Argus: Detecting Access Control Vulnerabilities in Android Framework using Large Language Models

dc.contributor.author: Faheem, Haseeb Ur Rehman
dc.date.accessioned: 2025-08-25T13:40:18Z
dc.date.available: 2025-08-25T13:40:18Z
dc.date.issued: 2025-08-25
dc.date.submitted: 2025-08-18
dc.description.abstract: Access control (AC) inconsistencies in Android’s framework APIs are a persistent security challenge, especially in customized ROMs. While convergence-based and probabilistic tools have made progress in detecting these inconsistencies, they suffer from either high false positive rates or limited coverage due to reliance on domain knowledge and manually defined inference rules. Large Language Models (LLMs) offer promise but tend to overprotect APIs when operating without sufficient Android-specific context. In this work, we present Argus, a novel hybrid LLM-driven pipeline that combines static code analysis, code embeddings, and context-aware prompting to improve AC recommendations for Android APIs. Argus begins by extracting path-sensitive summarized program paths from decompiled ROMs and uses rule-based prompting to guide LLMs in identifying focal functionality (i.e., security-relevant sinks). These sinks, along with their known AC, are embedded and stored in a code embedding. Given a target API, Argus’s retrieval system queries this database to identify similar functionalities with known AC levels. These aligned examples are then incorporated into a second, detailed prompt that instructs the LLM to consider relevance, sensitivity rankings, and Android-specific context, enabling precise, context-aware AC recommendations. We evaluate Argus on five custom ROMs and demonstrate its effectiveness in uncovering previously undocumented AC vulnerabilities. Among these are unauthorized camera parameter modification and spoofing of system crash reports (Vivo Y33s), exposure of SIM lock state (Vivo Y33s), unprotected refresh rate customization and retrieval of all package names (OnePlus 12), and unrestricted access to Wi-Fi hotspot management APIs, such as setting client blocklists (Infinix Smart 8). Several findings have been acknowledged by vendors, highlighting Argus’s practical impact.
dc.identifier.uri: https://hdl.handle.net/10012/22243
dc.language.iso: en
dc.pending: false
dc.publisher: University of Waterloo (en)
dc.title: Argus: Detecting Access Control Vulnerabilities in Android Framework using Large Language Models
dc.type: Master Thesis
uws-etd.degree: Master of Mathematics
uws-etd.degree.department: David R. Cheriton School of Computer Science
uws-etd.degree.discipline: Computer Science
uws-etd.degree.grantor: University of Waterloo (en)
uws-etd.embargo.terms: 1 year
uws.contributor.advisor: Aafer, Yousra
uws.contributor.affiliation1: Faculty of Mathematics
uws.peerReviewStatus: Unreviewed (en)
uws.published.city: Waterloo (en)
uws.published.country: Canada (en)
uws.published.province: Ontario (en)
uws.scholarLevel: Graduate (en)
uws.typeOfResource: Text (en)

Files

Original bundle

Name: Faheem_Haseeb-Ur-Rehman.pdf
Size: 523.63 KB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 6.4 KB
Format: Item-specific license agreed upon to submission