This folder collects the code and artifacts used for the GhostTap experiments and the supporting PoC apps used in our user-awareness and mobile-agent-awareness evaluations.
- Discovery_methodology
  - `analysis.py` corresponds to the detection tool described in Section 3.2.
    - AIDL Library Construction: Scans AOSP AIDL files to extract interface methods and categorize them into `entry_set` (non-ONEWAY) and `oneway_set` (ONEWAY).
    - Java Call Graph: Builds a `Class.method -> callees` mapping with method metadata to support lightweight static analysis.
    - Backward Sink Mining: Traces backward from ONEWAY sinks to upstream callers using a fair sampling strategy per sink.
    - Forward Entry Mining: Performs BFS from non-ONEWAY entries to ONEWAY sinks, supporting alias expansion, step budgets, and deduplication.
    - JNI Bridging: Maps Java `native` declarations to C/C++ implementations via naming conventions, `RegisterNatives`, and `android_*` patterns.
    - Native Call Graph: Analyzes C/C++ function calls to identify sites directly hitting ONEWAY interfaces.
    - Cross-Language Chain Synthesis: Merges Java and Native call graphs via JNI to perform cross-language BFS for end-to-end chain discovery.
    - Result Fusion: Deduplicates and merges raw chains into a unified JSON output, with support for additional query result injection.
- Detect_in_the_wild
  - Detecting Malicious Apps in the Wild: code and detection outputs.
  - Key files:
    - `archive.zip` — contains detection results and exported artifacts. Unzip this to inspect the detection outputs.
    - `detect_all_ghosts.py`, `detect_ghost_aris_slicing.py`, `detect_ghost_ipc_slicing.py`, `detect_ghost_trust_slicing.py`, `detect_ghost_window_slicing.py` — detection scripts used in the experiment.
- Detect_injected_app
  - `40apps`: Ten open-source apps from GitHub were selected, and for each app, four types of Ghost vulnerabilities were injected, resulting in a total of 40 APK files.
  - `unified_ghost_reports`: The analysis results of the 40 apps obtained using the analysis script (in `Detect_in_the_wild`).
- AttackImplementCode
  - This folder mainly contains the source code for all four GhostTap attack scenarios (GhostIPC, Ghost-Window, GhostARIS, and GhostTrust), including proof-of-concept malicious applications and related vulnerability trigger mechanisms.
  - GhostIPC
    - This directory contains the main attack code for GhostIPC.
  - GhostWindow
    - This directory contains the main attack code for GhostWindow.
  - GhostARIS
    - This directory contains the main attack code for GhostARIS.
  - GhostTrust
    - This directory contains the main attack code for GhostTrust.
  - POC_apps
    - This directory contains the source code for three PoC apps and related PDF documentation for vulnerability triggers.
- UserStudy
  - This directory contains the Initial Questionnaire used for recruiting experiment participants, the Final Questionnaire after the experiment, and the corresponding results.
- MobileAgentResults
  - This directory contains experimental records of using Mobile Agent to test the PoC apps.
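
The AIDL Library Construction and Forward Entry Mining steps listed under Discovery_methodology, as an added sketch that is not the project's `analysis.py`: it classifies AIDL methods into an entry set and a ONEWAY set, then runs a budgeted, deduplicated BFS over a `Class.method -> callees` map. The function names, the regex-based parsing, the sample AIDL text and the call graph are assumptions constructed for illustration, and alias expansion is left out.

```python
import re
from collections import deque

# Constructed AIDL text (not taken from AOSP): method-level and interface-level oneway.
SAMPLE_AIDL = """
interface IDemoService {
    int getState(String key);
    oneway void notifyChanged(int id);
    /* oneway void disabled(); */
}
oneway interface IDemoCallback {
    void onEvent(int code);  // oneway inherited from the interface
}
"""
# Constructed Class.method -> callees map; load/audit form a cycle.
CALL_GRAPH = {
    "IDemoService.getState": ["DemoImpl.load", "DemoImpl.audit"],
    "DemoImpl.load": ["DemoImpl.audit", "IDemoCallback.onEvent"],
    "DemoImpl.audit": ["DemoImpl.load"],
}
IFACE_RE = re.compile(r"(oneway\s+)?interface\s+(\w+)\s*\{(.*?)\}", re.S)

def classify_aidl(text):
    """Return (entry_set, oneway_set) of 'Interface.method' names."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)  # strip comments
    entry_set, oneway_set = set(), set()
    for iface_oneway, iface, body in IFACE_RE.findall(text):
        for stmt in body.split(";"):
            m = re.match(r"\s*(oneway\s+)?[^()]*?(\w+)\s*\(", stmt)
            if m:  # fragments without '(' are constants or blanks
                target = oneway_set if (iface_oneway or m.group(1)) else entry_set
                target.add(f"{iface}.{m.group(2)}")
    return entry_set, oneway_set

def forward_chains(graph, entries, sinks, max_steps=6):
    """BFS from each entry; keep the shortest chain per (entry, sink) pair."""
    chains = {}
    for entry in sorted(entries):
        queue, seen = deque([[entry]]), {entry}
        while queue:
            path = queue.popleft()
            if len(path) > max_steps:  # step budget: at most max_steps calls
                continue
            for callee in graph.get(path[-1], []):
                if callee in sinks:
                    chains.setdefault((entry, callee), path + [callee])
                elif callee not in seen:  # dedup also breaks cycles
                    seen.add(callee)
                    queue.append(path + [callee])
    return chains

ENTRY_SET, ONEWAY_SET = classify_aidl(SAMPLE_AIDL)
CHAINS = forward_chains(CALL_GRAPH, ENTRY_SET, ONEWAY_SET)
```
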
User Study experiment configuration:
- PoC apps run on a Pixel 7 emulator (Android 14).
- All three PoC apps can run on this device and reproduce the vulnerabilities.
Mobile agent experiment environment:
For open-source frameworks:
- PoC apps run on a Pixel 7 emulator (Android 14).
- The mobile agents are Mobile-Agent-v3 with GUI-Owl-7B and AutoDroid with GPT-3.5-turbo.
- All three PoC apps can run on this device and reproduce the vulnerabilities.
For OEM-integrated agents:
- PoC apps run on Honor Magic7 Pro (Android 16) and Doubao Nubia M153 (Android 16).
- Because both devices run Android 16, the GhostIPC vulnerability does not apply to them.
- These projects contain proof-of-concept code for security research. They are intended for academic and defensive testing only. Do not use these artifacts to perform unauthorized access or attacks on systems you do not own or have permission to test.
- When running detection or PoC code on devices/emulators, follow safe lab practices: use isolated devices/emulators, back up important data, and avoid connecting research devices to production networks.