AI Summary
Dynamic analysis of Android malware is severely hindered by anti-runtime analysis (ARA) techniques, yet the resilience of existing tools against diverse ARA methods remains poorly understood and systematically unassessed.
Method: We conduct a comprehensive evaluation of nine mainstream Android dynamic analysis tools against twelve representative ARA techniques, constructing the first standardized ARA benchmark. Our methodology includes a real-malware-driven ARA triggering environment, automated instrumentation, behavioral log comparison, and sandbox-escape detection. We further propose a taxonomy for root-cause attribution of tool failures, identifying four recurrent bypass patterns.
Contribution/Results: All evaluated tools fail against at least 67% of the ARA techniques. Our work establishes an empirically grounded, reproducible evaluation framework that exposes critical design gaps in current dynamic analyzers. It provides actionable insights for developing robust, ARA-resilient analysis tools and significantly advances the reliability of mobile security analysis.
Abstract
As the dominant mobile operating system, Android continues to attract a substantial influx of new applications each year. However, this growth is accompanied by increased attention from malicious actors, resulting in a significant rise in security threats to the Android ecosystem. Among these threats, the adoption of Anti-Runtime Analysis (ARA) techniques by malicious applications poses a serious challenge, as it hinders security professionals from effectively analyzing malicious behaviors using dynamic analysis tools. ARA techniques are designed to prevent the dynamic examination of applications, thus complicating efforts to ensure platform security. This paper presents a comprehensive empirical study that assesses the ability of widely used Android dynamic analysis tools to bypass various ARA techniques. Our findings reveal a critical gap in the effectiveness of existing dynamic analysis tools at countering ARA mechanisms, highlighting an urgent need for more robust solutions. This work provides valuable insights into the limitations of existing tools and highlights the need for improved methods to counteract ARA techniques, thus advancing the field of software security and dynamic analysis.