This study addresses semantic discrepancies between parallel Java and Kotlin implementations in the Android framework, which can introduce security vulnerabilities. It presents ParaDroid, the first systematic analysis framework for detecting cross-language semantic differences at scale. ParaDroid integrates a bytecode-level intermediate representation, class-to-source mapping reconstruction, large language model–driven semantic reasoning, and comparative static and dynamic behavior analysis. Applied to 329 pairs of parallel methods in AOSP Android versions 14 through 16, the approach identified 37 instances of fragile semantic divergence, leading to the confirmation of three security vulnerabilities—two of which have been assigned CVE identifiers—and two functional defects.

Android has adopted Kotlin alongside Java across apps and core system components. During this shift, we observe parallel implementations in the Android Open Source Project (AOSP) where the same component is implemented in both Java and Kotlin. In principle, their functional purposes are identical. In practice, subtle semantic divergences can appear. Such divergences are not vulnerabilities by themselves, but they provide useful clues that may reveal flaws in surrounding enforcement logic. To the best of our knowledge, this paper presents the first systematic study of Java-Kotlin parallel implementations in the Android framework and examines their security implications. We design and build ParaDroid, an analysis framework that identifies parallel methods at scale and compares their behaviors. ParaDroid normalizes code into a bytecode-level intermediate representation, reconstructs class-to-source mappings, and uses large language models to reason about method semantics and identify behavioral divergences. Evaluated on AOSP Android 14-16, ParaDroid identified 329 parallel method pairs and 37 vulnerable divergences. We responsibly disclosed the exploitable issues to the Android Security Team. Three vulnerabilities and two bugs have been confirmed, and two CVE IDs have been assigned. Our results demonstrate that parallel Java-Kotlin code paths provide a practical surface for discovering security flaws in modern Android.