Reconstructing Android Application I/O Behaviors from Kernel Traces

Presenter: Nikos Alexopoulos
Date: 30 April 2025

Abstract

Android users face increasingly sophisticated threats, ranging from malware and state-sponsored surveillance, to supply chain attacks and a large attack surface, mostly consisting of proprietary components. Android’s semantic gap, i.e. the disconnect between application behaviors and kernel-level events (system calls), is a major limiting factor towards developing approaches capable of detecting threats in the wild. This talk will present recent research on overcoming this limitation, introducing SysDroid, a simple and lightweight approach to reconstruct Android behaviors from Linux kernel traces.

SysDroid builds on two key insights: (a) I/O events can be captured in the kernel and attributed to applications by following IPC edges, and (b) a mapping between I/O events and interesting high-level behaviors can be established a priori by associating I/O events to high-level Android Framework API calls. The approach is effective in capturing application behaviors and can be used as the basis for further analysis.