Abstract

As smartphone adoption grows rapidly, the smartphone threat landscape is widening as well. Android is a popular smartphone Operating System (OS) that has been subject to many malware attacks in recent years, compromising the privacy and security of its users. Although many approaches have been developed to detect Android malware, few use graphs extracted from the Android Package (APK) directly as input to the deep learning model, owing to the lack of suitable architectures. Graph Convolutional Networks (GCNs) are becoming a popular architecture in the deep learning community because they can take a graph directly as input. However, their applicability to Android malware detection is less explored. To bridge this gap, this work proposes an Android malware detection model using GCNs based on the Function Call Graph (FCG). An FCG captures the caller-callee relationships between the methods inside an APK as a directed graph. Every node in the FCG is assigned a feature vector that represents its characteristics. To evaluate the performance of the proposed model, a set of experiments is conducted by varying the GCN algorithms, the node features and the number of GCN layers in the model. A recent Android malware dataset is used to conduct the experiments. As GCNs consider the node count of the FCG, the dataset is balanced using a new technique that makes the node count distributions of benign and malware APKs similar. As a result of these experiments, a maximum accuracy of 92.29% with an F1-score of 0.9223 is obtained, suggesting that GCNs have the potential to detect Android malware.
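The pipeline described above, as an added illustration that is not the paper's code: a function call graph built from caller-callee pairs, a feature vector per node, and one graph-convolution step pooled into a single APK-level vector. The method names, the in/out-degree features, the symmetric Kipf-Welling normalization and the weight matrix passed in are all assumptions, since the abstract does not specify them.

```python
# Constructed caller -> callee pairs standing in for an FCG extracted from an APK.
EDGES = [
    ("MainActivity.onCreate", "Utils.readConfig"),
    ("MainActivity.onCreate", "Net.send"),
    ("Utils.readConfig", "Crypto.decrypt"),
    ("Net.send", "Crypto.decrypt"),
]

def build_fcg(edges):
    # Directed adjacency matrix: adj[caller][callee] = 1.
    nodes = sorted({name for edge in edges for name in edge})
    idx = {name: i for i, name in enumerate(nodes)}
    adj = [[0.0] * len(nodes) for _ in nodes]
    for caller, callee in edges:
        adj[idx[caller]][idx[callee]] = 1.0
    return nodes, adj

def degree_features(adj):
    # Assumed node features: [in-degree, out-degree] of each method.
    n = len(adj)
    return [[sum(adj[j][i] for j in range(n)), sum(adj[i])] for i in range(n)]

def normalize(adj):
    # Assumed normalization: D^-1/2 (A_sym + I) D^-1/2, edges made undirected.
    n = len(adj)
    a = [[1.0 if i == j or adj[i][j] or adj[j][i] else 0.0
          for j in range(n)] for i in range(n)]
    d = [sum(row) ** -0.5 for row in a]  # self-loops keep every degree >= 1
    return [[d[i] * a[i][j] * d[j] for j in range(n)] for i in range(n)]

def gcn_layer(a_hat, h, w):
    # One graph convolution: ReLU(A_hat @ H @ W).
    n = len(h)
    agg = [[sum(a_hat[i][k] * h[k][f] for k in range(n))
            for f in range(len(h[0]))] for i in range(n)]
    return [[max(0.0, sum(row[f] * w[f][o] for f in range(len(w))))
             for o in range(len(w[0]))] for row in agg]

def embed_apk(edges, w):
    # Mean-pool node embeddings into one vector a classifier head would consume.
    nodes, adj = build_fcg(edges)
    h = gcn_layer(normalize(adj), degree_features(adj), w)
    return nodes, [sum(col) / len(h) for col in zip(*h)]

if __name__ == "__main__":
    # Identity weights are a placeholder for weights a trained model would learn.
    print(embed_apk(EDGES, [[1.0, 0.0], [0.0, 1.0]]))
```

Because pooling runs over every node, the number of methods in an APK shapes the resulting vector, which is why the node count distributions of the two classes matter when balancing the dataset.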
