ARTEMIS: A Modular Platform for Execution, Monitoring, and Investigation of Suspicious Android Applications
Abstract
The fragmentation of Android versions and the limitations of current tools for effectively monitoring APK execution make malware analysis difficult. This paper presents ARTEMIS, a microservices-based platform capable of orchestrating parallel analysis across heterogeneous instances, tested with 100 emulators (Android 10–14) and physical devices. In a case study with 12,466 malicious APKs, ARTEMIS achieved a 98.7% installation rate (adaptive architecture) and 80.2% recovery of failed APKs through debug detection (modular pipeline). ARTEMIS provides large-scale analysis, execution history, and anti-evasion strategies, all essential for combating modern mobile threats.
