Efficient detection of vulnerabilities in Trusted Applications (TAs) running on Qualcomm’s Trusted Execution Environment (TEE) remains challenging due to the lack of lightweight, scalable analysis tools. Method: This paper proposes a lightweight partial emulation approach: it reverse-engineers TA behavior to construct a reusable, TA-specific emulation environment and integrates it with a fuzzing framework for automated vulnerability discovery. Unlike full-system emulation, our method avoids modeling the entire TEE stack, significantly reducing overhead and deployment complexity. Contribution/Results: We present the first open-source, Qualcomm-specific TA emulator. Experimental evaluation on real devices successfully uncovered multiple previously unknown security vulnerabilities in production TAs. The approach markedly improves the feasibility and efficiency of hardware-assisted security analysis, providing both a reusable methodology and practical tooling for TEE security research.

In recent years, the increasing awareness of cybersecurity has led to a heightened focus on information security within hardware devices and products. Incorporating Trusted Execution Environments (TEEs) into product designs has become a standard practice for safeguarding sensitive user information. However, vulnerabilities within these components present significant risks, if exploited by attackers, these vulnerabilities could lead to the leakage of sensitive data, thereby compromising user privacy and security. This research centers on trusted applications (TAs) within the Qualcomm TEE and introduces a novel emulator specifically designed for these applications. Through reverse engineering techniques, we thoroughly analyze Qualcomm TAs and develop a partial emulation environment that accurately emulates their behavior. Additionally, we integrate fuzzing testing techniques into the emulator to systematically uncover potential vulnerabilities within Qualcomm TAs, demonstrating its practical effectiveness in identifying real-world security flaws. This research makes a significant contribution by being the first to provide both the implementation methods and source codes for a Qualcomm TAs emulator, offering a valuable reference for future research efforts. Unlike previous approaches that relied on complex and resource-intensive full-system simulations, our approach is lightweight and effective, making security testing of TA more convenient.