🤖 AI Summary
Dynamic analysis of Android applications at the application layer has long been constrained by its reliance on physical devices, which brings poor scalability and limited reproducibility. This work proposes a systematic rehosting approach that migrates Android framework components and preinstalled vendor binaries from real-world firmware into a fully emulated environment. By employing tailored extraction and injection strategies, these components are seamlessly integrated into the AOSP build system to produce bootable emulator images that preserve system integrity and runtime compatibility. The method enables, for the first time, large-scale rehosting of vendor-customized Android firmware in QEMU across multiple SDK versions (31–33). Evaluation on 184 firmware samples demonstrates high success rates in both image construction and booting, with only a few failures attributable to missing dependencies or emulator limitations, thereby validating the feasibility and effectiveness of this approach for scalable and reproducible dynamic analysis.
📝 Abstract
Dynamic analysis of Android's application layer typically relies on physical devices, limiting scalability and reproducibility. To compensate, we introduce a systematic re-hosting method that relocates the Android framework and pre-installed software from real device firmware into a fully emulated environment. Our approach integrates vendor-specific components into the Android Open Source Project (AOSP) build system using tailored extraction and injection strategies, producing vendor-flavoured emulator images that preserve system integrity and runtime compatibility. This enables dynamic execution of real-world framework and application-layer components, including proprietary binaries and pre-installed apps, across multiple SDK versions. We evaluate our method on 184 firmware samples from SDK 31-33. It achieves high build and boot success rates, with residual failures primarily occurring during core-service initialization due to baseline strategy limitations, missing dependencies, device-protection checks, or emulator constraints. However, the modular design allows injection strategies to be extended for specific firmware, supporting broader compatibility and future research on automated, adaptive re-hosting. Though we identified potential for optimization through engineering vendor-specific solutions, our research demonstrates the feasibility of vendor-flavoured emulators for scalable, reproducible dynamic analysis.