Greyware Analysis and Mitigation Approach
An analyst-first methodology and toolset for Android greyware investigation
GAMA is a methodology and toolset for identifying greyware behaviour in Android applications — the grey area between legitimate software and malware that standard automated scanners miss.
Standard scanners look for signatures. GAMA looks for behaviour patterns: how an app routes data, which channels it uses to avoid network monitoring, how SDKs communicate with each other before any outbound request is made.
Technology collects. The analyst interprets.
No tool in the GAMA ecosystem classifies automatically. Every finding requires analyst confirmation. This is not a limitation — it is what makes GAMA findings defensible.
Modern Android apps routinely use advertising and analytics SDKs that collect far more data than declared in their privacy policies. The collection happens through channels invisible to standard monitoring tools:
- Custom URI schemes (
mv://,global://,applovin://) — data passed through WebView'sshouldOverrideUrlLoadingbefore any network call - Encoded strings — endpoints and URIs hidden in Base64/hex inside the bytecode
- Background persistence — WorkManager and JobScheduler tasks that survive app force-stop
- Domain fronting — traffic routed through CDNs where the SNI does not match the actual destination
These are not malware techniques. They are greyware — deliberate design choices that maximise data collection while evading privacy controls.
APK
│
├─► GAMA-Intel ──────────────────── Automated static analysis
│ │ URI scanner 31 findings on Airport Empire Idle
│ │ SDK fingerprint 11 SDKs identified
│ │ Manifest analysis STIX 2.1 report
│ │ Encoded string decoder
│ └─► workspace/
│ ├── findings.jsonl
│ ├── uri_scan.json
│ ├── sdk_map.json
│ └── report.stix.json
│
├─► GAMA-Deep ───────────────────── ML anomaly scoring (Rust)
│ │ Static features (128-dim) Anomaly score 0–100
│ │ Smali embeddings (256-dim) Channel contributions
│ │ Network sequences (256-dim) Train on your own dataset
│ └─► workspace/deep/gama_deep.json
│
└─► GAMA Framework ──────────────── Analyst workspace (CLI)
│ Phase 0: Hypothesis 7-phase methodology
│ Phase 1: Static review Finding classification
│ Phase 3: Frida dynamic Enforcement rules
│ Phase 5: Classification Class A/B/C/D
│ Phase 6: Enforcement rules
└─► workspace/findings.jsonl
| Tool | Type | Role |
|---|---|---|
| GAMA Framework | Interactive CLI (Python) | Analyst workspace — 7-phase structured methodology |
| GAMA-Intel | Pipeline (Python) | Automated static analysis, STIX 2.1 reporting |
| GAMA-Deep | ML engine (Rust) | Three-channel anomaly scoring |
| GAMA-Community (coming soon) | Knowledge base | Shared confirmed findings, PR-based governance |
# Java (required by apktool and jadx)
sudo apt install -y default-jre
# apktool
sudo wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool \
-O /usr/local/bin/apktool
sudo wget https://github.com/iBotPeaches/Apktool/releases/download/v2.10.0/apktool_2.10.0.jar \
-O /usr/local/bin/apktool.jar
sudo sed -i 's|exec java -jar|exec java -Xmx2g -jar|' /usr/local/bin/apktool
sudo chmod +x /usr/local/bin/apktool
# jadx
JADX_VER=$(curl -s https://api.github.com/repos/skylot/jadx/releases/latest \
| python3 -c "import sys,json; print(json.load(sys.stdin)['tag_name'].lstrip('v'))")
wget https://github.com/skylot/jadx/releases/download/v${JADX_VER}/jadx-${JADX_VER}.zip -O /tmp/jadx.zip
sudo mkdir -p /opt/jadx && sudo unzip -q /tmp/jadx.zip -d /opt/jadx
sudo ln -sf /opt/jadx/bin/jadx /usr/local/bin/jadxgit clone https://github.com/psychomad/gama-framework
git clone https://github.com/psychomad/gama-intel
git clone https://github.com/psychomad/gama-deepcd gama-deep
cargo build --release
sudo cp target/release/gama-deep /usr/local/bin/cd gama-intel
pip install -r requirements.txtcd gama-intel
python3 -m gama_intel.cli analyse app.apk --skip-dynamic --skip-networkpython3 -m gama_intel.cli analyse app.apk \
--import-apktool path/to/apktool_out/ \
--skip-dynamic --skip-network# Analyse workspace with GAMA-Deep
gama-deep analyse gama-intel/workspace/20260315_170023_com-app/
# Label and train
echo '{"class": "C"}' > workspace/20260315_.../deep/label.json
gama-deep train gama-intel/workspace/ --epochs 50cd gama-framework
python3 main.py
# → Create workspace
# → Phase 0: document hypothesis
# → Phase 1: run static analysis
# → Phase 5: classify findings A/B/C/D
# → Phase 6: generate enforcement rules# Hook URI scheme IPC channels at runtime
cat > /tmp/gama_t001.js << 'EOF'
Java.perform(function() {
var WebViewClient = Java.use("android.webkit.WebViewClient");
WebViewClient.shouldOverrideUrlLoading.overload(
"android.webkit.WebView", "java.lang.String"
).implementation = function(view, url) {
var scheme = url.split("://")[0];
if (!["https","http","file","content","data"].includes(scheme)) {
console.log(JSON.stringify({
ts: new Date().toISOString(),
technique: "GAMA-T001",
scheme: scheme,
url: url.substring(0, 200)
}));
}
return this.shouldOverrideUrlLoading(view, url);
};
});
EOF
frida -U -n com.example.app -l /tmp/gama_t001.js| Class | Definition | Example |
|---|---|---|
| A | Operational — proportionate to declared purpose | Analytics SDK collecting session data, disclosed in privacy policy |
| B | Disproportionate — collects more than declared | Ad SDK collecting device fingerprint not mentioned in privacy policy |
| C | Concealed — uses evasion (URI bypass, encoding, JNI) | mv:// routing data through WebView IPC invisible to VPN monitoring |
| D | Deceptive — directly contradicts privacy policy | Tracking active after user purchases "ad-free" tier |
| ID | Name | ATT&CK Mobile | Detection |
|---|---|---|---|
| GAMA-T001 | Custom URI scheme IPC bypass | T1637.002 (proposed) | URI scanner + Frida WebView hook |
| GAMA-T002 | Post-install silent payload | T1407 | Size delta + dynamic download hook |
| GAMA-T003 | Background task persistence | T1624.003 (proposed) | WorkManager hook + post-termination DNS |
| GAMA-T004 | Domain fronting via CDN | T1665 | SNI vs dest IP correlation in Zeek |
| GAMA-T005 | JNI policy bypass | proposed | Native lib entropy + JNI symbol analysis |
| GAMA-T006 | Premium tier visual illusion | proposed | Runtime capture after paid tier activation |
| GAMA-T007 | Encoded string obfuscation | T1406 | Base64/hex decoder on smali strings |
App: com.SekGames.AirportEmpireIdle v0.7.0 — 140MB idle game
GAMA-Intel results:
Findings: 31
By technique: GAMA-T001: 30, GAMA-T007: 1
SDKs: 11 identified (Mintegral, AppLovin, Unity, Adjust, Firebase...)
Encoded hits: 21 Base64/hex strings decoded
Top findings:
| URI Scheme | Score | Evidence | Classification |
|---|---|---|---|
mv:// |
12 | 4 occurrences, smali_classes9, WebView handler co-located | Class-C |
mraid:// |
12 | 18 occurrences in 7 files, tracking context: event | Class-B |
applovin:// |
12 | 6 occurrences, tracking context: event, ad | Class-B |
tcp:// |
11 | 1 occurrence in WebView context — anomalous | Class-C candidate |
global:// |
8 | 99 occurrences in 2 files — high-frequency bus | Pending dynamic |
GAMA-Deep score after training:
{
"anomaly_score": 51.0,
"static_contribution": 0.23,
"smali_contribution": 0.77,
"network_contribution": 0.0,
"gama_technique": "GAMA-T005"
}The mv:// finding became CENT-2026-001 — the first entry in the GAMA Community knowledge base.
GAMA-Deep supports community extension modules. Drop a Python file in ~/.gama/modules/:
class MyModule:
name = "my-module"
version = "1.0.0"
input_spec = ["static/uri_scan.json"]
def analyse(self, workspace_path: Path) -> list:
# Return list of finding dicts
return []GAMA-Intel loads all modules automatically at analysis time. No configuration required.
Ideas for community modules:
- Exodus Privacy tracker database lookup
- VirusTotal APK hash lookup
- GDPR consent string validator
- Privacy policy NLP analyser
- CVE/NVD dependency checker
- GAMA Framework v1.0 — 7-phase methodology CLI
- GAMA-Intel v1.0 — automated static analysis pipeline
- GAMA-Deep v0.1 — ML anomaly scoring (Rust, CPU-only)
- CENT-2026-001 — first confirmed community finding
- GAMA-Community v0.1 — public knowledge base on GitHub
- GAMA-Deep v0.2 — full backpropagation training
- Frida script library for all GAMA techniques
- Network analysis integration (Zeek + post-termination detection)
CenturiaLabs / ClickSafe UAE audit.centurialabs.pl github.com/psychomad
MIT — see LICENSE