DroidSentry: A Survey of Android Malware Dynamic Analysis Techniques

by Darshan K R, Mrs. Amritha R, Rudresh S C., Sanketh Kumar K R., Shashank Gowda U.

Published: June 5, 2026 • DOI: 10.51244/IJRSI.2026.1305000168

Abstract

The rapid evolution of Android malware has severely undermined the efficacy of conventional analysis methodologies. Static analysis is frequently circumvented by advanced code obfuscation, use of native code via JNI, and dynamic payload loading architectures. Concurrently, dynamic analysis conducted within virtualized sandboxes is increasingly neutralized by sophisticated virtual machine (VM) evasion techniques that detect artificial execution environments. This survey provides a comprehensive taxonomy of Android malware analysis approaches, critically evaluating their capabilities and limitations. We systematically identify three persistent gaps in the current literature: (1) the consistent failure of virtualized execution environments against evasion-aware malware; (2) the absence of active adversarial API response tampering as a recognized analysis vector; and (3) the inaccessibility of complex forensic output to non-specialist analysts.
Building upon this gap analysis, we present the design rationale and architecture of DroidSentry, a Hardware-in-the-Loop (HIL) adversarial dynamic analysis framework. DroidSentry addresses these gaps through authentic physical-device-based execution, active mitmproxy-driven response manipulation via Gnirehtet reverse tethering, and experimental AI-assisted forensic narration via a locally hosted Llama 3 Large Language Model. By deploying on a Linux-based orchestration host coupled with a physical Android node, the framework significantly reduces environmental fingerprinting. Comparative analysis against representative existing tools demonstrates DroidSentry's effectiveness at the intersection of physical execution authenticity, adversarial testing depth, and forensic explainability.
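The abstract names active mitmproxy-driven response manipulation as one of DroidSentry's analysis vectors but, being an abstract, shows none of it. The following is an added illustration written for this page, not DroidSentry's code or the authors' addon: a minimal mitmproxy addon that rewrites selected fields of JSON replies from an endpoint on an analyst-supplied watch list, so a sample running on the physical device can be observed handling server answers it did not expect, while every rewrite is recorded for the forensic trail. It assumes the standard mitmproxy addon API (the `response` hook, `flow.request.pretty_host`, `flow.response.get_text()`/`set_text()`); the hostname, path and field names in `TAMPER_RULES` are placeholders, and the Gnirehtet reverse-tethering path that carries device traffic to the proxy is not shown.

```python
"""Added example (not DroidSentry's code): mitmproxy addon that performs
adversarial API-response tampering on JSON replies from watched endpoints.
Load with:  mitmdump -s tamper_addon.py
The decision logic is kept in pure functions so it can be exercised without
a proxy or a device."""
import json
import logging
from typing import Any, Optional

# Constructed tampering policy. Hostname, path and field names are
# placeholders for whatever endpoint a sample is observed to poll.
TAMPER_RULES: dict[str, dict[str, dict[str, Any]]] = {
    "c2.placeholder.test": {
        "/config": {"update_interval": 1, "modules": ["all"]},
    },
}


def select_overrides(host: str, path: str, rules=TAMPER_RULES) -> Optional[dict[str, Any]]:
    """Look up overrides for host + path; the query string is ignored when matching."""
    bare_path = path.split("?", 1)[0]
    return rules.get(host, {}).get(bare_path)


def rewrite_json_body(body: str, overrides: dict[str, Any]) -> tuple[str, bool]:
    """Apply overrides to a JSON object body. Anything that is not a JSON object
    passes through unchanged so the sample still receives a well-formed reply."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return body, False
    if not isinstance(data, dict):
        return body, False
    changed = False
    for key, value in overrides.items():
        if data.get(key) != value:
            data[key] = value
            changed = True
    return (json.dumps(data) if changed else body), changed


def tamper(host: str, path: str, content_type: str, body: str,
           rules=TAMPER_RULES) -> tuple[str, Optional[dict[str, Any]]]:
    """Pure decision step used by the addon. Returns the (possibly rewritten)
    body plus a forensic record of the change, or None when nothing was touched."""
    overrides = select_overrides(host, path, rules)
    if overrides is None or "json" not in content_type.lower():
        return body, None
    new_body, changed = rewrite_json_body(body, overrides)
    if not changed:
        return body, None
    record = {"host": host, "path": path, "overrides": overrides, "original": body}
    return new_body, record


class ResponseTamper:
    """mitmproxy addon wrapper around tamper(); keeps a list of every rewrite."""

    def __init__(self, rules=TAMPER_RULES):
        self.rules = rules
        self.records: list[dict[str, Any]] = []  # forensic trail for the report

    def response(self, flow) -> None:  # flow: mitmproxy.http.HTTPFlow
        if flow.response is None:
            return
        new_body, record = tamper(
            flow.request.pretty_host,
            flow.request.path,
            flow.response.headers.get("content-type", ""),
            flow.response.get_text(),
            self.rules,
        )
        if record is not None:
            flow.response.set_text(new_body)
            self.records.append(record)
            logging.info("tampered %s%s -> %s",
                         record["host"], record["path"], record["overrides"])


addons = [ResponseTamper()]
```

Keeping the match-and-rewrite decision in `tamper()` separate from the proxy hook is what makes the tampering auditable: the `records` list (or the log lines) can be dropped straight into the analysis report alongside the device's observed behaviour, which is the kind of raw forensic output the abstract's third gap says non-specialists struggle to read.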