OCTOPUS: Observing Communication Traffic Of Pre-installed Userspace Software
Description
Modern mobile devices are dense with pre-installed apps that are deeply integrated into the operating system. Unlike third-party apps, these system-level apps often operate with elevated privileges that allow them to bypass the standard Android permission model. This project investigates the hypothesis that pre-installed apps serve as a primary vehicle for personally identifiable information (PII) exfiltration, leveraging their persistence on the device to harvest and transmit sensitive user data to third-party domains without explicit consent.
Building upon a successful collaboration between the Cyber-Defense Campus and ZHAW, this project leverages a mature framework designed for re-hosting the Android Application Layer in virtual environments. While the initial framework established the baseline for virtualization, this study extends its capabilities to support the high-fidelity dynamic analysis required to capture the sophisticated behaviors of pre-installed apps.
To capture the subtle and often elusive data-sharing behavior of pre-installed apps, this project will utilize a multi-layered testing strategy. We move beyond simple observation by employing stimulation techniques designed to force apps to reveal their background data collection logic. A novel approach to measure and maximize code coverage and to trigger network traffic will be developed, specifically tailored for pre-installed apps.
This project aims to identify the specific types of sensitive data being transmitted by pre-installed apps. We investigate how PII leakage behavior shifts based on the device's environment. For instance, tests can include whether apps remain "dormant" in privacy-strict regions (like the EU under GDPR) but become aggressive in data collection when the language, country, or IP-based location is set to regions with fewer protections. This could reveal whether manufacturers implement "Privacy by Geography".
Beyond mere detection, this project seeks to map the complex ecosystem of third-party stakeholders – ranging from advertising networks to government-linked entities – that benefit from these pre-installed data pipelines. By analyzing the communication channels used by pre-installed apps, we will establish a taxonomy of 'information leakage' that categorizes endpoints into distinct classes, such as advertising, tracking, and telemetry abuse. Ultimately, the findings will contribute to a broader framework for mobile transparency, providing consumers, researchers, and regulatory bodies with the empirical evidence needed to demand more rigorous auditing of firmware-level software and to challenge the current lack of accountability in the mobile supply chain.
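The two analysis steps described above (comparing leakage across device locale profiles, and sorting contacted endpoints into classes such as advertising, tracking and telemetry) can be illustrated with a small analysis script. The following is an added example, not code from the OCTOPUS project or its framework; the capture lines, domains, PII values and the endpoint category map are all constructed for illustration, and the profile names are hypothetical labels for a GDPR-region configuration and a less protected one.

```python
"""Added example (not part of the OCTOPUS project): find PII in captured
outbound requests of pre-installed apps, classify the endpoints, and
compare what leaks under two device locale profiles.

Every request line, hostname and identifier below is constructed; the
endpoint class map is a hypothetical lookup, not a real tracker list.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Hypothetical endpoint taxonomy, using the classes named in the project
# description. A real analysis would back this with a curated domain list.
ENDPOINT_CLASSES = {
    "ads.example-adnet.test": "advertising",
    "collect.example-tracker.test": "tracking",
    "metrics.example-oem.test": "telemetry",
}

# PII detectors applied to each query-string value (all constructed).
PII_PATTERNS = {
    "imei": re.compile(r"^\d{15}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "advertising_id": re.compile(
        r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),
    "coordinates": re.compile(r"^-?\d{1,3}\.\d{3,},-?\d{1,3}\.\d{3,}$"),
}

# Constructed capture: "<profile> <app> <url>" per line. profile-eu models a
# GDPR-region device configuration, profile-other a less protected region.
CAPTURE = [
    "profile-eu com.oem.weather https://metrics.example-oem.test/ping?v=3&sess=abc",
    "profile-eu com.oem.launcher https://ads.example-adnet.test/imp?gaid=7f3e0a1c-5b2d-4e8f-9a1b-0c2d3e4f5a6b",
    "profile-other com.oem.weather https://metrics.example-oem.test/ping?v=3&imei=490154203237518&loc=28.613900,77.209000",
    "profile-other com.oem.launcher https://ads.example-adnet.test/imp?gaid=7f3e0a1c-5b2d-4e8f-9a1b-0c2d3e4f5a6b&email=user%40example.test",
    "profile-other com.oem.cloud https://collect.example-tracker.test/e?imei=490154203237518",
]


def find_pii(url):
    """Return the set of PII types present in the URL's query parameters."""
    found = set()
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            for name, pattern in PII_PATTERNS.items():
                if pattern.match(value):
                    found.add(name)
    return found


def classify_endpoint(url):
    """Map the request host to an endpoint class, or 'unknown'."""
    host = urlsplit(url).hostname or ""
    return ENDPOINT_CLASSES.get(host, "unknown")


def analyze_capture(lines):
    """Build {profile: {endpoint_class: set(pii_types)}} from capture lines.

    Requests carrying no PII are ignored, so a class only appears for a
    profile if something sensitive was actually sent to it.
    """
    report = defaultdict(lambda: defaultdict(set))
    for line in lines:
        profile, _app, url = line.split(maxsplit=2)
        pii = find_pii(url)
        if pii:
            report[profile][classify_endpoint(url)] |= pii
    return report


def geography_delta(report, strict, permissive):
    """PII types sent under the permissive profile but not the strict one.

    A non-empty result is the "Privacy by Geography" signal: the same apps
    send more sensitive data once the device looks like it is elsewhere.
    """
    strict_classes = report.get(strict, {})
    permissive_classes = report.get(permissive, {})
    delta = {}
    for cls in set(strict_classes) | set(permissive_classes):
        extra = permissive_classes.get(cls, set()) - strict_classes.get(cls, set())
        if extra:
            delta[cls] = extra
    return delta


if __name__ == "__main__":
    result = analyze_capture(CAPTURE)
    for profile, classes in result.items():
        for cls, pii in classes.items():
            print(f"{profile:14} {cls:12} {sorted(pii)}")
    print("extra under permissive profile:",
          geography_delta(result, "profile-eu", "profile-other"))
```

In the constructed capture the telemetry endpoint receives only a session id under the GDPR profile but an IMEI and coordinates under the other profile, which is exactly the kind of per-region difference the project sets out to measure. On real captures the PII detectors would also need to cover request bodies and hashed or encoded identifiers, and the endpoint map would come from a maintained domain classification rather than a three-entry dictionary.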
Key data
Project lead
Project team
Project partners
Bundesamt für Rüstung armasuisse / Cyber-Defense Campus
Project status
ongoing, started 04/2026
Institute/Centre
Institute of Computer Science (InIT)
Funding partner
Federal government
Project budget
125'000 CHF