Abstract

With the widespread usage of Android smartphones in our daily lives, the Android platform has become an attractive target for malware authors. There is an urgent need for an automatic malware detection approach to prevent the spread of malware. The low code coverage and poor efficiency of dynamic analysis limit the large-scale deployment of malware detection methods based on dynamic features. Therefore, researchers have proposed a plethora of detection approaches based on abundant static features to provide efficient malware detection. This paper explores the direction of Android malware detection based on graph representation learning. Without complex feature graph construction, we propose a new Android malware detection approach based on lightweight static analysis via the graph neural network (GNN). Instead of directly extracting Application Programming Interface (API) call information, we further analyze the source code of Android applications to extract high-level semantic information, which raises the barrier to evading detection. Specifically, we construct approximate call graphs from the function invocation relationships within an Android application to represent that application, and further extract intrafunction attributes, including required permission, security level, and the semantic information of Smali instructions via Word2Vec, to form the node attributes within the graph structure. Then, we use the graph neural network to generate a vector representation of the application, and malware detection is performed in this representation space. We conduct experiments on real-world application samples. The experimental results demonstrate that our approach achieves highly effective malware detection and outperforms state-of-the-art detection approaches.

Highlights

  • Android smartphones have been widely used in our daily lives. They can be used to perform daily tasks such as instant messaging, online shopping, entertainment, and even financial business. The popularity and openness of the Android platform have brought about opportunities for Android application developers and attracted a large number of malware authors

  • Most attackers prefer to bypass the security verification mechanism provided by the application market for publishing malware that is camouflaged as a “legitimate” application. Thus, there is an urgent need for an automatic market-scale malware detection approach to prevent the spread of malware

  • Given that precise call graph construction and complex semantic information extraction are time-consuming, a detection approach based on precise call graphs is not suitable for real-world large-scale Android malware detection. Therefore, we develop a lightweight program analysis algorithm based on Apktool [10] to construct approximate call graphs. The workflow of the algorithm is shown in the following steps: (a) decompiling the application into Smali files; (b) scanning each Smali file to extract all defined functions and constructing a node for each function; (c) traversing each call statement (e.g., “invoke-*”) within each Smali file to identify all call relationships and building an edge between the caller and callee nodes according to these call relationships
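The three steps above, carried out over Smali text, as an added example. This is not the paper's code or Apktool's: it assumes Apktool has already produced the Smali files (the `load_smali_dir` helper and the `smali*/` layout it walks are assumptions), and the embedded Smali excerpt is constructed for the example rather than taken from any real application. The graph is deliberately approximate in the way the highlight describes: edges are matched purely on the textual callee signature, so a call that resolves through a superclass or interface at runtime is not linked to the overriding method. Callees that are not defined in the app are kept aside as per-node API attributes, which is the kind of intrafunction information the abstract later attaches to nodes.

```python
"""Approximate call graph from Apktool-decompiled Smali (added example, not the paper's code)."""
import os
import re
from collections import defaultdict
from dataclasses import dataclass, field

# .class public final Lcom/a/B;          -> captures the class descriptor
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;]+;)\s*$")
# .method public static send(Ljava/lang/String;)V  -> captures name+descriptor
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*(\S+)\s*$")
END_METHOD_RE = re.compile(r"^\.end method\s*$")
# invoke-direct {p0}, Lcom/a/B;->m(I)V  or  invoke-virtual/range {v0 .. v2}, ...
INVOKE_RE = re.compile(r"^\s*invoke-([\w/-]+)\s+\{[^}]*\},\s*(L[^;]+;->\S+)\s*$")


@dataclass
class CallGraph:
    nodes: set = field(default_factory=set)      # functions defined in the app (step b)
    edges: set = field(default_factory=set)      # (caller, callee) pairs, both in nodes (step c)
    external: set = field(default_factory=set)   # callees not defined in the app (framework/library)
    api_calls: dict = field(default_factory=lambda: defaultdict(set))  # node -> external callees


def parse_smali(text):
    """Yield (method_id, [callee_ids]) for every method defined in one Smali file."""
    cls, current, callees = None, None, []
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        m = METHOD_RE.match(line)
        if m and cls:
            current, callees = f"{cls}->{m.group(1)}", []
            continue
        if current and END_METHOD_RE.match(line):
            yield current, callees
            current = None
            continue
        m = INVOKE_RE.match(line)
        if m and current:
            callees.append(m.group(2))  # group(1) is the invoke kind (direct, virtual, ...)


def build_call_graph(files):
    """files: {path: smali_text}. Two passes so forward references resolve to app nodes."""
    g, pending = CallGraph(), []
    for text in files.values():
        for method, callees in parse_smali(text):
            g.nodes.add(method)
            pending.extend((method, c) for c in callees)
    for caller, callee in pending:
        if callee in g.nodes:
            g.edges.add((caller, callee))
        else:  # approximate: unresolved signature treated as an external API
            g.external.add(callee)
            g.api_calls[caller].add(callee)
    return g


def to_edge_index(g):
    """Number the nodes and return (index, edge list) in the form a GNN library consumes."""
    index = {n: i for i, n in enumerate(sorted(g.nodes))}
    return index, sorted((index[a], index[b]) for a, b in g.edges)


def load_smali_dir(root):
    """Assumed Apktool layout: read every *.smali under root (smali/, smali_classes2/, ...)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".smali"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return files


# Constructed Smali excerpt for the example; not taken from any real application.
SMALI_FILES = {
    "MainActivity.smali": """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-direct {p0}, Lcom/example/app/MainActivity;->collect()V
    return-void
.end method

.method private collect()V
    .locals 2
    invoke-static {v0}, Lcom/example/app/Net;->send(Ljava/lang/String;)V
    invoke-virtual {p0, v1}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    return-void
.end method
""",
    "Net.smali": """\
.class public Lcom/example/app/Net;
.super Ljava/lang/Object;

.method public static send(Ljava/lang/String;)V
    .locals 1
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    return-void
.end method
""",
}

if __name__ == "__main__":
    graph = build_call_graph(SMALI_FILES)
    for caller, callee in sorted(graph.edges):
        print(f"{caller}  ->  {callee}")
    print("external API callees:", len(graph.external))
```

On the constructed input this yields three nodes and two intra-app edges (`onCreate` to `collect`, `collect` to `Net.send`), while the three framework calls (`Activity.onCreate`, `Context.getSystemService`, `URL.openConnection`) end up as per-node API attributes rather than graph nodes. On a real decompiled app, replace `SMALI_FILES` with `load_smali_dir("path/to/apktool-output")`.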


Summary

Introduction

Android smartphones have been widely used in our daily lives. They can be used to perform daily tasks such as instant messaging, online shopping, entertainment, and even financial business. The popularity and openness of the Android platform have brought about opportunities for Android application developers and attracted a large number of malware authors. Their products mainly use the signature-based method, which first generates unique signatures for specific types of malware within a large dataset and matches the generated signatures against suspicious applications to identify potential threats. This detection method can be evaded by a variety of code transformation techniques. Each application is a zipped file with the extension .apk that includes the source code file, resources, assets, and the Android configuration file (AndroidManifest.xml). It consists of four types of essential components: activity, service, content provider, and broadcast receiver. All components must be registered and declared in the Android configuration file of an application. The intent is a lightweight message delivery mechanism, which can perform intercomponent communication within an application and between different applications
