Android Malware Detection Method Based on Static Feature Combination in Graph Neural Networks
中国科学数据 | Updated: 2026-03-16 | Indexed: 2026-04-25
Download link:
https://www.sciengine.com/AA/doi/10.19678/j.issn.1000-3428.0070073
Resource description:
Android is currently the most widely used operating system for mobile smart terminals; however, the constant emergence of Android malware poses a significant threat to users. Some methods process the features extracted from static analysis to detect Android malware. These methods can reflect some attributes of the software but cannot capture the characteristics of the potential intentions behind malicious behavior; therefore, achieving good detection performance when facing Android malware with evasion capabilities is a challenge. To address this issue, this study proposes an Android malware detection method based on static feature combination in Graph Neural Network (GNN). The function call graph is extracted from the decompiled file. node2vec is used to construct the local structural features of each node, the functions of each node are analyzed, opcodes are extracted and classified, the Katz algorithm is used to calculate node importance, and the importance coefficient of each Application Program Interface (API) node in the graph is calculated for the Android malware and its malicious family according to the TF-IDF algorithm. These features are combined into node features, and feature self-looping is performed on important nodes to enhance the feature differences between nodes. On this basis, a classifier, DAg_MAL, based on a Directed GNN (DGCN) and Graph Attention Network (GAT) is designed. The classifier adopts a gPool layer, which can effectively capture the key call relationships in software behavior and exclude unimportant nodes. Experimental results show that the proposed method achieves good performance in both binary and multi-classification tasks, outperforming other similar methods.
Created:
2026-03-16



