Android Malware Detection Method Based on Static Feature Combination in Graph Neural Networks

doi:10.19678/j.issn.1000-3428.0070073

Abstract

Abstract:

Android is currently the most widely used operating system for mobile smart terminals; however, the constant emergence of Android malware poses a significant threat to users. Some methods process the features extracted from static analysis to detect Android malware. These methods can reflect some attributes of the software but cannot capture the characteristics of the potential intentions behind malicious behavior; therefore, achieving good detection performance when facing Android malware with evasion capabilities is a challenge. To address this issue, this study proposes an Android malware detection method based on static feature combination in Graph Neural Network (GNN). The function call graph is extracted from the decompiled file. node2vec is used to construct the local structural features of each node, the functions of each node are analyzed, opcodes are extracted and classified, the Katz algorithm is used to calculate node importance, and the importance coefficient of each Application Program Interface (API) node in the graph is calculated for the Android malware and its malicious family according to the TF-IDF algorithm. These features are combined into node features, and feature self-looping is performed on important nodes to enhance the feature differences between nodes. On this basis, a classifier, DAg_MAL, based on a Directed GNN (DGCN) and Graph Attention Network (GAT) is designed. The classifier adopts a gPool layer, which can effectively capture the key call relationships in software behavior and exclude unimportant nodes. Experimental results show that the proposed method achieves good performance in both binary and multi-classification tasks, outperforming other similar methods.

Key words: Android, malware detection, static analysis, Graph Neural Network (GNN), feature embedding, digraph

摘要：

安卓(Android)是目前移动智能终端使用最广泛的操作系统, 但层出不穷的Android恶意软件给用户带来重大威胁。一些方法对静态分析提取的特征进行处理, 以实现Android恶意软件检测, 这些方法能够反映软件的一部分属性, 但无法捕捉软件潜在恶意行为意图的特征, 使得在面对具备逃避能力的Android恶意软件时难以取得良好的检测性能。为解决该问题, 提出一种基于静态特征组合的图神经网络Android恶意软件检测方法。从反编译文件中提取函数调用图, 采用node2vec构建每个节点的局部结构特征, 同时分析每个节点函数, 提取操作码并进行分类, 使用Katz算法计算节点重要程度, 并根据TF-IDF算法计算图中每个应用程序接口(API)节点对于该Android恶意软件以及所属恶意家族的重要系数, 将这些特征相结合作为节点特征, 对重要节点进行特征自环, 以增强节点间的特征差异。在此基础上, 设计基于有向图神经网络(DGCN)与图注意力网络(GAT)的分类器DAg_MAL, 该分类器采用gPool层, 能有效捕获软件行为的关键调用关系, 并筛除不重要的节点。实验结果表明, 该方法在二分类与多分类任务中都取得了良好的性能表现, 总体检测性能优于其他同类方法。

关键词: 安卓, 恶意软件检测, 静态分析, 图神经网络, 特征嵌入, 有向图

WEI Haodong, WAN Liang. Android Malware Detection Method Based on Static Feature Combination in Graph Neural Networks[J]. Computer Engineering, 2026, 52(3): 190-200.

韦昊东, 万良. 基于静态特征组合的图神经网络Android恶意软件检测方法[J]. 计算机工程, 2026, 52(3): 190-200.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0070073

https://www.ecice06.com/EN/Y2026/V52/I3/190

Figures/Tables 20

Fig.1 Android malware detection method framework

Fig.2 Example of BFS and DFS walk

Fig.3 Example of permission invocation

Fig.4 Example of directed graph

Fig.5 Structure of DGCN

Fig.6 DAg_MAL model structure

Fig.7 GCN-2L multi-classification confusion matrix

Fig.8 GCN-2L+GAT-1L multi-classification confusion matrix

Fig.9 DAg_MAL multi-classification confusion matrix

References 26

1	360互联网安全中心. 2023年上半年度中国手机安全状况报告[EB/OL]. [2024-05-05]. https://pop.shouji.360.cn/safe_report/Mobile-Security-Report-202306.pdf.
	360 Internet Security Center. China mobile phone security status report in the first half of 2023[EB/OL]. [2024-05-05]. https://pop.shouji.360.cn/safe_report/Mobile-Security-Report-202306.pdf. (in Chinese)
2	OR-MEIR O , NISSIM N , ELOVICI Y , et al. Dynamic malware analysis in the modern era—a state of the art survey. ACM Computing Surveys, 2020, 52(5): 1- 48.
3	LEI T , QIN Z , WANG Z B , et al. EveDroid: event-aware Android malware detection against model degrading for IoT devices. IEEE Internet of Things Journal, 2019, 6(4): 6668- 6680. doi: 10.1109/JIOT.2019.2909745
4	KIM T , KANG B , RHO M , et al. A multimodal deep learning method for Android malware detection using various features. IEEE Transactions on Information Forensics and Security, 2019, 14(3): 773- 788. doi: 10.1109/TIFS.2018.2866319
5	TAM K , FEIZOLLAH A , ANUAR N B , et al. The evolution of Android malware and Android analysis techniques. ACM Computing Surveys, 2017, 49(4): 1- 41.
6	ODUSAMI M, ABAYOMI-ALLI O, MISRA S, et al. Android malware detection: a survey[EB/OL]. [2024-05-05]. https://www.researchgate.net/publication/328495819_Android_Malware_Detection_A_Survey.
7	ENCK W, ONGTANG M, MCDANIEL P. On lightweight mobile phone application certification[C]//Proceedings of the 16th ACM Conference on Computer and Communications Security. New York, USA: ACM Press, 2009: 235-245.
8	SARMA B P, LI N H, GATES C, et al. Android permissions: a perspective combining risks and benefits[C]//Proceedings of the 17th ACM Symposium on Access Control Models and Technologies. New York, USA: ACM Press, 2012: 13-22.
9	JEROME Q, ALLIX K, STATE R, et al. Using opcode-sequences to detect malicious Android applications[C]//Proceedings of the IEEE International Conference on Communications (ICC). Washington D.C., USA: IEEE Press, 2014: 914-919.
10	CANFORA G, DE LORENZO A, MEDVET E, et al. Effectiveness of opcode ngrams for detection of multi family Android malware[C]//Proceedings of the 10th International Conference on Availability, Reliability and Security. Washington D.C., USA: IEEE Press, 2015: 333-340.
11	YAN J P , QI Y , RAO Q F . LSTM-based hierarchical denoising network for Android malware detection. Security and Communication Networks, 2018, 2018(1): 5249190.
12	XIAO X S, YANG S. An image-inspired and CNN-based Android malware detection approach[C]//Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). Washington D.C., USA: IEEE Press, 2020: 1259-1261.
13	WU Y M, ZOU D Q, YANG W, et al. HomDroid: detecting Android covert malware by social-network homophily analysis[C]//Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York, USA: ACM Press, 2021: 216-229.
14	XU J Y , LI Y J , DENG R H , et al. SDAC: a slow-aging solution for Android malware detection using semantic distance based API clustering. IEEE Transactions on Dependable and Secure Computing, 2022, 19(2): 1149- 1163.
15	ACHARYA S , RAWAT U , BHATNAGAR R . A low computational cost method for mobile malware detection using transfer learning and familial classification using topic modelling. Applied Computational Intelligence and Soft Computing, 2022, 2022(1): 4119500.
16	NASSER A R , HASAN A M , HUMAIDI A J . DL-AMDet: deep learning-based malware detector for Android. Intelligent Systems with Applications, 2024, 21, 200318. doi: 10.1016/j.iswa.2023.200318
17	张雪芹, 王逸璇, 赵敏. 基于深度学习的Android恶意软件动态检测. 计算机工程与设计, 2024, 45(1): 10- 16.
	ZHANG X Q , WANG Y X , ZHAO M . Android malware dynamic detection method based on deep learning. Computer Engineering and Design, 2024, 45(1): 10- 16.
18	ARP D, SPREITZENBARTH M, HVBNER M, et al. Drebin: effective and explainable detection of Android malware in your pocket[C]//Proceedings of 2014 Network and Distributed System Security Symposium. New York, USA: ACM Press, 2014: 23-26.
19	褚堃, 万良, 马丹, 等. 深度可分离卷积在Android恶意软件分类的应用研究. 计算机应用研究, 2022, 39(5): 1534- 1540.
	CHU K , WAN L , MA D , et al. Research on application of depthwise separable convolution in Android malware classification. Application Research of Computers, 2022, 39(5): 1534- 1540.
20	FAN M , LIU J , LUO X P , et al. Android malware familial classification and representative sample selection via frequent subgraph analysis. IEEE Transactions on Information Forensics and Security, 2018, 13(8): 1890- 1905. doi: 10.1109/TIFS.2018.2806891
21	GROVER A, LESKOVEC J. node2vec: scalable feature learning for networks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1607.00653.
22	Dalvik opcodes[EB/OL]. [2024-05-05]. http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html.
23	Android developer. Improve code inspection with annotations[EB/OL]. [2024-05-05]. https://developer.android.com/studio/write/annotations.
24	HEI Y M , YANG R Y , PENG H , et al. Hawk: rapid Android malware detection through heterogeneous graph attention networks. IEEE Transactions on Neural Networks and Learning Systems, 2024, 35(4): 4703- 4717. doi: 10.1109/TNNLS.2021.3105617
25	CANGEA C, VELIČKOVIĆ P, JOVANOVIĆ N, et al. Towards sparse hierarchical graph classifiers[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1811.01287.
26	GAO H , CHENG S Y , ZHANG W M . GDroid: Android malware detection and classification with graph convolutional network. Computers & Security, 2021, 106, 102264.

[1]	ZHANG Zhi, YIN Yukai, SUN Yiling, MENG Wenjing, PENG Chang. Research on Android Malware Detection Model Based on Multi-modal Feature Fusion [J]. Computer Engineering, 2026, 52(3): 243-254.
[2]	GUO Tiansheng, XIE Jinkui. Adaptive Adjustment Graph Augmentation and Representation Structures for Recommendation Model [J]. Computer Engineering, 2026, 52(2): 69-78.
[3]	JIA Jianghao, ZHANG Ziwei, GAO Liting, WEN Juan, XUE Yiming. Text Steganalysis Method Based on Hierarchy-Aware Matching [J]. Computer Engineering, 2026, 52(2): 245-252.
[4]	RAN Tongyu, TANG Mengzi, XIE Qing, LIU Yongjian. Semi-Supervised Ordinal Classification Framework Based on Information Fusion [J]. Computer Engineering, 2026, 52(2): 287-298.
[5]	XUE Yang, QIN Yao, ZHANG Shuxiang. Collaborative Recommendation Based on Graph Neural Network Clustering Subgraphs Using Dual Graph Attention Network [J]. Computer Engineering, 2026, 52(2): 89-100.
[6]	LI Qiang, TAN Xingyi, ZHENG Wei, LIU Zhen, YANG Wenhai. Graph Neural Network Inference Optimization Based on Adversarial Training and Contrastive Representation Distillation [J]. Computer Engineering, 2026, 52(1): 126-135.
[7]	LI Zhiren, ZHENG Weiguo. Link Prediction Based on Simple Path Graphs [J]. Computer Engineering, 2026, 52(1): 95-104.
[8]	LI Jiasong, CUI Yunhe, SHEN Guowei, GUO Chun, CHEN Yi, JIANG Chaohui. HGNM: Long-Short Term Flow Graph and Hybrid Graph Neural Network-based Saturation Attack Detection Method [J]. Computer Engineering, 2025, 51(8): 215-226.
[9]	HAO Zhifeng, LI Yanglin, XU Boyan, CAI Ruichu. Hypergraph Neural Networks for Cross-domain Text-to-SQL [J]. Computer Engineering, 2025, 51(5): 114-123.
[10]	YAO Xun, WANG Haipeng, HU Xinrong, YANG Jie. Multi-view Contrastive Recommendation Algorithm Based on Adaptive Enhancement [J]. Computer Engineering, 2025, 51(5): 103-113.
[11]	LIU Wenjie, CHEN Liang, REN Zhijie. Few-shot Relation Reasoning Model Based on Graph Neural Network and Meta-Learning [J]. Computer Engineering, 2025, 51(5): 124-132.
[12]	LIU Yunxiang, LIANG Zhichao. A Highly Efficient Traffic Prediction Model for Continuous Time-series Graph Attention Networks [J]. Computer Engineering, 2025, 51(4): 350-359.
[13]	CI Tianzhao, YANG Hao, ZHOU You, XIE Changsheng, WU Fei. Survey of Optimization Methods for Android Smartphone Storage Systems [J]. Computer Engineering, 2025, 51(3): 1-23.
[14]	LI Siyuan, ZHONG Xingyu, LI Kaiyin, XU Qingzhen. Strategy Teaching Research Based on Multilayer Graph Relationship and Reinforcement Learning [J]. Computer Engineering, 2025, 51(3): 122-130.
[15]	CHEN Depin, ZHAO Shen, JIAO Yiping, WANG Xiangxue, LÜ Hong, XU Jun. Graph Construction on Whole Image Slides Based on Attention and Learnable Threshold [J]. Computer Engineering, 2025, 51(3): 229-240.

Please choose a citation manager

Content to export