Abstract: With the rapid development of mobile apps, developers tend to implement a wide variety of functionalities to meet users' demands. To deliver these rich functionalities while keeping the system responsive, they rely on native libraries rather than a single programming language (i.e., Java). Nonetheless, such an inter-language programming framework also introduces more security issues, because attackers can conceal malicious behaviors at the native level to evade Android security vetting. Existing state-of-the-art detection tools mainly rely on information extracted from the Java code to infer the potential malicious behaviors implemented in native code; none of them can simultaneously study the correlated behaviors in Java and native code. Therefore, in this paper we propose a static semantic-driven malware detection tool, GNNDroid, that distinguishes malware by combining the behaviors implemented in both Java and native code. First, GNNDroid analyzes Java and native code separately to construct Java function call graphs and native function call graphs. It then uses a regex-based function recognition approach to identify the correlations between Java code and native code. According to these code correlations, GNNDroid constructs Multi-Relational Directed Graphs (MRDGs) to capture the comprehensive behaviors. Finally, it runs a Gated Graph Neural Network (GGNN) on the MRDGs to distinguish malicious apps. We evaluated GNNDroid on 40,000 Android apps and compared it with state-of-the-art tools. The results demonstrate that GNNDroid not only performs well on Java+native apps (i.e., apps implemented in both Java and native code), achieving an F1 of 98.57%, but also handles Java-only apps (i.e., apps implemented in Java code alone) effectively, achieving an F1 of 96.31%.
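The abstract describes two steps that are easy to picture but not shown: matching Java `native` method declarations to exported native symbols by name, and merging the Java call graph, the native call graph and those bridges into one multi-relational directed graph. The following Python is an added illustration written for this page; it is not GNNDroid's code and the paper's exact regexes, graph schema and node naming are not given here. What it relies on is the standard JNI short-name mangling (`Java_` + mangled class + `_` + mangled method, optionally `__` + mangled argument signature for overloads), which is a real convention; the call-graph edges, class names and symbol names are constructed sample data. It also goes slightly beyond the abstract by reporting declarations that match no exported symbol, the situation a name-based matcher hits when natives are registered dynamically via `RegisterNatives`, which a defender should treat as a gap in the recovered cross-language behavior rather than as "no native code".

```python
import re
from collections import defaultdict


def jni_mangle(name):
    """Apply JNI short-name mangling to a class or method name.
    '.' and '/' -> '_', '_' -> '_1', ';' -> '_2', '[' -> '_3',
    other non-alphanumerics -> '_0' + 4 hex digits of the code point."""
    out = []
    for ch in name:
        if ch in "./":
            out.append("_")
        elif ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))
    return "".join(out)


def jni_symbol_regex(java_class, method):
    """Regex recognising the exported symbol for one Java `native` method,
    with or without the overload suffix ('__' + mangled signature)."""
    return re.compile(r"^Java_%s_%s(?:__[A-Za-z0-9_]+)?$"
                      % (re.escape(jni_mangle(java_class)),
                         re.escape(jni_mangle(method))))


def build_mrdg(java_edges, native_decls, native_edges, native_symbols):
    """Merge both call graphs into a multi-relational directed graph,
    represented as {relation: set of (src, dst)}.  Relations used here
    (assumed schema, not the paper's): 'java_call', 'native_call',
    'jni_bridge'.  Returns (graph, declarations with no matching symbol)."""
    mrdg = defaultdict(set)
    for src, dst in java_edges:
        mrdg["java_call"].add((src, dst))
    for src, dst in native_edges:
        mrdg["native_call"].add((src, dst))
    unresolved = []
    for cls, method in native_decls:
        pat = jni_symbol_regex(cls, method)
        matches = [s for s in native_symbols if pat.match(s)]
        if not matches:
            unresolved.append((cls, method))  # e.g. registered via RegisterNatives
        for sym in matches:
            mrdg["jni_bridge"].add(("%s.%s" % (cls, method), sym))
    return mrdg, unresolved


def reachable(mrdg, start):
    """Nodes reachable from `start` following edges of every relation,
    i.e. a Java-to-native behavior slice."""
    adj = defaultdict(set)
    for edges in mrdg.values():
        for src, dst in edges:
            adj[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj[node])
    return seen


# Constructed sample data (not from any real app).
JAVA_EDGES = [
    ("com.example.app.MainActivity.onCreate", "com.example.app.Loader.run"),
    ("com.example.app.Loader.run", "com.example.app.Loader.decode_asset"),
    ("com.example.app.MainActivity.onCreate", "com.example.app.Net.sendReport"),
]
NATIVE_DECLS = [
    ("com.example.app.Loader", "decode_asset"),   # note the '_' -> '_1' mangling
    ("com.example.app.Net", "sendReport"),        # overloaded: symbol carries a signature suffix
    ("com.example.app.Hidden", "nativeInit"),     # no exported symbol: dynamically registered
]
NATIVE_SYMBOLS = [
    "Java_com_example_app_Loader_decode_1asset",
    "Java_com_example_app_Net_sendReport__Ljava_lang_String_2",
    "xor_block",
    "dlopen_helper",
]
NATIVE_EDGES = [
    ("Java_com_example_app_Loader_decode_1asset", "xor_block"),
    ("Java_com_example_app_Net_sendReport__Ljava_lang_String_2", "dlopen_helper"),
]


def demo():
    return build_mrdg(JAVA_EDGES, NATIVE_DECLS, NATIVE_EDGES, NATIVE_SYMBOLS)


if __name__ == "__main__":
    graph, missing = demo()
    for rel, edges in sorted(graph.items()):
        print(rel, sorted(edges))
    print("unresolved native declarations:", missing)
    print("reachable from onCreate:",
          sorted(reachable(graph, "com.example.app.MainActivity.onCreate")))
```

Generating a regex from each Java-side declaration, rather than trying to split an arbitrary `Java_...` symbol on underscores, sidesteps the ambiguity that `_` is both the package separator and part of the `_1` escape. The `unresolved` list is the useful output for analysts: a declared native method with no exported symbol means the bridge edge is missing from the graph and the native side of that behavior has to be recovered some other way.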
External IDs: dblp:journals/tdsc/XiZFMMSY25