original data permit, make raw performance numbers available as supplementary material. If additional runs are needed to generate statistically robust error bars, we will perform them and update the numbers accordingly. revision: partial

  3. Referee: [§4.2] §4.2 (WDBind implementation): The out-of-process decoding relies on a static signature table extracted via Java reflection; the manuscript should explicitly discuss coverage limitations for dynamically generated or app-specific Binder interfaces and any fallback behavior when a parcel cannot be decoded.

    Authors: We will revise §4.2 to include an explicit discussion of the coverage limitations of the static, reflection-derived signature table with respect to dynamically generated Binder interfaces and app-specific AIDL interfaces. We will also document the fallback behavior: when no matching signature is found, the system logs the raw parcel bytes for offline inspection rather than dropping the event. revision: yes

Circularity Check

0 steps flagged

No significant circularity; claims rest on implementation measurements and case study


The paper presents a system design and prototype (WOOTdroid with WDSys eBPF syscall auditing and WDBind kernel-level Binder parcel capture plus out-of-process decoding) for stock Android without OS changes or app instrumentation. All load-bearing claims are supported by direct empirical results: at most 3.6% Geekbench overhead, 33% more syscalls than ftrace, and an end-to-end case study reconstructing exactly ten security-relevant Binder transactions on Pixel 9/Android 16. No equations, fitted parameters, self-citations, uniqueness theorems, or ansatzes appear in the derivation chain. The central claims do not reduce to self-defined quantities or inputs by construction; they are evaluated through concrete implementation and measurement, which is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 2 invented entities

The central claim rests on two domain assumptions about eBPF availability and Binder decoding fidelity on stock Android plus two new system components introduced by the paper. No free parameters or fitted constants are mentioned in the abstract.

axioms (2)
  • Domain assumption: eBPF is available and sufficiently functional on current Android kernels to support a port of eAudit-style syscall auditing without kernel modifications.
    Required for WDSys to run on stock Android with the reported overhead and event capture rate.
  • Domain assumption: Binder parcels captured in the kernel can be decoded accurately out-of-process using a signature table extracted via Java reflection from the Android framework.
    Central to WDBind bridging the semantic gap without platform changes.
invented entities (2)
  • WDSys (no independent evidence)
    Purpose: eBPF-based whole-system syscall tracer for Android.
    New component presented as an eBPF port of eAudit-style auditing.
  • WDBind (no independent evidence)
    Purpose: kernel-level Binder parcel capturer with out-of-process decoding.
    New component introduced to address the semantic gap for security-relevant IPC.


Reference graph

Works this paper leans on

51 extracted references · 13 canonical work pages

  1. [1] K. A. Talha et al. “APK Auditor: Permission-based Android Malware Detection System”. In: Digital Investigation 13 (June 2015), pp. 1–14. issn: 17422876. doi: 10.1016/j.diin.2015.01.001

  2. [2] A. Mahindru and A. Sangal. “FSDroid:- A Feature Selection Technique to Detect Malware from Android Using Machine Learning Techniques”. In: Multimedia Tools and Applications 80.9 (2021), pp. 13271–13323. issn: 1380-7501. doi: 10.1007/s11042-020-10367-w. PMID: 33462535

  3. [3] A. Mahindru et al. “PermDroid a Framework Developed Using Proposed Feature Selection Approach and Machine Learning Techniques for Android Malware Detection”. In: Scientific Reports 14.1 (May 10, 2024), p. 10724. issn: 2045-2322. doi: 10.1038/s41598-024-60982-y

  4. [4] D. Kshirsagar and P. Agrawal. “A Study of Feature Selection Methods for Android Malware Detection”. In: Journal of Information and Optimization Sciences 43.8 (Nov. 17, 2022), pp. 2111–2120. issn: 0252-2667. doi: 10.1080/02522667.2022.2133218

  5. [5] R. Mayrhofer et al. “The Android Platform Security Model”. In: ACM Trans. Priv. Secur. 24.3 (2021), 19:1–19:35. doi: 10.1145/3448609. url: https://doi.org/10.1145/3448609

  6. [6] G. S. Tuncay. “Android Permissions: Evolution, Attacks, and Best Practices”. In: IEEE Security and Privacy 22.6 (Nov. 1, 2024), pp. 40–49. issn: 1540-7993. doi: 10.1109/MSEC.2024.3461629

  7. [7] P. Arntz. Android Threats Rise Sharply, with Mobile Malware Jumping by 151% since Start of Year. Malwarebytes. June 30, 2025. url: https://www.malwarebytes.com/blog/news/2025/06/android-threats-rise-sharply-with-mobile-malware-jumping-by-151-since-start-of-year (visited on 09/09/2025)

  8. [8] R. Sekar et al. “eAUDIT: A Fast, Scalable and Deployable Audit Data Collection System”. In: 2024 IEEE Symposium on Security and Privacy (SP). Los Alamitos, CA, USA: IEEE Computer Society, May 2024, pp. 90–90. doi: 10.1109/SP54263.2024.00087

  9. [9] M. A. Inam et al. “SoK: History Is a Vast Early Warning System: Auditing the Provenance of System Intrusions”. In: 44th IEEE Symposium on Security and Privacy, SP 2023, San Francisco, CA, USA, May 21-25, 2023. IEEE, 2023, pp. 2620–2638. doi: 10.1109/SP46215.2023.10179405

  10. [10] Auditd(8): Audit Daemon - Linux Man Page. url: https://linux.die.net/man/8/auditd (visited on 04/17/2026)

  11. [11] M. Gordon et al. ClearScope: Full Stack Provenance Graph Generation for Transparent Computing on Mobile Devices. Final Technical Report AFRL-RY-WP-TR-2020-0013. DTIC Accession Number: AD1103275. Air Force Research Laboratory, Sensors Directorate, Wright-Patterson AFB OH, July 2020. url: https://apps.dtic.mil/sti/citations/AD1103275

  12. [12] Foundryzero/Binder-Trace. Foundry Zero, Sept. 17, 2025. url: https://github.com/foundryzero/binder-trace (visited on 09/19/2025)

  13. [13] Y. Agman and D. Hendler. “BPFroid: Robust Real Time Android Malware Detection Framework”. In: CoRR abs/2105.14344 (2021). arXiv: 2105.14344

  14. [14] K. Tam et al. “CopperDroid: Automatic Reconstruction of Android Malware Behaviors”. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, February 8-11, 2015. The Internet Society, 2015

  15. [15] A. Ruggia et al. “Unmasking the Veiled: A Comprehensive Analysis of Android Evasive Malware”. In: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. ASIA CCS ’24. New York, NY, USA: Association for Computing Machinery, July 1, 2024, pp. 383–398. isbn: 979-8-4007-0482-6. doi: 10.1145/3634737.3637658

  16. [16] T. Warren. Major Windows BSOD Issue Hits Banks, Airlines, and TV Broadcasters. https://www.theverge.com/2024/7/19/24201717/windows-bsod-crowdstrike-outage-issue. July 2024. (Visited on 10/20/2025)

  17. [17] No More Blue Fridays. https://www.brendangregg.com/blog/2024-07-22/no-more-blue-fridays.html. (Visited on 10/20/2025)

  18. [18] J. Levin. Power User’s View. 2nd edition. Vol. 1. Android Internals. New Jersey: Technologeeks Press, 2021. isbn: 978-0-9910555-4-8

  19. [19] J. Levin. Developer’s View. Vol. 2. Android Internals. New Jersey: Technologeeks Press, 2022. isbn: 978-0-9910555-4-8

  20. [20] N. Husted et al. “Android Provenance: Diagnosing Device Disorders”. In: 5th Workshop on the Theory and Practice of Provenance, TaPP’13, Lombard, IL, USA, April 2-3, 2013. Ed. by A. Meliou and V. Tannen. USENIX Association, 2013

  21. [21] W. Enck et al. “TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones”. In: Commun. ACM 57.3 (2014), pp. 99–106. doi: 10.1145/2494522. url: https://doi.org/10.1145/2494522

  22. [22] M. Sun et al. “TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime”. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016. Ed. by E. R. Weippl et al. ACM, 2016, pp. 331–342. doi: 10.1145/2976749.2978343. url: https://doi.org/10.1145/2976749.2978343

  23. [23] R. Whitwam. Google makes Android development private, will continue open source releases. https://arstechnica.com/gadgets/2025/03/google-makes-android-development-private-will-continue-open-source-releases/. Mar. 2025. (Visited on 11/12/2025)

  24. [24] F. Z. Ltd. Binder Tracing Part 2 - Extracting and Parsing the data. https://foundryzero.co.uk/2022/11/14/binder-tracing-part-2.html. Nov. 2022. (Visited on 11/12/2025)

  25. [25] NULL. Null-Luo/Btrace. Oct. 14, 2025. url: https://github.com/null-luo/btrace (visited on 10/16/2025)

  26. [26] D. Nisi et al. “Exploring Syscall-Based Semantics Reconstruction of Android Applications”. In: 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019, Chaoyang District, Beijing, China, September 23-25, 2019. USENIX Association, 2019, pp. 517–531

  27. [27] N. Alexopoulos et al. SliceDroid: Towards Reconstructing Android Application I/O Behaviors from Kernel Traces. Zenodo, Aug. 2025. doi: 10.5281/zenodo.16745322

  28. [28] A. Anarkulov et al. Choose Your Fighter: A New Stage in the Evolution of Android SMS Stealers in Uzbekistan. Group-IB. Dec. 19, 2025. url: https://www.group-ib.com/blog/mobile-malware-uzbekistan/ (visited on 04/13/2026)

  29. [29] A. Ruggia et al. “The Dark Side of Native Code on Android”. In: ACM Transactions on Privacy and Security 28.2 (Feb. 2025), 13:1–13:33. doi: 10.1145/3712308. url: https://doi.org/10.1145/3712308

  30. [30] L. Kirk. “Beyond Java: Obfuscating Android Apps with Purely Native Code”. In: Troopers Security Conference (Troopers23). Slides available at https://troopers.de/downloads/troopers23/TR23_BeyondJava.pdf; proof-of-concept code at https://github.com/LaurieWired/AndroidPurelyNative_- Troopers23. Heidelberg, Germany, June 2023. url: https://troopers.de/troopers2...

  31. [31] M. Stone. “Unpacking the Packed Unpacker: Reversing an Android Anti-Analysis Native Library”. In: Proceedings of the 28th Virus Bulletin International Conference (VB2018). Montreal, Canada: Virus Bulletin Ltd., Oct. 2018. url: https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Stone.pdf (visited on 04/13/2026)

  32. [32] Binder.c - Android Code Search. url: https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/android/binder.c;l=5647?q=binder_ioctl_write_read&sq= (visited on 04/17/2026)

  33. [33] Extend the Kernel with eBPF. Android Open Source Project. url: https://source.android.com/docs/core/architecture/kernel/bpf (visited on 04/17/2026)

  34. [34] Build Pixel Kernels. Android Open Source Project. url: https://source.android.com/docs/setup/build/building-pixel-kernels (visited on 04/17/2026)

  35. [35] Iovisor/Bcc. IO Visor Project, Apr. 16, 2026. url: https://github.com/iovisor/bcc (visited on 04/17/2026)

  36. [36] Facebookexperimental/ExtendedAndroidTools. Meta Experimental, Apr. 10, 2026. url: https://github.com/facebookexperimental/ExtendedAndroidTools (visited on 04/17/2026)

  37. [37] Joel. Joelagnel/Adeb. Jan. 1, 2026. url: https://github.com/joelagnel/adeb (visited on 04/17/2026)

  38. [38] weishu. Tiann/Eadb. Apr. 10, 2026. url: https://github.com/tiann/eadb (visited on 04/17/2026)

  39. [39] BPF Ring Buffer — The Linux Kernel Documentation. url: https://www.kernel.org/doc/html/next/bpf/ringbuf.html (visited on 04/17/2026)

  40. [40] Arm Memory Tagging Extension (MTE) | Android NDK. Android Developers. url: https://developer.android.com/ndk/guides/arm-mte (visited on 04/17/2026)

  41. [41] Arm Memory Tagging Extension. Android Open Source Project. url: https://source.android.com/docs/security/test/memory-safety/arm-mte (visited on 04/17/2026)

  42. [42] J. Wu. Topjohnwu/Magisk. Apr. 17, 2026. url: https://github.com/topjohnwu/Magisk (visited on 04/17/2026)

  43. [43] J. Zheng et al. “Rethinking Process Management for Interactive Mobile Systems”. In: Proceedings of the 30th Annual International Conference on Mobile Computing and Networking, ACM MobiCom 2024, Washington D.C., DC, USA, November 18-22, 2024. Ed. by W. Shi et al. ACM, 2024, pp. 215–229. doi: 10.1145/3636534.3649357

  44. [44] Y. Lin et al. “Peep With A Mirror: Breaking The Integrity of Android App Sandboxing via Unprivileged Cache Side Channel”. In: 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, PA, USA, August 14-16, 2024. Ed. by D. Balzarotti and W. Xu. USENIX Association, 2024. url: https://www.usenix.org/conference/usenixsecurity24/presenta...

  45. [45] Geekbench 6 - Cross-Platform Benchmark. url: https://www.geekbench.com/ (visited on 04/17/2026)

  46. [46] D. T. Milano. Dtmilano/AndroidViewClient. Apr. 13, 2026. url: https://github.com/dtmilano/AndroidViewClient (visited on 04/17/2026)

  47. [47] UI/Application Exerciser Monkey | Android Studio. Android Developers. url: https://developer.android.com/studio/test/other-testing-tools/monkey (visited on 04/17/2026)

  48. [48] F. Olano. Facundoolano/Google-Play-Scraper. Apr. 15, 2026. url: https://github.com/facundoolano/google-play-scraper (visited on 04/17/2026)

  49. [49] EFForg/Apkeep. Electronic Frontier Foundation, Apr. 16, 2026. url: https://github.com/EFForg/apkeep (visited on 04/17/2026)

  50. [50] Build Multiple APKs | Android Studio. Android Developers. url: https://developer.android.com/build/configure-apk-splits (visited on 04/17/2026)

  51. [51] S. Rasthofer et al. “A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks”. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014. The Internet Society, 2014. url: https://www.ndss-symposium.org/ndss2014/machine-learning-approach-classifying-and-cat...