The Invisible Ink of the Android Malware World: A Longitudinal Study on the Usage of Covert Communication Channels
Pith reviewed 2026-06-27 06:20 UTC · model grok-4.3
The pith
Android malware now uses covert channels in half of samples, up from 0.3 percent in 2012.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The authors establish that covert channel usage in Android malware has grown exponentially from 0.30 percent of samples in 2012 to 50 percent in 2025. Their pipeline flagged 288,000 APKs across 511 families and recorded contacts with 19,308 unique IP addresses in 85 countries, with explicit validation for 59 addresses in 17 countries. Longitudinal tracking also showed evolving tactics, including families that adopted multiple channels or switched between them up to 40 times in a six-year span.
What carries the argument
A multistage pipeline that applies static validation rules on system and network features followed by dynamic execution monitoring to detect covert channel usage.
If this is right
- Covert channel adoption has increased exponentially across the 16-year span.
- Hundreds of malware families now rely on these channels to reach command servers.
- Some families combine more than one covert channel in a single sample.
- Other families switch between channels on a periodic schedule.
- Dynamic analysis traced thousands of contacted IP addresses across dozens of countries.
Where Pith is reading between the lines
- Detection tools that ignore indirect routing will miss a rising fraction of current malware.
- The pattern of periodic switching suggests malware authors are already adapting to specific detection signatures.
- The same analysis approach could be applied to iOS or Windows malware to test whether the trend is platform-specific.
Load-bearing premise
The static validation rules accurately identify covert channel usage with low false positives across the full 3.5 million app corpus.
What would settle it
Manual inspection of several hundred randomly selected apps from the 288,000 flagged set that finds most do not actually route traffic through proxies, VPNs, or Tor.
Original abstract
Proxies, VPNs and Tor have long helped the privacy community and users in censored regions to fight censorship. However, the same tools can be maliciously exploited by malware and botnets to conceal their communication to external command and control servers. Despite being a critical concern fueled by the proliferation of malware based attacks, no longitudinal studies have analyzed how malware applications use covert channels (CC) to evade detection. We fill this gap by performing the first study of the usage of covert channels in the Android malware ecosystem. To that end, we develop a multistage pipeline that combines static and dynamic analysis to investigate both system and network-level features. We applied this pipeline on a corpus of 3.5M Android malware spanning 2009 to July 2025. Our carefully crafted static validation rules uncovered 288K APKs that used CCs spanning 511 malware families and CC usage growing exponentially from 0.30% (2012) to 50% (2025). Overall, in dynamic analysis, we identified 19,308 unique IP addresses being contacted in 85 countries, out of which we were able to explicitly validate the presence of CCs for 59 IP addresses across 17 countries. Further, we performed a longitudinal dataset study spanning over 16 years for CC based malware and found that CC usage has evolved, e.g., some malware adopted by using more than one CCs; others switched between them periodically (one family switched CC usage 40 times from 2019 to 2025).
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents the first longitudinal study of covert channel (CC) usage (proxies, VPNs, Tor) by Android malware for C2 evasion. It describes a multistage static+dynamic analysis pipeline applied to a 3.5M-APK corpus (2009–July 2025) that identifies 288K APKs across 511 families using CCs, with reported exponential growth from 0.30% (2012) to 50% (2025). Dynamic analysis flags 19,308 unique IPs (85 countries), with explicit CC validation for only 59 IPs (17 countries); additional observations include multi-CC adoption and periodic switching within families.
Significance. If the pipeline's static rules prove reliable, the work supplies the first large-scale empirical baseline on CC adoption trends in Android malware, which could guide detection research and policy. The 16-year span and family-level granularity are strengths; however, the absence of any reported precision/recall or false-positive statistics on the static rules means the headline counts and growth curve currently rest on an unverified assumption.
major comments (3)
- [Abstract] Abstract: the headline counts (288K APKs, 511 families, 0.30%–50% growth) are produced solely by the 'carefully crafted static validation rules.' No precision, recall, false-positive rate, derivation method, or manual-audit results on any labeled validation set are supplied, rendering the central empirical claims dependent on an untested assumption.
- [Abstract / Dynamic Analysis] Dynamic analysis paragraph: only 59 of the 19,308 contacted IPs receive explicit dynamic validation for CC presence. The manuscript must clarify the classification status of the remaining IPs and quantify how static-rule errors would propagate into the reported temporal trend.
- [Abstract / Methods] Corpus description: the 3.5M-APK dataset construction (sources, sampling strategy, deduplication, potential selection bias) is not described. Without these details it is impossible to assess whether the observed exponential growth could be an artifact of changing corpus composition over time.
minor comments (2)
- [Abstract] The abstract states 'CC usage growing exponentially' but supplies no statistical test or model supporting the functional form; a simple plot or regression would strengthen the claim.
- [Abstract] Clarify the exact definition of 'CC' used by the static rules (e.g., which proxy/VPN/Tor libraries or traffic patterns are matched) to allow reproducibility.
Simulated Author's Rebuttal
We thank the referee for their constructive and detailed review. We address each major comment below and will revise the manuscript to incorporate the requested clarifications and additional information.
- Referee: [Abstract] Abstract: the headline counts (288K APKs, 511 families, 0.30%–50% growth) are produced solely by the 'carefully crafted static validation rules.' No precision, recall, false-positive rate, derivation method, or manual-audit results on any labeled validation set are supplied, rendering the central empirical claims dependent on an untested assumption.
  Authors: We agree that the abstract does not report precision, recall, or false-positive statistics for the static rules, nor does it detail their derivation or any manual audit. The Methods section describes the rules as derived from known CC library patterns and decompiled samples, but we did not include quantitative validation metrics. We will revise the abstract to reference the rule derivation process and add a new subsection in Methods with the full derivation method and results of our manual audit on a sample of flagged APKs.
  revision: yes
- Referee: [Abstract / Dynamic Analysis] Dynamic analysis paragraph: only 59 of the 19,308 contacted IPs receive explicit dynamic validation for CC presence. The manuscript must clarify the classification status of the remaining IPs and quantify how static-rule errors would propagate into the reported temporal trend.
  Authors: We agree clarification is required. The 19,308 IPs were obtained by executing APKs already flagged by the static rules; only 59 received explicit per-IP CC confirmation via traffic inspection. The remainder are potential CC endpoints identified dynamically but without individual validation. We will update the text to state this distinction explicitly and add a sensitivity discussion quantifying how plausible static-rule error rates would affect the reported growth trend.
  revision: yes
- Referee: [Abstract / Methods] Corpus description: the 3.5M-APK dataset construction (sources, sampling strategy, deduplication, potential selection bias) is not described. Without these details it is impossible to assess whether the observed exponential growth could be an artifact of changing corpus composition over time.
  Authors: The referee is correct that the abstract (and current Methods) does not describe corpus sources, sampling, deduplication, or bias analysis. We will add a dedicated subsection (3.1) detailing the sources (AndroZoo, VirusShare, Contagio), collection criteria, SHA-256 deduplication, family labeling, and a discussion of temporal sampling and potential selection biases, including why the observed trend is unlikely to be explained solely by corpus changes.
  revision: yes
Circularity Check
No circularity in empirical measurement study
This is a pure empirical measurement paper that applies a multistage static/dynamic analysis pipeline to a fixed corpus of 3.5M APKs and reports direct counts and trends (288K APKs, 511 families, 0.3% to 50% growth). No equations, fitted parameters, predictions, or derivations appear in the provided text. The reported quantities are outputs of the analysis rules applied to the dataset rather than quantities that reduce to those rules by construction. No self-citation load-bearing steps, uniqueness theorems, or ansatzes are invoked. The absence of reported precision/recall on the rules is a validation concern, not a circularity issue under the defined patterns.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption The 3.5M Android malware corpus spanning 2009-2025 is comprehensive and unbiased for the ecosystem.
- domain assumption Static validation rules accurately detect covert channels without substantial false positives.
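The sensitivity analysis the referee asks for, and the manual audit described under "What would settle it", sketched as an added example (not code from the paper or from Pith). Only 0.30%, 50% and 288,000 come from the page; the error rates and the audit outcome are assumed values, and the model assumes the rules' false-positive rate and recall are the same in every year.

```python
import math

# Figures quoted on this page: share of samples flagged by the static rules, and total flagged.
OBSERVED = {2012: 0.0030, 2025: 0.50}
FLAGGED_TOTAL = 288_000


def corrected_prevalence(observed, fpr, recall):
    """Rogan-Gladen correction of a flagged rate for rule error.

    observed = recall * true + fpr * (1 - true)
    =>  true = (observed - fpr) / (recall - fpr), clamped to [0, 1].
    """
    if not 0.0 <= fpr < recall <= 1.0:
        raise ValueError("need 0 <= fpr < recall <= 1")
    return min(1.0, max(0.0, (observed - fpr) / (recall - fpr)))


def growth_factor(fpr, recall):
    """Corrected 2025 prevalence over corrected 2012 prevalence.

    Returns inf when the 2012 figure is fully explained by false positives.
    """
    early = corrected_prevalence(OBSERVED[2012], fpr, recall)
    late = corrected_prevalence(OBSERVED[2025], fpr, recall)
    return math.inf if early == 0.0 else late / early


def audit_size(expected_precision, margin, population=FLAGGED_TOTAL, z=1.96):
    """APKs to inspect by hand to estimate rule precision within +/- margin."""
    n0 = z * z * expected_precision * (1 - expected_precision) / margin ** 2
    return math.ceil(n0 / (1 + (n0 - 1) / population))  # finite-population correction


def wilson_interval(confirmed, audited, z=1.96):
    """95% Wilson score interval for precision after a manual audit."""
    if audited <= 0 or not 0 <= confirmed <= audited:
        raise ValueError("need 0 <= confirmed <= audited and audited > 0")
    p = confirmed / audited
    denom = 1 + z * z / audited
    centre = (p + z * z / (2 * audited)) / denom
    half = z * math.sqrt(p * (1 - p) / audited + z * z / (4 * audited ** 2)) / denom
    return centre - half, centre + half


def sensitivity_rows(fprs, recalls):
    """One row per assumed (fpr, recall): corrected 2012, corrected 2025, growth factor."""
    return [
        (fpr, recall,
         corrected_prevalence(OBSERVED[2012], fpr, recall),
         corrected_prevalence(OBSERVED[2025], fpr, recall),
         growth_factor(fpr, recall))
        for fpr in fprs for recall in recalls
    ]


if __name__ == "__main__":
    # Assumed error rates (not reported by the paper), chosen to bracket the 2012 figure.
    for fpr, recall, p12, p25, g in sensitivity_rows([0.0, 0.001, 0.003], [1.0, 0.9]):
        print(f"fpr={fpr:.3f} recall={recall:.1f}  2012={p12:.4%}  2025={p25:.2%}  growth x{g:.1f}")
    n = audit_size(0.5, 0.05)  # worst-case precision, +/- 5 points
    print("APKs to audit:", n)
    lo, hi = wilson_interval(346, n)  # constructed outcome: 346 of n confirmed
    print(f"precision 95% CI {lo:.3f}-{hi:.3f}, "
          f"implied true positives {lo * FLAGGED_TOTAL:,.0f}-{hi * FLAGGED_TOTAL:,.0f}")
```

At full recall, an assumed false-positive rate of 0.3% erases the 2012 baseline entirely while moving the 2025 figure by under a fifth of a percentage point, so the growth factor is dominated by how noisy the rules are on the early, low-prevalence years.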