@misc{althaus_wootdroid_2026,
title = {{WOOTdroid}: {Whole}-system {Online} {On}-device {Tracing} for {Android}},
url = {https://arxiv.org/abs/2604.27830},
abstract = {System auditing on Android faces two problems. First, existing syscall tracers lose events under load, silently overwriting entries faster than a user space reader can drain them. Second, security-relevant application behavior is mediated through Binder, Android's kernel IPC mechanism, and is therefore hidden from the syscall layer. The Binder parcels that the kernel does see carry no method names or typed arguments, a disconnect between low-level events and high-level behavior known as the semantic gap. Existing approaches address the semantic gap either by modifying the Android platform, making them difficult to adjust to OS updates, or by instrumenting the traced application in user space, which sophisticated adversaries can evade by bypassing the instrumented framework APIs.
We present WOOTdroid, a design and prototype for on-device tracing on stock Android that addresses both problems without OS modification or application instrumentation. WDSys, an eBPF port of eAudit-style syscall auditing, runs on current Android with at most 3.6\% Geekbench overhead and traces 33\% more syscalls than ftrace. WDBind captures Binder parcels in the kernel and decodes them out-of-process against a framework signature table extracted via Java reflection. We demonstrate WOOTdroid on Pixel 9 devices running Android 16 with an end-to-end case study reconstructing ten security-relevant Binder transactions.},
author = {Althaus, Simon and Alexopoulos, Nikolaos and Mühlhäuser, Max and Reuter, Christian and Zimmer, Ephraim},
year = {2026},
note = {\_eprint: 2604.27830},
}

@misc{alexopoulos_slicedroid_2025,
title = {{SliceDroid}: {Towards} {Reconstructing} {Android} {Application} {I}/{O} {Behaviors} from {Kernel} {Traces}},
url = {https://doi.org/10.5281/zenodo.16745322},
doi = {10.5281/zenodo.16745322},
abstract = {Live threat detection and forensic analysis are becoming
increasingly important in the mobile device ecosystem.
The analysis of kernel traces is the standard approach for
performing such tasks on the desktop and in the cloud. A major
factor limiting the effectiveness of such approaches in Android
is the semantic gap between low-level kernel events and highlevel
behaviors, stemming from Android’s multilayer software
stack. SLICEDROID is an efficient and transparent approach to
reconstruct application behaviors based only on kernel traces.
It builds on two key insights: a) necessary information can
be traced transparently using existing mechanisms to inspect
internal kernel structures, and b) I/O events can be attributed
to the processes that initiated them by appropriately slicing the
collected traces.
We implement a prototype of SLICEDROID and show that it
is capable of reconstructing core application behaviors with good
accuracy and minimal performance overhead. Furthermore, to
showcase the immediate practical relevance of our approach, we
perform case studies on a commercial spyware application, as
well as on popular Google Play Store apps. Contrary to previous
reports, we find that it is possible to reconstruct high-level
application behaviors exclusively from kernel events efficiently
and transparently, that is, without modifications to the kernel
or the Android framework. This is achieved at the cost of
a configurable decrease in precision. We offer an open-source
implementation of SLICEDROID to promote further research and
support improvements in auditing and forensic analysis tools.},
publisher = {Zenodo},
author = {Alexopoulos, Nikolaos and Althaus, Simon and Spinellis, Diomidis},
month = aug,
year = {2025},
note = {Version Number: 0.2},
}