I'm Yanick Fratantonio, an Assistant Professor in the S3 group at EURECOM. My research focus is mobile systems security and privacy. I work to make users safer by detecting and preventing malware and flaws in apps and mobile operating systems before attackers have a chance to exploit them. Recent projects I was involved with include Cloak & Dagger (Android UI attacks), phishing attacks on password managers, ultrasound cross-device tracking, and Drammer. I received my PhD from UC Santa Barbara. I am also a Shellphish hacker, NOPS academic advisor, and part of OOO, the current DEF CON CTF organizers. I am a 100% premium-quality Italian.

Contact Information

yanick (at) fratantonio (dot) me
PDF (please email me for full version)
Google Scholar
Public profile
Public Key
PGP key
Social Links


My research field is systems security and privacy. With a main focus on mobile devices, I work on new techniques to uncover and tackle new classes of vulnerabilites and malware. My research has highlighted flaws in many aspects of mobile devices, including bootloaders, hardware memory modules, cryptography, dynamic code loading, authentication, fingerprint API, and more recently on mobile Graphical User Interfaces. I also worked on the detection of malicious logic bombs, native code components, and privacy aspects, such as data leaks and emerging ultrasound-based cross-device tracking mechanisms. I'm also interested in other low-level aspects of system security, such as binary analysis.


I have recently created a new class on Mobile Security (MOBISEC), first taught in Fall 2018 at EURECOM. This was designed to be an hands-on course, and it covers topics such as the mobile ecosystem, the design and architecture of mobile operating systems, application analysis, reverse engineering, malware detection, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques. All the material/slides are available at mobisec.reyammer.io, and all the wargame-like challenges are available at challs.reyammer.io.


I am a big fan of Capture The Flag (CTF) competitions and wargames — that is how I and many friends got into security. I recently joined the OOO team, the current DEF CON CTF organizers. I am also a core member of the Shellphish hacking team with which I played many competitions and organized many editions of the UCSB iCTF. I'm now also involved with the NOPS team, the EURECOM's hacking team, with which we organize weekly hackmeetings. I also like to write hacking tools (few years back I wrote ShellNoob, a shellcode writing toolkit, now part of Kali Linux). If you live in the area, you like hacking, and you may be interested in joining the team, get in touch!

Recent News

  • July 2019, I have released all the challenges of my Mobile Security (MOBISEC) class: challs.reyammer.io
  • March 2019, I have released all the slides (~800!) of my Mobile Security (MOBISEC) class: mobisec.reyammer.io
  • July 2018, Two papers on new Android UI attacks and defenses accepted at CCS'18!
  • May 2018, I gave an invited talk at Google on the future of Android security.
  • May 2018, With the OOO team, we have hosted DEF CON CTF Quals 2018.
  • Jan. 2018, I will serve on a number of program committees, including ICDCS, DIMVA, USENIX's WOOT, ESSoS, EuroSec, and MALIoT.
  • Oct. 2017, Our paper on the (mis)use of the fingerprint Android API has been accepted to NDSS'18.
  • Sept. 2017, I joined EURECOM as Assistant Professor!
  • Aug. 2017, Our paper on account hijack vulnerabilities in mobile apps was accepted at ACSAC'17.
  • July 2017, I will serve on the program committee for the IEEE International Conference on Distributed Computing Systems (ICDCS 2018) security track.
  • May 2017, Cloak & Dagger hits the news!
  • May 2017, Cloak & Dagger wins Distinguished Practical Paper Award at IEEE S&P!
  • May 2017, Our Cloak & Dagger work goes public at cloak-and-dagger.org
  • May 2017, Our paper on the security of mobile bootloaders got accepted at USENIX Security!
  • Apr. 2017, Our Cloak & Dagger work on Android UI attacks was accepted at BH USA 2017!
  • Mar. 2017, I am extremely happy to announce that, starting from September 2017, I will join EURECOM as an Assistant Professor!
  • Feb. 2017, My paper "Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop" got accepted at IEEE S&P 2017!
  • Oct. 2016, Our paper on the privacy and security of the ultrasound ecosystem got accepted at PETS'17!
  • Oct. 2016, Our works on Drammer and Ultrasound tracking are in the news!
  • Oct. 2016, Our paper on a new technique to perform privacy leak detection got accepted at NDSS'17!
See all news here.

Professional Highlights and Awards

  • I joined EURECOM as Assistant Professor.
  • I earned my PhD from UC Santa Barbara.
  • Our work "Cloak & Dagger" on Android UI attacks won the Distinguished Practical Paper Award at IEEE S&P 2017.
  • Our work "Drammer" on rowhammer attacks on mobile devices won the Pwnie Award for Best Privilege Escalation Bug 2017 and the CSAW Applied Research Best Paper Award 2017.
  • I have received the "2015 Outstanding Student Award" from the Computer Science deptartment at UC Santa Barbara.'
  • My work has appeared in many major security (IEEE S&P, USENIX Security, ACM CCS, NDSS, PETS, Black Hat) and software engineering (ICSE, FSE) venues.
  • My research has been covered by many international press venues, such as SlashDot, WIRED, Ars Technica, etc. See press coverage.
  • I am part of Shellphish, NOPS, and OOO, the current DEF CON CTF organizers.

© 2019 Yanick Fratantonio