Abstract

The exponential growth of mobile applications has dramatically reshaped the global software ecosystem, with Android and iOS app stores acting as the primary gateways for billions of users worldwide. These platforms rely on extensive vetting mechanisms, such as Google’s Bouncer and Apple’s App Review Process, to detect and block malicious content before publication. However, a critical and increasingly exploited weakness has emerged the abuse of dynamic code updates and in-app updating mechanisms to deliver malicious payloads after an app’s approval. In this approach, attackers publish benign applications that pass all automated and manual inspections, but later inject harmful code through dynamic class loading (DCL), reflection, or hidden update APIs. Once activated, these components can steal sensitive data, escalate privileges, or enable remote control, all while appearing legitimate to users. Empirical research, including StaDynA2, StaDART1, and large-scale studies like Poeplau et al.4 and DyDroid5, has revealed the alarming prevalence of such mechanisms. Findings indicate that more than 80% of analyzed malware samples use reflection, while nearly 20% employ dynamic class loading to bypass static detection. These techniques exploit the limitations of traditional app store security, which ssumes code immutability after publication. Furthermore, manufacturer-level Android customizations exacerbate the risk: preinstalled, over privileged vendor apps and delayed security patch rollouts.

• 1.   M. Ahmad, V. Costamagna, B. Crispo, F. Bergadano, Y. Zhauniarovich, “StaDART: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications,” Journal of Systems and Software, vol. 159, 2020.
• 2.   Y. Zhauniarovich, M. Ahmad, O. Gadyatskaya, B. Crispo, F. Massacci, “StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications,” Proc. ACM CODASPY, 2015.
• 3.   L. Wu, M. Grace, Y. Zhou, C. Wu, X. Jiang, “The Impact of Vendor Customizations on Android Security,” Proc. ACM CCS, 2013.
• 4.   S. Poeplau, S. Fratantonio, A. Bianchi, “Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications,” Proc. NDSS, 2014.
• 5.   Z. Qu et al., “DyDroid: Measuring Dynamic Code Loading and Its Security Implications in Android Applications,” ACM Digital Library, 2018.
• 6.   L. Falsina et al., “Grab’n Run: Secure and Practical Dynamic Code Loading for Android,” Proc. ACSAC, 2015.
• 7.   R. Chatterjee et al., “DroidRA, Ripple, and EspyDroid+: Reflection Analysis and Mitigation in Android,” IEEE Trans. Software Eng., 2021.
• 8.   A. Aysan et al., “Analysis of Dynamic Code Updating in Android from a Security Perspective,” IET Information Security, 2019.
• 9.   W. Elsersy et al., “The Rise of Obfuscated Android Malware and Impacts on Detection,” PeerJ Comput. Sci., 2022.
• 10.   Google Android Developers, “Dynamic Delivery and In-App Updates,” 2024.