DROIT: Dynamic alternation of dual-level tainting for malware analysis

Chiwei Wang, Shiuh-Pyng Shieh

Research output: Contribution to journalArticlepeer-review

7 Scopus citations


Taint analysis for Android malware has received much attention in recent research. Existing taint techniques operate either at Java object level or at deeper instruction level. Object-level tracking is suitable for malware written in Java byte-code, but not for native ones. Instruction-level tracking captures the finest data flow. However, it leads to obscure semantic reconstruction and low performance. In this paper, we present DROIT, a taint tracker which dynamically alternates between object-level and instruction-level tracking on demands. DROIT tracks data flow at Java object level in general. When its Dalvik VM exits the byte-code execution, DROIT automatically switches to instructionlevel tracking, and vice versa. The trigger-based DROIT can alternate between the two levels in an efficient manner, and can provide dual-level whole image of the data flow, rather than fragments. Tracking at the dual levels also eases the semantic reconstruction significantly. The experiment with Android information-stealing trojans showed that DROIT can handle Java-based malware, those composed in native code, and those alternating between the two levels (e.g., DroidKungFu), respectively.

Original languageEnglish
Pages (from-to)111-129
Number of pages19
JournalJournal of Information Science and Engineering
Issue number1
StatePublished - 1 Jan 2015


  • Android operating system
  • Binary translation
  • Dalvik virtual machine
  • Information flow tracking
  • Malware analysis
  • Mobile security
  • Taint analysis


Dive into the research topics of 'DROIT: Dynamic alternation of dual-level tainting for malware analysis'. Together they form a unique fingerprint.

Cite this