System auditing on Android faces two problems. First, existing syscall tracers lose events under load: when events arrive faster than a user-space reader can drain the trace buffer, older entries are silently overwritten. Second, security-relevant application behavior is mediated through Binder, Android's kernel IPC mechanism, and is therefore invisible at the syscall layer; the Binder parcels the kernel does see carry no method names or typed arguments. This disconnect between low-level events and high-level behavior is known as the semantic gap. Existing approaches close it either by modifying the Android platform, which makes them hard to keep current with OS updates, or by instrumenting the traced application in user space, which a sophisticated adversary can evade by calling past the instrumented framework APIs. We present WOOTdroid, a design and prototype for on-device tracing on stock Android that addresses both problems without OS modification or application instrumentation. WDSys, an eBPF port of eAudit-style syscall auditing, runs on current Android with at most 3.6% Geekbench overhead and traces 33% more syscalls than ftrace. WDBind captures Binder parcels in the kernel and decodes them out of process against a framework signature table extracted via Java reflection. We demonstrate WOOTdroid on Pixel 9 devices running Android 16 with an end-to-end case study reconstructing ten security-relevant Binder transactions.
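The WDBind step above, decoding a kernel-captured parcel against a signature table, can be made concrete with a small decoder. This is an added example, not the paper's code: the interface descriptor `com.example.IDemoService`, its method table, and the parcel bytes are constructed for the demonstration. It follows the AIDL convention that method i of an interface gets transaction code `FIRST_CALL_TRANSACTION + i` (the `TRANSACTION_<method>` constants on the generated Stub class that reflection would read), and the Parcel `String16` layout (int32 length in UTF-16 code units, UTF-16LE characters, a null terminator, padding to 4 bytes). The version-dependent header words that real `writeInterfaceToken` calls place before the descriptor are omitted, so the constructed parcel begins directly with the descriptor.

```python
"""Out-of-process decoding of a captured Binder transaction against a
signature table, in the spirit of WDBind.  Added example: descriptor,
method table and parcel bytes below are constructed, not from the paper."""
import struct

# android.os.IBinder.FIRST_CALL_TRANSACTION; AIDL assigns method i the
# code FIRST_CALL_TRANSACTION + i, exposed as Stub.TRANSACTION_<method>.
FIRST_CALL_TRANSACTION = 1

# Signature table as reflection over the generated Stub would yield it:
# (descriptor, code) -> (method name, parameter types).  Hypothetical
# interface constructed for this example.
SIGNATURES = {
    "com.example.IDemoService": {
        FIRST_CALL_TRANSACTION + 0: ("setEnabled", ["boolean"]),
        FIRST_CALL_TRANSACTION + 1: ("sendMessage", ["String", "int"]),
        FIRST_CALL_TRANSACTION + 2: ("recordEvent", ["long", "String"]),
    }
}


def read_int32(buf, off):
    return struct.unpack_from("<i", buf, off)[0], off + 4


def read_int64(buf, off):
    return struct.unpack_from("<q", buf, off)[0], off + 8


def read_boolean(buf, off):
    # Parcel.writeBoolean stores a full int32 (0 or 1).
    v, off = read_int32(buf, off)
    return v != 0, off


def read_string16(buf, off):
    # String16: int32 length in UTF-16 units (-1 for null), UTF-16LE
    # characters, a null terminator, then padding to a 4-byte boundary.
    n, off = read_int32(buf, off)
    if n < 0:
        return None, off
    raw = buf[off:off + 2 * n]
    off += 2 * n + 2          # skip the u16 terminator
    off = (off + 3) & ~3      # round up to the 4-byte boundary
    return raw.decode("utf-16-le"), off


# Writers, used only to construct the sample capture below.
def write_int32(v):
    return struct.pack("<i", v)


def write_int64(v):
    return struct.pack("<q", v)


def write_string16(s):
    if s is None:
        return write_int32(-1)
    data = s.encode("utf-16-le")
    out = write_int32(len(data) // 2) + data + b"\x00\x00"
    return out + b"\x00" * (-len(out) % 4)


READERS = {
    "int": read_int32,
    "boolean": read_boolean,
    "long": read_int64,
    "String": read_string16,
}


def decode_transaction(code, data):
    """Map (transaction code, parcel data) to a method name and typed
    arguments.  Here the data begins with the interface descriptor; real
    parcels carry version-dependent header words before it (omitted)."""
    descriptor, off = read_string16(data, 0)
    methods = SIGNATURES.get(descriptor)
    if methods is None or code not in methods:
        # No signature: all the kernel layer can offer is opaque bytes.
        return {"descriptor": descriptor, "code": code, "raw": data[off:].hex()}
    name, types = methods[code]
    args = []
    for t in types:
        val, off = READERS[t](data, off)
        args.append(val)
    return {"descriptor": descriptor, "method": name, "args": args}


def build_sample_transaction():
    # Constructed capture of sendMessage("hello", 42) as the kernel sees it.
    code = FIRST_CALL_TRANSACTION + 1
    data = (write_string16("com.example.IDemoService")
            + write_string16("hello") + write_int32(42))
    return code, data


if __name__ == "__main__":
    code, data = build_sample_transaction()
    print(f"kernel view: code={code} data={data.hex()}")
    print("decoded:", decode_transaction(code, data))
```

The unresolved branch is the semantic gap in miniature: without the table, a transaction is a code and a hex blob, and an `ioctl(BINDER_WRITE_READ)` at the syscall layer shows even less. Because decoding happens out of process, a traced app that bypasses instrumented framework APIs still has to emit a parcel the kernel sees.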