
arxiv: 2606.13107 · v1 · pith:OBACYMKTnew · submitted 2026-06-11 · 💻 cs.CR · cs.NI

The Invisible Ink of the Android Malware World: A Longitudinal Study on the Usage of Covert Communication Channels

Pith reviewed 2026-06-27 06:20 UTC · model grok-4.3

classification 💻 cs.CR cs.NI
keywords: android malware · covert channels · longitudinal study · evasion techniques · command and control · static analysis · dynamic analysis · malware families

The pith

Half of the Android malware samples from 2025 use covert channels, up from 0.3 percent in 2012.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tracks how Android malware conceals its contact with external servers by routing traffic through proxies, VPNs, Tor (including Tor pluggable transports) and I2P. The authors ran a combined static and dynamic analysis pipeline over 3.5 million malicious APKs collected between 2009 and July 2025. Static rules flagged 288,000 samples from 511 families as using such channels, with adoption rising exponentially over the period. Some families now combine several channels or switch between them over time. The findings indicate that a growing share of malware evades detection methods that inspect only direct network traffic to the command server.

Core claim

The authors establish that covert channel usage in Android malware grew exponentially from 0.30 percent of samples in 2012 to 50 percent in 2025. Their static rules flagged 288,000 APKs across 511 families; dynamic analysis of flagged samples recorded contacts with 19,308 unique IP addresses in 85 countries, of which 59 addresses in 17 countries were explicitly validated as covert channel endpoints. Longitudinal tracking also showed evolving tactics, including families that adopted multiple channels and one family that switched channels 40 times between 2019 and 2025.

What carries the argument

A multistage pipeline: static validation rules (keyword and library indicators for Tor, Tor pluggable transports, I2P, VPN and proxy usage) applied to system- and network-level features of each APK, followed by dynamic execution with logcat and network capture to confirm which channels a flagged sample actually uses.
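To make the static-rule stage concrete, here is an added example (editorial code, not the authors' pipeline or their released repository) that applies keyword indicators of the kind listed in the paper's Table 4 (reproduced in the Figure 14 caption below) to constructed APK string dumps. The Tor and VPN keyword rows are taken from that table as captured on this page; the proxy row, the structural-indicator sets and the two-indicator threshold are assumptions for illustration. The point is to contrast a naive substring match with a stricter whole-token rule and show where static false positives come from, which is the load-bearing premise identified further down the page.

```python
import re

# Added example, not the paper's pipeline. Indicator keywords per covert channel.
# The Tor and VPN rows are taken from the paper's Table 4 as captured on this page
# (the VPN row is truncated there); the proxy row is an assumption for illustration.
TABLE4_KEYWORDS = {
    "tor": ["dark web", "*.onion", "tor", "torrc", "orbot", "onion", "hidden service",
            "tor.apk", "tor2web", "ahmia", "socks proxy", "tor browser", "orxify",
            "torservices", "onion service", "orchid", "onionkit"],
    "vpn": ["virtual private network", "vpn", "nord", "express", "proton", "proxy",
            "outline", "zerotier", "openvpn", "rav vpn", "psiphon", "v2ray", "nymvpn"],
    "proxy": ["socks5", "http proxy", "proxy_host", "proxyport"],  # assumed row
}

# Indicators that point at an embedded library or config artefact rather than a
# marketing word. This split is an assumption made for the example.
STRUCTURAL = {
    "tor": {"torrc", "orbot", "tor.apk", "torservices", "onionkit", "*.onion"},
    "vpn": {"openvpn", "psiphon", "v2ray", "zerotier", "nymvpn"},
    "proxy": {"proxy_host", "proxyport", "socks5"},
}


def naive_scan(strings, keywords=TABLE4_KEYWORDS):
    """Flag a channel when any keyword is a case-insensitive substring of the dump.
    Over-fires: 'tor' sits inside 'history', 'express' inside 'expressCheckout'."""
    blob = "\n".join(strings).lower()
    return {ch for ch, kws in keywords.items() if any(k in blob for k in kws)}


def _pattern(keyword):
    """Whole-token regex; the glob '*.onion' becomes 'any host label ending in .onion'."""
    if keyword.startswith("*"):
        return re.compile(r"[a-z0-9\-]+" + re.escape(keyword[1:]) + r"(?![a-z0-9])", re.I)
    return re.compile(r"(?<![a-z0-9])" + re.escape(keyword) + r"(?![a-z0-9])", re.I)


def strict_scan(strings, keywords=TABLE4_KEYWORDS, structural=STRUCTURAL, min_indicators=2):
    """Flag a channel only when at least `min_indicators` distinct keywords match as
    whole tokens and at least one of them is a structural (library/config) indicator."""
    flagged = {}
    for ch, kws in keywords.items():
        hits = {k for k in kws if any(_pattern(k).search(s) for s in strings)}
        if len(hits) >= min_indicators and hits & structural[ch]:
            flagged[ch] = sorted(hits)
    return flagged


# Constructed string dumps (what `strings` over classes.dex and assets might yield);
# these are not real samples and the .onion host is a placeholder.
SAMPLE_DUMPS = {
    "orbot_embedding_bot": [
        "org.torproject.android.service.TorService",
        "assets/torrc",
        "Orbot",
        "http://exampleonionaddress.onion/gate.php",
        "SOCKSPort 9050",
    ],
    "benign_shop_app": [
        "com.shop.ui.HistoryFragment",   # 'tor' hides inside 'History'
        "expressCheckout",               # 'express' is a VPN-brand keyword in Table 4
        "Nordic Pine Desk",              # 'nord' likewise
        "operator",
        "ProxyActivity",                 # 'proxy' appears in the VPN row too
    ],
    "vpn_wrapped_stealer": [
        "de.blinkt.openvpn.core.OpenVPNService",
        "assets/client.ovpn",
        "VPN connected",
        "psiphon",
    ],
}


def compare(dumps=SAMPLE_DUMPS):
    """For each dump return (channels flagged by the naive rule, by the strict rule)."""
    return {name: (naive_scan(s), set(strict_scan(s))) for name, s in dumps.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:22s} naive={sorted(naive)} strict={sorted(strict)}")
```

The benign app is flagged for both Tor and VPN by the substring rule and for nothing by the token-plus-structure rule, while the two covert samples are flagged either way. Whatever the paper's actual rules look like, a precision estimate on a labelled sample is what separates these two outcomes, and the page gives none.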

If this is right

  • Covert channel adoption has increased exponentially across the 16-year span.
  • Hundreds of malware families now rely on these channels to reach command servers.
  • Some families combine more than one covert channel in a single sample.
  • Other families switch between channels on a periodic schedule.
  • Dynamic analysis traced thousands of contacted IP addresses across dozens of countries.
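How a per-IP "explicit validation" step can work, as an added example (editorial code, not the paper's): flows captured during a sandboxed run are labelled either by matching the destination against a Tor relay consensus snapshot, the standard way to confirm a Tor connection, or by a protocol fingerprint on the first client bytes (the SOCKS5 greeting of RFC 1928, the OpenVPN hard-reset opcode, an HTTP CONNECT request). Everything else stays "contacted but unvalidated", which is the distinction behind the paper's 59 validated out of 19,308 contacted IPs. The relay set, the provider address range and the flow records are constructed; the 14-byte OpenVPN minimum and the provider-range heuristic are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Tor consensus snapshot: (relay IP, ORPort) pairs as one would extract
# from a consensus document. Not real relays.
TOR_RELAYS = {("198.51.100.7", 9001), ("198.51.100.8", 443), ("203.0.113.44", 9001)}

# Constructed placeholder for address space attributed to a VPN provider (in practice
# from WHOIS/ASN data). A hit here is a hint, not a validation.
VPN_PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str           # "tcp" or "udp"
    first_bytes: bytes   # first client-to-server payload bytes


def classify_flow(flow):
    """Return (label, validated). validated=True only when an infrastructure match
    or a protocol fingerprint confirms the channel."""
    b = flow.first_bytes
    # Tor: destination matches a relay's IP:ORPort in the consensus snapshot.
    if (flow.dst_ip, flow.dst_port) in TOR_RELAYS:
        return "tor-relay", True
    # SOCKS5 client greeting (RFC 1928): VER=0x05, NMETHODS, then NMETHODS method bytes.
    if flow.proto == "tcp" and len(b) >= 3 and b[0] == 0x05 and 1 <= b[1] <= len(b) - 2:
        return "socks5-proxy", True
    # OpenVPN over UDP: the first client packet is P_CONTROL_HARD_RESET_CLIENT_V2
    # (opcode 7) with key_id 0, so byte 0 is (7 << 3) | 0 == 0x38. The 14-byte floor
    # (opcode, 8-byte session id, ack-array length, packet id, no tls-auth) is an
    # assumption that keeps short UDP payloads such as DNS from matching by chance.
    if flow.proto == "udp" and len(b) >= 14 and (b[0] >> 3) == 7:
        return "openvpn", True
    # Forward-proxy tunnelling: an HTTP CONNECT request line.
    if flow.proto == "tcp" and b.startswith(b"CONNECT "):
        return "http-connect-proxy", True
    if any(ipaddress.ip_address(flow.dst_ip) in net for net in VPN_PROVIDER_NETS):
        return "vpn-provider-range", False
    return "unvalidated", False


def summarize(flows):
    """Collapse flows to unique destination IPs; an IP counts as validated if any
    flow to it was validated."""
    per_ip = {}
    for f in flows:
        label, ok = classify_flow(f)
        if f.dst_ip not in per_ip or (ok and not per_ip[f.dst_ip][1]):
            per_ip[f.dst_ip] = (label, ok)
    validated = sum(ok for _, ok in per_ip.values())
    return {"unique_ips": len(per_ip), "validated_ips": validated, "per_ip": per_ip}


SAMPLE_FLOWS = [  # constructed capture from one sandboxed run
    Flow("198.51.100.7", 9001, "tcp", bytes.fromhex("160301")),              # TLS to a listed OR port
    Flow("203.0.113.9", 1080, "tcp", b"\x05\x01\x00"),                       # SOCKS5 greeting, no-auth
    Flow("192.0.2.15", 1194, "udp", bytes([0x38]) + bytes(13)),              # OpenVPN hard reset
    Flow("192.0.2.99", 443, "tcp", bytes.fromhex("160303")),                 # TLS into provider range: hint only
    Flow("203.0.113.120", 8080, "tcp", b"CONNECT c2.example:443 HTTP/1.1\r\n"),
    Flow("203.0.113.200", 443, "tcp", bytes.fromhex("160303")),              # TLS to an unknown host
]

if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS)
    for ip, (label, ok) in s["per_ip"].items():
        print(f"{ip:15s} {label:20s} validated={ok}")
    print(f"{s['validated_ips']} of {s['unique_ips']} unique IPs explicitly validated")
```

Four of the six destinations are confirmed; the other two are exactly the kind of TLS-wrapped or obfuscated endpoints (Tor pluggable transports, V2Ray, VPN over TLS) that a fingerprint misses, which is why a large gap between contacted and validated IPs is expected and not by itself a sign of error.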

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Detection tools that ignore indirect routing will miss a rising fraction of current malware.
  • The pattern of periodic switching suggests malware authors are already adapting to specific detection signatures.
  • The same analysis approach could be applied to iOS or Windows malware to test whether the trend is platform-specific.

Load-bearing premise

The static validation rules accurately identify covert channel usage with low false positives across the full 3.5 million app corpus.

What would settle it

Manual inspection of several hundred randomly selected apps from the 288,000 flagged set that finds most do not actually route traffic through proxies, VPNs, or Tor.

Figures

Figures reproduced from arXiv: 2606.13107 by Manan Aggarwal, Manan Chugh, Mann Nariya, Sambuddho Chakravarty, Yogesh Kaushik, Zeya Umayya.

Figure 1: Complete work pipeline. (1) Formation of static validation rules that can be applied to APKs using static analysis. (2) Application of each channel's (Tor/VPN/Proxy/TorPT/I2P) rules to APKs from 2009 to 2025. (3) Static and dynamic analysis on the dataset. (4) Analysis and presentation of the measurement results.
Figure 2: Logcat output in each covert APK.
Figure 4: Yearwise cumulative count of statically validated …
Figure 5: Distribution of APKs across individual CCs and …
Figure 6: Yearwise count of malware APKs in each covert channel.
Figure 7: Top-25 malware families in our final dataset.
Figure 8: Malware families using multiple CCs. (Adjacent text: "Similarly, smsreg family uses I2P, VPNs and proxies as CCs.")
Figure 9: VT-scores and count of APKs for years 2020–25. Heatmap for all years is shown in Section A.5.
Figure 10: Evolution in the usage of CC by malware APKs from 2020 to 2025. It includes all APKs present at least …
Figure 11: Evolution in the usage of 13 CC families present in all years from 2019 to 2024.
Figure 12: Dynamic analysis results with respect to validated CC connections.
Figure 13: Source code and corresponding logcat output. (Adjacent text on library matching: library extraction succeeded in only half the cases (3863), each bearing a CC library. Testing these 3863 libraries on 6985 APKs, only 39 appeared in 5482 APKs, alongside one highly suspicious library matching almost every APK (5106). The authors read this as showing the difficulty of handling obfuscated APKs and the need for efforts to understand packing/obfuscation …)
Figure 14: VT-scores and yearwise count of APKs. (Adjacent Table 4, list of keywords for each covert channel. Tor: dark web, *.onion, tor, torrc, orbot, onion, hidden service, tor.apk, tor2web, Ahmia, socks proxy, Tor browser, orxify, TorServices, onion service, Orchid, OnionKit. VPN: virtual private network, vpn, nord, express, proton, proxy, outline, zerotier, openvpn, rav vpn, psiphon, v2ray, nymVPN, …)
Figure 15: Heatmap of malware families using several …
Figure 16: Strings/regex to search for in packets. (Adjacent list of VPN apps, items 9–16 as captured, with Play Store install counts; RMP = removed from Play Store: com.fast.free.unblock.secure.vpn (RMP); free.vpn.unblock.proxy.turbovpn (100M+); com.jrzheng.supervpnfree (RMP); com.cloudflare.onedotonedotonedotone (RMP); com.fast.free.unblock.thunder.vpn (RMP); free.vpn.unblock.proxy.turbovpn.lite (50M+); octohide.vpn (10M+); com.expressvpn.vpn (10M+).)
Figure 18: Presence of CC services running on (unknown …
Figure 19: Yearwise percentage of statically validated …
Figure 21: Top 10 permissions used by malware APKs.
Figure 22: Malware IP connections across the globe.
Figure 23: Frequency of VPN (only top-20) and proxy …
Original abstract

Proxies, VPNs and Tor have long helped the privacy community and users in censored regions to fight censorship. However, the same tools can be maliciously exploited by malware and botnets to conceal their communication to external command and control servers. Despite being a critical concern fueled by the proliferation of malware based attacks, no longitudinal studies have analyzed how malware applications use covert channels (CC) to evade detection. We fill this gap by performing the first study of the usage of covert channels in the Android malware ecosystem. To that end, we develop a multistage pipeline that combines static and dynamic analysis to investigate both system and network-level features. We applied this pipeline on a corpus of 3.5M Android malware spanning 2009 to July 2025. Our carefully crafted static validation rules uncovered 288K APKs that used CCs spanning 511 malware families and CC usage growing exponentially from 0.30% (2012) to 50% (2025). Overall, in dynamic analysis, we identified 19,308 unique IP addresses being contacted in 85 countries, out of which we were able to explicitly validate the presence of CCs for 59 IP addresses across 17 countries. Further, we performed a longitudinal dataset study spanning over 16 years for CC based malware and found that CC usage has evolved, e.g., some malware adopted more than one CC; others switched between them periodically (one family switched CC usage 40 times from 2019 to 2025).

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper presents the first longitudinal study of covert channel (CC) usage (proxies, VPNs, Tor) by Android malware for C2 evasion. It describes a multistage static+dynamic analysis pipeline applied to a 3.5M-APK corpus (2009–July 2025) that identifies 288K APKs across 511 families using CCs, with reported exponential growth from 0.30% (2012) to 50% (2025). Dynamic analysis flags 19,308 unique IPs (85 countries), with explicit CC validation for only 59 IPs (17 countries); additional observations include multi-CC adoption and periodic switching within families.

Significance. If the pipeline's static rules prove reliable, the work supplies the first large-scale empirical baseline on CC adoption trends in Android malware, which could guide detection research and policy. The 16-year span and family-level granularity are strengths; however, the absence of any reported precision/recall or false-positive statistics on the static rules means the headline counts and growth curve currently rest on an unverified assumption.

major comments (3)
  1. [Abstract] Abstract: the headline counts (288K APKs, 511 families, 0.30%–50% growth) are produced solely by the 'carefully crafted static validation rules.' No precision, recall, false-positive rate, derivation method, or manual-audit results on any labeled validation set are supplied, rendering the central empirical claims dependent on an untested assumption.
  2. [Abstract / Dynamic Analysis] Dynamic analysis paragraph: only 59 of the 19,308 contacted IPs receive explicit dynamic validation for CC presence. The manuscript must clarify the classification status of the remaining IPs and quantify how static-rule errors would propagate into the reported temporal trend.
  3. [Abstract / Methods] Corpus description: the 3.5M-APK dataset construction (sources, sampling strategy, deduplication, potential selection bias) is not described. Without these details it is impossible to assess whether the observed exponential growth could be an artifact of changing corpus composition over time.
minor comments (2)
  1. [Abstract] The abstract states 'CC usage growing exponentially' but supplies no statistical test or model supporting the functional form; a simple plot or regression would strengthen the claim.
  2. [Abstract] Clarify the exact definition of 'CC' used by the static rules (e.g., which proxy/VPN/Tor libraries or traffic patterns are matched) to allow reproducibility.
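Two calculations that bear on major comments 1 and 2 and on the page's "What would settle it" test, as an added example (editorial code, not the authors'): a Wilson interval for the precision a manual audit of a few hundred flagged APKs would yield, the sample size such an audit needs, and the Rogan-Gladen correction showing how a static-rule false-positive rate propagates into the 0.30% to 50% growth curve. The 2012 and 2025 prevalences are from the abstract; the intermediate years, the audit outcome and the error rates are constructed for illustration.

```python
import math


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a proportion: the precision one would report after
    manually inspecting n randomly chosen flagged APKs and confirming `successes`."""
    if n == 0:
        raise ValueError("empty sample")
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def audit_sample_size(expected_precision, half_width, z=1.96):
    """Sample size for a +/- half_width confidence interval around the expected
    precision (normal approximation). 'Several hundred' apps is what +/-2.5 points costs."""
    p = expected_precision
    return math.ceil(z * z * p * (1 - p) / (half_width * half_width))


def corrected_prevalence(observed, fpr, tpr):
    """Rogan-Gladen correction: observed = tpr*true + fpr*(1-true), solved for true and
    clamped to [0,1]. A negative raw value means the observed rate lies within the
    rule's false-positive floor and carries no signal about real usage."""
    if tpr <= fpr:
        raise ValueError("rule must beat chance")
    return min(1.0, max(0.0, (observed - fpr) / (tpr - fpr)))


# 2012 and 2025 are the abstract's figures; the other years are constructed to sketch
# an exponential curve and are NOT the paper's numbers.
OBSERVED_BY_YEAR = {2012: 0.0030, 2016: 0.012, 2020: 0.05, 2023: 0.20, 2025: 0.50}


def corrected_series(observed_by_year, fpr, tpr):
    return {y: corrected_prevalence(o, fpr, tpr) for y, o in observed_by_year.items()}


def growth_factor(series):
    """Ratio of last to first year; None when the first year has collapsed to zero."""
    years = sorted(series)
    first, last = series[years[0]], series[years[-1]]
    return None if first == 0 else last / first


if __name__ == "__main__":
    lo, hi = wilson_interval(285, 300)   # constructed audit: 285 of 300 confirmed
    print(f"audit 285/300 confirmed -> precision 95% CI [{lo:.3f}, {hi:.3f}]")
    print("audit size for +/-2.5 points at 95% precision:", audit_sample_size(0.95, 0.025))
    for fpr in (0.0, 0.001, 0.01):
        s = corrected_series(OBSERVED_BY_YEAR, fpr=fpr, tpr=0.95)
        print(f"fpr={fpr:.3f}: 2012={s[2012]:.4f} 2025={s[2025]:.3f} growth={growth_factor(s)}")
```

The asymmetry is the point: a missed-detection rate (TPR below 1) scales every year by the same factor and leaves the growth ratio untouched, whereas a false-positive rate of even 1% sits above the 0.30% starting point and erases it, while moving the 2025 value by about a point. The headline "exponential growth from 0.30%" therefore depends almost entirely on rule precision at the low end of the curve, which is exactly the figure the manuscript does not report.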

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their constructive and detailed review. We address each major comment below and will revise the manuscript to incorporate the requested clarifications and additional information.

Point-by-point responses
  1. Referee: [Abstract] Abstract: the headline counts (288K APKs, 511 families, 0.30%–50% growth) are produced solely by the 'carefully crafted static validation rules.' No precision, recall, false-positive rate, derivation method, or manual-audit results on any labeled validation set are supplied, rendering the central empirical claims dependent on an untested assumption.

    Authors: We agree that the abstract does not report precision, recall, or false-positive statistics for the static rules, nor does it detail their derivation or any manual audit. The Methods section describes the rules as derived from known CC library patterns and decompiled samples, but we did not include quantitative validation metrics. We will revise the abstract to reference the rule derivation process and add a new subsection in Methods with the full derivation method and results of our manual audit on a sample of flagged APKs. revision: yes

  2. Referee: [Abstract / Dynamic Analysis] Dynamic analysis paragraph: only 59 of the 19,308 contacted IPs receive explicit dynamic validation for CC presence. The manuscript must clarify the classification status of the remaining IPs and quantify how static-rule errors would propagate into the reported temporal trend.

    Authors: We agree clarification is required. The 19,308 IPs were obtained by executing APKs already flagged by the static rules; only 59 received explicit per-IP CC confirmation via traffic inspection. The remainder are potential CC endpoints identified dynamically but without individual validation. We will update the text to state this distinction explicitly and add a sensitivity discussion quantifying how plausible static-rule error rates would affect the reported growth trend. revision: yes

  3. Referee: [Abstract / Methods] Corpus description: the 3.5M-APK dataset construction (sources, sampling strategy, deduplication, potential selection bias) is not described. Without these details it is impossible to assess whether the observed exponential growth could be an artifact of changing corpus composition over time.

    Authors: The referee is correct that the abstract (and current Methods) does not describe corpus sources, sampling, deduplication, or bias analysis. We will add a dedicated subsection (3.1) detailing the sources (AndroZoo, VirusShare, Contagio), collection criteria, SHA-256 deduplication, family labeling, and a discussion of temporal sampling and potential selection biases, including why the observed trend is unlikely to be explained solely by corpus changes. revision: yes

Circularity Check

0 steps flagged

No circularity in empirical measurement study

full rationale

This is a pure empirical measurement paper that applies a multistage static/dynamic analysis pipeline to a fixed corpus of 3.5M APKs and reports direct counts and trends (288K APKs, 511 families, 0.3% to 50% growth). No equations, fitted parameters, predictions, or derivations appear in the provided text. The reported quantities are outputs of the analysis rules applied to the dataset rather than quantities that reduce to those rules by construction. No self-citation load-bearing steps, uniqueness theorems, or ansatzes are invoked. The absence of reported precision/recall on the rules is a validation concern, not a circularity issue under the defined patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central measurements rest on the assumption that the collected 3.5M APK corpus is representative and that the static validation rules have acceptable accuracy; no free parameters or invented entities are introduced.

axioms (2)
  • domain assumption The 3.5M Android malware corpus spanning 2009-2025 is comprehensive and unbiased for the ecosystem.
    Invoked when reporting percentages and growth trends across the full dataset.
  • domain assumption Static validation rules accurately detect covert channels without substantial false positives.
    Basis for identifying the 288K APKs and 511 families.

pith-pipeline@v0.9.1-grok · 5841 in / 1241 out tokens · 18966 ms · 2026-06-27T06:20:37.703509+00:00 · methodology


Reference graph

Works this paper leans on

161 extracted references · 4 canonical work pages · 1 internal anchor

  1. [1]

    Tor: The Second-Generation Onion Router

    R. Dingledine, N. Mathewson, P. F. Syversonet al., “Tor: The Second-Generation Onion Router.” inProceedings of the 13th USENIX Security Symposium, vol. 4, 2004, pp. 303–320

  2. [2]

    Ptperf: On the performance evaluation of tor pluggable transports,

    Z. Umayya, D. Malik, D. Gosain, and P. Kumar Sharma, “Ptperf: On the performance evaluation of tor pluggable transports,” in Proceedings of the ACM Internet Measurement Conference (IMC), 2023, pp. 501–525

  3. [3]

    The invisible internet project,

    I2P, “The invisible internet project,” https://geti2p.net/en/, 2025

  4. [4]

    What is vpn? how it works, types of vpn,

    Kaspersky, “What is vpn? how it works, types of vpn,” https: //www.kaspersky.com/resource-center/definitions/what-is-a-vpn, 2025

  5. [5]

    Domain fronting – a new technique for hiding malware command and control (c2) traffic within a content delivery net- work,

    Balaji, “Domain fronting – a new technique for hiding malware command and control (c2) traffic within a content delivery net- work,” https://gbhackers.com/domain-fronting-a-new-technique -for-hiding-malware-command-and-control-c2-traffic-within-a-c ontent-delivery-network/, 2018

  6. [6]

    New mirai botnet hides c2 server in the tor network to prevent takedowns,

    B. P. Paganini, “New mirai botnet hides c2 server in the tor network to prevent takedowns,” https://securityaffairs.com/89 237/malware/mirai-botnet-tor-c2.html, 2019

  7. [7]

    Not with a bang but a whisper: The shift to stealthy c2,

    N. Warfield, “Not with a bang but a whisper: The shift to stealthy c2,” https://threatpost.com/tactics-attackers-stealthy-c2/176853/, 2021

  8. [8]

    Thousands of hackers flock to ’dark utilities’ c2-as- a-service,

    B. Toulas, “Thousands of hackers flock to ’dark utilities’ c2-as- a-service,” https://www.bleepingcomputer.com/news/security/tho usands-of-hackers-flock-to-dark-utilities-c2-as-a-service/, 2022

  9. [9]

    Attackers leveraging dark utilities

    C. Talos, “Attackers leveraging dark utilities ”c2aas” platform in malware campaigns,” https://blog.talosintelligence.com/dark-utili ties/, 2022

  10. [10]

    Android devices caught in matryosh botnet,

    B. P. Arntz, “Android devices caught in matryosh botnet,” https: //www.malwarebytes.com/blog/news/2021/02/android-devices-c aught-in-matryosh-botnet, 2021

  11. [11]

    Socks5systemz proxy service infects 10,000 sys- tems worldwide,

    B. B. Toulas, “Socks5systemz proxy service infects 10,000 sys- tems worldwide,” https://www.bleepingcomputer.com/news/secu rity/socks5systemz-proxy-service-infects-10-000-systems-world wide/, 2023

  12. [12]

    The leethozer botnet,

    B. Alex.Turing and H. Wang, “The leethozer botnet,” https://blog .netlab.360.com/the-leethozer-botnet-en/, 2020

  13. [13]

    Walking through walls: Four common endpoint tools used to facilitate covert c2,

    B. E. Smith and the Falcon OverWatch Elite Team, “Walking through walls: Four common endpoint tools used to facilitate covert c2,” https://www.crowdstrike.com/en-us/blog/4-com mon-endpoint-tools-used-to-facilitate-covert-c2/, 2023

  14. [14]

    Systembc malware’s c2 server analysis ex- poses payload delivery tricks,

    B. R. Lakshmanan, “Systembc malware’s c2 server analysis ex- poses payload delivery tricks,” https://thehackernews.com/2024/0 1/systembc-malwares-c2-server-analysis.html, 2024

  15. [15]

    New threat: Matryosh botnet is spreading,

    l. By Alex.Turing, Hui Wang, “New threat: Matryosh botnet is spreading,” https://blog.netlab.360.com/matryosh-botnet-is-sprea ding-en/, 2021

  16. [16]

    Blackhat,

    Blackhat, “Blackhat,” https://blackhat.com/us-23/briefings/sched ule/?, 2023

  17. [17]

    Defcon, “Defcon,” https://infocondb.org/con/def-con/def-con-31/, 2023

  18. [18]

    Virustotal api v3 overview,

    VirusTotal, “Virustotal api v3 overview,” https://docs.virustotal. com/reference/overview, 2025

  19. [19]

    Drebin: Effective and explainable detection of android malware in your pocket

    D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, K. Rieck, and C. Siemens, “Drebin: Effective and explainable detection of android malware in your pocket.” inProceedings of the Network and Distributed System Security Symposium (NDSS), vol. 14, 2014, pp. 23–26

  20. [20]

    Deeprefiner: Multi- layer android malware detection system applying deep neural networks,

    K. Xu, Y . Li, R. H. Deng, and K. Chen, “Deeprefiner: Multi- layer android malware detection system applying deep neural networks,” in2018 Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2018, pp. 473–487

  21. [21]

    Malscan: Fast market-wide mobile malware scanning by social-network centrality analysis,

    Y . Wu, X. Li, D. Zou, W. Yang, X. Zhang, and H. Jin, “Malscan: Fast market-wide mobile malware scanning by social-network centrality analysis,” inProceedings of the IEEE/ACM Interna- tional Conference on Automated Software Engineering (ASE). IEEE, 2019, pp. 139–150

  22. [22]

    Exposing the rat in the tunnel: Using traffic analysis for tor-based malware detection,

    P. Dodia, M. AlSabah, O. Alrawi, and T. Wang, “Exposing the rat in the tunnel: Using traffic analysis for tor-based malware detection,” inProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2022, pp. 875–889

  23. [23]

    Avclass2: Massive malware tag extraction from av labels,

    S. Sebasti ´an and J. Caballero, “Avclass2: Massive malware tag extraction from av labels,” inProceedings of the 36th Annual Computer Security Applications Conference (ACSAC), 2020, pp. 42–53

  24. [24]

    Androzoo: A retrospective with a glimpse into the future,

    M. Alecci, P. J. R. Jim ´enez, K. Allix, T. F. Bissyand ´e, and J. Klein, “Androzoo: A retrospective with a glimpse into the future,” inProceedings of the 21st International Conference on Mining Software Repositories (MSR), 2024, pp. 389–393

  25. [25]

    Lib- Scan: Towards more precise third-party library identification,

    Y . Wu, C. Sun, D. Zeng, G. Tan, S. Ma, and P. Wang, “Lib- Scan: Towards more precise third-party library identification,” in Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 3385–3402

  26. [26]

    Research on third-party libraries in android apps: A taxonomy and systematic literature review,

    X. Zhan, T. Liu, L. Fan, L. Li, S. Chen, X. Luo, and Y . Liu, “Research on third-party libraries in android apps: A taxonomy and systematic literature review,”IEEE Transactions on Software Engineering, vol. 48, no. 10, pp. 4181–4213, 2021

  27. [27]

    An empirical study of potentially malicious third-party libraries in android apps,

    Z. Zhang, W. Diao, C. Hu, S. Guo, C. Zuo, and L. Li, “An empirical study of potentially malicious third-party libraries in android apps,” inProceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2020, pp. 144–154

  28. [28]

    Shining a light on dark places: A comprehensive analysis of open proxy ecosystem,

    R. Bian, S. Hao, H. Wang, and C. Cotton, “Shining a light on dark places: A comprehensive analysis of open proxy ecosystem,” Computer Networks, vol. 208, p. 108893, 2022

  29. [29]

    Free proxies unmasked: A vulnerability and longitudinal analysis of free proxy services,

    N. Mehanna, W. Rudametkin, P. Laperdrix, and A. Vastel, “Free proxies unmasked: A vulnerability and longitudinal analysis of free proxy services,”arXiv preprint arXiv:2403.02445, 2024

  30. [30]

    Resident evil: Understanding residential ip proxy as a dark service,

    X. Mi, X. Feng, X. Liao, B. Liu, X. Wang, F. Qian, Z. Li, S. Alrwais, L. Sun, and Y . Liu, “Resident evil: Understanding residential ip proxy as a dark service,” in2019 IEEE Symposium on Security and Privacy (S&P). IEEE, 2019, pp. 1185–1201

  31. [31]

    Your phone is my proxy: Detecting and understanding mobile proxy networks,

    X. Mi, S. Tang, Z. Li, X. Liao, F. Qian, and X. Wang, “Your phone is my proxy: Detecting and understanding mobile proxy networks,” inProceeding of ISOC Network and Distributed Sys- tem Security Symposium (NDSS), 2021

  32. [32]

    Things you may not know about android (un) packers: a systematic study based on whole-system emulation,

    Y . Duan, M. Zhang, A. V . BHASKAR, H. Yin, X. Pan, T. Li, X. Wang, and X. Wang, “Things you may not know about android (un) packers: a systematic study based on whole-system emulation,” inProceedings of the Network and Distributed System Security Symposium (NDSS), 2018

  33. [33]

    An overview of techniques for obfuscated android malware detection,

    S. Siddiqui and T. A. Khan, “An overview of techniques for obfuscated android malware detection,”SN Computer Science, vol. 5, no. 4, p. 328, 2024

  34. [34]

    Accurate and efficient code matching across android application versions against obfuscation,

    R. Feng, Z. Zhang, Y . Zhou, Z. Yan, and Y . Zhang, “Accurate and efficient code matching across android application versions against obfuscation,” inProceedings of the 2024 IEEE Interna- tional Conference on Software Analysis, Evolution and Reengi- neering (SANER). IEEE, 2024, pp. 204–215

  35. [35]

    Unmasking the veiled: A comprehensive analysis of android evasive malware,

    A. Ruggia, D. Nisi, S. Dambra, A. Merlo, D. Balzarotti, and S. Aonzo, “Unmasking the veiled: A comprehensive analysis of android evasive malware,” inProceedings of the 19th ACM Asia Conference on Computer and Communications Security (CCS), 2024, pp. 383–398

  36. [36]

    Mbc-breakdown,

    MBC, “Mbc-breakdown,” https://github.com/MBCProject/mbc-m arkdown/tree/main/anti-behavioral-analysis, 2025

  37. [37]

    Char- acterizing the vpn ecosystem in the wild,

    A. Maghsoudlou, L. Vermeulen, I. Poese, and O. Gasser, “Char- acterizing the vpn ecosystem in the wild,” inInternational Con- ference on Passive and Active Network Measurement (PAM). Springer, 2023, pp. 18–45

  38. [38]

    ndpi: Open-source high-speed deep packet inspection,

    L. Deri, M. Martinelli, T. Bujlow, and A. Cardigliano, “ndpi: Open-source high-speed deep packet inspection,” in2014 Inter- national Wireless Communications and Mobile Computing Con- ference (IWCMC). IEEE, 2014, pp. 617–622

  39. [39]

    Androzoo,

    AndroZoo, “Androzoo,” https://androzoo.uni.lu/, 2016

  40. [40]

    An explainable convolutional neural network for dynamic android malware de- tection

    F. Mercaldo, F. Martinelli, A. Santoneet al., “An explainable convolutional neural network for dynamic android malware de- tection.” inProceedings of the The International Conference on Information Systems Security and Privacy (ICISSP), 2023, pp. 305–312

  41. [41]

    Invisible ink codebase,

    Z. Umayya, “Invisible ink codebase,” https://github.com/zeya2u9 /The-Invisible-Ink, 2026

  42. [42]

    Directory authorities,

    Tor, “Directory authorities,” https://community.torproject.org/rel ay/governance/policies-and-proposals/directory-authority/, 2025

  43. [43]

    Sok: Making sense of censorship resistance systems,

    S. Khattak, T. Elahi, L. Simon, C. M. Swanson, S. J. Murdoch, and I. Goldberg, “Sok: Making sense of censorship resistance systems,”Proceedings on Privacy Enhancing Technologies, vol. 2016, no. 4, pp. 37–61, October 2016

  44. [44]

    Scott, P

    C. Scott, P. Wolfe, and M. Erwin,Virtual private networks. ” O’Reilly Media, Inc.”, 1999

  45. [45]

    What is openvpn?

    OpenVPN, “What is openvpn?” https://openvpn.net/faq/what-i s-openvpn/, 2025

  46. [46]

    Wireguard: Next generation kernel network tunnel

    J. A. Donenfeld, “Wireguard: Next generation kernel network tunnel.” inNetwork and Distributed Systems Security Symposium, 2017, pp. 1–12

  47. [47]

    Vpn vs. proxy server: What’s the difference, and which should you be using?

    B. K. S. Blogs, “Vpn vs. proxy server: What’s the difference, and which should you be using?” https://www.kaspersky.com/resour ce-center/preemptive-safety/vpn-vs-proxy-server, 2025

  48. [48]

    Garlic routing,

    I2P, “Garlic routing,” https://geti2p.net/en/docs/how/garlic-routi ng, 2025

  49. [49]

    i2p.android.base,

    ——, “i2p.android.base,” https://github.com/i2p/i2p.android.bas e/tags?after=android-0.9.12-0 b1-API8, 2025

  50. [50]

    Snowflake,

    D. Fifield, “Snowflake,” https://github.com/keroserene/snowflake, 2025

  51. [51]

    N. F. Arlo Breault, Chang Lan, “Meek,” https://github.com/arlol ra/meek, 2014

  52. [52]

    Puzzling gwmndy botnet focuses on low-volume proxy connections,

    B. T. Seals, “Puzzling gwmndy botnet focuses on low-volume proxy connections,” https://threatpost.com/gwmndy-botnet-proxy -connections/146963/, 2019

  53. [53]

    New hiatusrat router malware covertly spies on victims,

    B. B. L. Labs, “New hiatusrat router malware covertly spies on victims,” https://blog.lumen.com/new-hiatusrat-router-malware-c overtly-spies-on-victims/, 2023

  54. [54]

    Apkid: Fast identification of mobile rasp sdks,

    B. USA, “Apkid: Fast identification of mobile rasp sdks,” https: //www.blackhat.com/us-23/arsenal/schedule/#apkid-fast-identific ation-of-mobile-rasp-sdks-32577, 2023

  55. [55]

    VirusTotal, “Vtdoc,” https://docs.virustotal.com/docs/how-it-wor ks, 2025

  56. [56]

    Mate! are you really aware? an explainability-guided testing framework for robustness of mal- ware detectors,

    R. Sun, M. Xue, G. Tyson, T. Dong, S. Li, S. Wang, H. Zhu, S. Camtepe, and S. Nepal, “Mate! are you really aware? an explainability-guided testing framework for robustness of mal- ware detectors,” inProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foun- dations of Software Engineering, 2023, pp. 1573–1585

  57. [57]

    Understanding the proxy ecosystem: A comparative analysis of residential and open proxies on the internet,

    J. Choi, M. Abuhamad, A. Abusnaina, A. Anwar, S. Alshamrani, J. Park, D. Nyang, and D. Mohaisen, “Understanding the proxy ecosystem: A comparative analysis of residential and open proxies on the internet,”IEEE Access, vol. 8, pp. 111 368–111 380, 2020

  58. [58]

    Does every second count? time-based evolution of malware behavior in sandboxes,

    A. K ¨uchler, A. Mantovani, Y . Han, L. Bilge, and D. Balzarotti, “Does every second count? time-based evolution of malware behavior in sandboxes,” inNDSS 2021, Network and Distributed Systems Security Symposium. Internet Society, 2021

  59. [59]

    Comex: Deeply observing application behavior on real android devices,

    Z. Umayya, D. Malik, A. Nandi, A. Kumar, S. Karapoola, and S. Chakravarty, “Comex: Deeply observing application behavior on real android devices,” inProceedings of the 17th Cyber Secu- rity Experimentation and Test Workshop, 2024, pp. 100–109

  60. [60]

    Public tor-consensus,

    Tor, “Public tor-consensus,” https://collector.torproject.org/archi ve/relay-descriptors/consensuses/, 2026

  61. [61]

    Stem Library ,

    D. Johnson, “Stem Library ,” https://stem.torproject.org/, 2025

  62. [62]

    Tor on mobile,

    G. Project, “Tor on mobile,” https://gitlab.com/guardianproject/t ormobile, 2025

  63. [63]

    An empirical study of the I2P anonymity network and its censorship resistance,

    N. P. Hoang, P. Kintis, M. Antonakakis, and M. Polychronakis, “An empirical study of the I2P anonymity network and its censorship resistance,” in Proceedings of the Internet Measurement Conference 2018, 2018, pp. 379–392

  64. [64]

    I2P metrics,

    I2P, “I2P metrics,” https://i2p-metrics.np-tokumei.net/overview, 2025

  65. [65]

    Towards more realistic evaluations: The impact of label delays in malware detection pipelines,

    M. Botacin and H. Gomes, “Towards more realistic evaluations: The impact of label delays in malware detection pipelines,” vol.

  66. [66]

    Elsevier, 2025, p. 104122

  67. [67]

    Measuring and modeling the label dynamics of online anti-malware engines,

    S. Zhu, J. Shi, L. Yang, B. Qin, Z. Zhang, L. Song, and G. Wang, “Measuring and modeling the label dynamics of online anti-malware engines,” in Proceedings of the 29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 2361–2378

  68. [68]

    Re-measuring the label dynamics of online anti-malware engines from millions of samples,

    J. Wang, L. Wang, F. Dong, and H. Wang, “Re-measuring the label dynamics of online anti-malware engines from millions of samples,” in Proceedings of the 2023 ACM on Internet Measurement Conference, 2023, pp. 253–267

  69. [69]

    IP geolocation and intelligence databases and web services,

    MaxMind, “IP geolocation and intelligence databases and web services,” https://www.maxmind.com/en/solutions/ip-geolocation-databases-api-services, 2025

  70. [70]

    A look at router geolocation in public and commercial databases,

    M. Gharaibeh, A. Shah, B. Huffaker, H. Zhang, R. Ensafi, and C. Papadopoulos, “A look at router geolocation in public and commercial databases,” in Proceedings of the 2017 Internet Measurement Conference, 2017, pp. 463–469

  71. [71]

    Tor consensus,

    Tor Project, “Tor consensus,” https://collector.torproject.org/archive/relay-descriptors/consensuses/consensuses-2024-12.tar.xz, 2026

  72. [72]

    C2Miner: Tricking IoT malware into revealing live command & control servers,

    A. Davanian, M. Faloutsos, and M. Lindorfer, “C2Miner: Tricking IoT malware into revealing live command & control servers,” in Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 2024, pp. 112–127

  73. [73]

    Extending C2 traffic detection methodologies: From TLS 1.2 to TLS 1.3-enabled malware,

    D. Barradas, C. Novo, B. Portela, S. Romeiro, and N. Santos, “Extending C2 traffic detection methodologies: From TLS 1.2 to TLS 1.3-enabled malware,” in Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, 2024, pp. 181–196

  74. [74]

    Low-quality training data only? A robust framework for detecting encrypted malicious network traffic,

    Y. Qing, Q. Yin, X. Deng, Y. Chen, Z. Liu, K. Sun, K. Xu, J. Zhang, and Q. Li, “Low-quality training data only? A robust framework for detecting encrypted malicious network traffic,” arXiv preprint arXiv:2309.04798, 2023

  75. [75]

    Tranco: A research-oriented top sites ranking hardened against manipulation,

    V. L. Pochat, T. Van Goethem, S. Tajalizadehkhoob, M. Korczyński, and W. Joosen, “Tranco: A research-oriented top sites ranking hardened against manipulation,” arXiv preprint arXiv:1806.01156, 2018

  76. [76]

    TorBot Stalker: Detecting Tor botnets through intelligent circuit data analysis,

    O. Fajana, G. Owenson, and M. Cocea, “TorBot Stalker: Detecting Tor botnets through intelligent circuit data analysis,” in 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA). IEEE, 2018, pp. 1–8

  77. [77]

    Identification of domain fronting traffic for revealing obfuscated C2 communications,

    Z. Li, M. Wang, X. Wang, J. Shi, K. Zou, and M. Su, “Identification of domain fronting traffic for revealing obfuscated C2 communications,” in 2021 IEEE Sixth International Conference on Data Science in Cyberspace (DSC). IEEE, 2021, pp. 91–98

  78. [78]

    Botnet command and control architectures revisited: Tor hidden services and fluxing,

    M. Anagnostopoulos, G. Kambourakis, P. Drakatos, M. Karavolos, S. Kotsilitis, and D. K. Yau, “Botnet command and control architectures revisited: Tor hidden services and fluxing,” in Web Information Systems Engineering – WISE 2017: 18th International Conference, Puschino, Russia, October 7–11, 2017, Proceedings, Part II. Springer, 2017, pp. 517–527

  79. [79]

    Challenges in protecting Tor hidden services from botnet abuse,

    N. Hopper, “Challenges in protecting Tor hidden services from botnet abuse,” in Financial Cryptography and Data Security: 18th International Conference, FC 2014, Christ Church, Barbados, March 3–7, 2014, Revised Selected Papers. Springer, 2014, pp. 316–325

  80. [80]

    Botnet over Tor: The illusion of hiding,

    M. Casenove and A. Miraglia, “Botnet over Tor: The illusion of hiding,” in 2014 6th International Conference on Cyber Conflict (CyCon 2014). IEEE, 2014, pp. 273–282
