🤖 AI Summary
This study addresses the growing use of advanced obfuscation techniques by Android malware to evade static analysis and signature-based detection, with a focus on WebAssembly (Wasm) as an underexplored concealment vector. We systematically investigate the mechanisms by which Wasm is embedded and executed within Android applications, construct a threat model, and develop proof-of-concept (PoC) samples that empirically demonstrate Wasm’s potential for concealing malicious payloads. Through integrated static and dynamic analysis complemented by reverse engineering, we dissect Wasm’s integration pathways and runtime behaviors. Our PoCs successfully bypass detection by mainstream security tools—including VirusTotal and MobSF—by evading indicator-of-compromise (IoC) recognition in real-world environments, thereby validating Wasm as a viable and concerning new evasion paradigm.
📝 Abstract
In recent years, stealthy Android malware has increasingly adopted sophisticated techniques to bypass automatic detection mechanisms and hinder manual analysis. Adversaries typically rely on obfuscation, anti-repacking, steganography, poisoning, evasion techniques against AI-based tools, and in-memory execution to conceal malicious functionality. In this paper, we investigate WebAssembly (Wasm) as a novel technique for hiding malicious payloads and evading traditional static analysis and signature-matching mechanisms. While Wasm is typically employed to render specific gaming activities and to interact with native components in web browsers, we provide an in-depth analysis of the mechanisms Android may employ to include Wasm modules in its execution pipeline. Additionally, we provide Proofs-of-Concept to demonstrate a threat model in which an attacker embeds and executes malicious routines, effectively bypassing IoC detection by industrial state-of-the-art tools such as VirusTotal and MobSF.
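A defender-side check that the abstract motivates, as an added example that is not part of the paper or its PoCs: a static scanner that opens an APK as a ZIP archive and flags any entry containing a Wasm module header, wherever it sits in the file, so that a module hidden behind a misleading extension or appended to another asset is still surfaced. The sample APK and its file names are constructed here for illustration, not taken from the paper.

```python
import io
import zipfile

# Every Wasm binary starts with the magic bytes "\0asm" followed by a
# 4-byte little-endian version field (1 for the current binary format).
WASM_MAGIC = b"\x00asm"
WASM_VERSION_1 = b"\x01\x00\x00\x00"


def find_wasm_offsets(data: bytes) -> list[int]:
    """Return every byte offset at which a Wasm module header appears.

    Scanning the whole blob, not just offset 0, catches modules that are
    embedded inside or appended to another file (image, JSON, .dex) and
    would be missed by an extension or MIME-type check.
    """
    offsets = []
    pos = data.find(WASM_MAGIC)
    while pos != -1:
        if data[pos + 4:pos + 8] == WASM_VERSION_1:
            offsets.append(pos)
        pos = data.find(WASM_MAGIC, pos + 1)
    return offsets


def scan_apk(apk_bytes: bytes) -> dict[str, list[int]]:
    """Map each APK entry name to the offsets of Wasm headers found in it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            offsets = find_wasm_offsets(apk.read(info.filename))
            if offsets:
                hits[info.filename] = offsets
    return hits


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (hypothetical, not a real app):
    a minimal Wasm module appended to a fake PNG, plus one benign asset."""
    wasm_module = WASM_MAGIC + WASM_VERSION_1  # smallest valid module: no sections
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16 + wasm_module)
        apk.writestr("assets/strings.json", b'{"hello": "world"}')
    return buf.getvalue()


if __name__ == "__main__":
    for name, offsets in scan_apk(build_sample_apk()).items():
        print(f"{name}: Wasm header at offset(s) {offsets}")
```

The scan only proves that a Wasm module is present, not that it is malicious; a hit is a cue to extract the module and analyse its imports and exports further.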