WOOTdroid: Whole-system Online On-device Tracing for Android

TL;DR

WOOTdroid is an on-device Android tracing system that overcomes existing limitations by capturing syscall and Binder-level events without OS modification or application instrumentation, enabling detailed security analysis.

Contribution

It introduces WOOTdroid, a novel on-device tracing framework that captures syscall and Binder events efficiently on stock Android without modifications or instrumentation.

Findings

WDSys traces 33% more syscalls than ftrace with minimal overhead.

WDBind decodes Binder parcels out-of-process, bridging the semantic gap.

WOOTdroid successfully reconstructs security-relevant Binder transactions.

Abstract

System auditing on Android faces two problems. First, existing syscall tracers lose events under load, silently overwriting entries faster than a user space reader can drain them. Second, security-relevant application behavior is mediated through Binder, Android's kernel IPC mechanism, and is therefore hidden from the syscall layer. The Binder parcels that the kernel does see carry no method names or typed arguments, a disconnect between low-level events and high-level behavior known as the semantic gap. Existing approaches address the semantic gap either by modifying the Android platform, making them difficult to adjust to OS updates, or by instrumenting the traced application in user space, which sophisticated adversaries can evade by bypassing the instrumented framework APIs. We present WOOTdroid, a design and prototype for on-device tracing on stock Android that addresses both problems without OS modification or application instrumentation. WDSys, an eBPF port of eAudit-style syscall auditing, runs on current Android with at most 3.6% Geekbench overhead and traces 33% more syscalls than ftrace. WDBind captures Binder parcels in the kernel and decodes them out-of-process against a framework signature table extracted via Java reflection. We demonstrate WOOTdroid on Pixel 9 devices running Android 16 with an end-to-end case study reconstructing ten security-relevant Binder transactions.