MARA: A Malware Analysis Reasoning Agent for Interpretable Android Malware Detection
Figshare. Updated 2025-11-24. Indexed 2026-04-08.
Download link:
https://figshare.com/articles/dataset/FAMDA_Fusion-based_Android_Malware_Detection_Agent_with_LLM_Support/29146082/6
Resource description:
MARA is a next-generation Android malware detection framework that transforms fragmented static and behavioral signals into coherent, human-understandable malicious behavior chains. Unlike traditional black-box detectors or feature-centric learning models, MARA treats malware detection as a behavior-centric reasoning problem, powered by structured perception and multi-stage LLM reasoning.

MARA introduces a unified perception–reasoning–action pipeline that enables transparent, explainable, and semantically grounded Android malware analysis, offering both high detection accuracy and strong interpretability.

🔍 Key Features

1. Behavior-Centric Evidence Structuring (BCES)

MARA reorganizes heterogeneous Android artifacts (permissions, API calls, components, ICC flows, and lightweight runtime signals) into a structured, behavior-oriented evidence space. This design eliminates semantic fragmentation and exposes hidden relationships across signals such as:

- sensitive permission + data-access API
- exported component + privilege operation
- background tasks + network exfiltration

BCES builds the foundation for coherent, chain-based reasoning.

2. Multi-Stage Behavior Reasoning (BCMR)

Instead of producing a single-pass prediction, MARA performs progressive reasoning using an LLM:

- Stage 1: Initial Inspection. Identify suspicious behaviors at the evidence-block level.
- Stage 2: Context Enrichment. Infer missing or implicit cross-block relationships.
- Stage 3: Behavior-Chain Construction. Reconstruct the complete malicious behavior chain and make the final decision.

This staged reasoning design enforces explicit, causal, and verifiable analysis, far more transparent than standard chain-of-thought (CoT) prompting or one-shot LLM inference.

3. Explanation-Based Detection

MARA outputs both:

- a final malware/benign decision, and
- a behavior-grounded explanation that mirrors its actual reasoning trajectory.

This ensures high interpretability and eliminates the problem of post-hoc "fabricated explanations" common in LLM detectors.

📊 Performance Highlights

Across benchmark datasets (Drebin, AMD, CICMalDroid), MARA delivers:

- 97.3% accuracy on Drebin
- 96.4% accuracy on AMD
- 94.7% accuracy on CICMalDroid
- the highest explanation quality across clarity, semantic relevance, justification, and behavior-chain fidelity
- strong robustness under obfuscation (renaming, packing, encryption)

MARA consistently outperforms traditional static detectors, deep learning fusion models, and recent LLM-based malware analysis frameworks.

🛡️ Robustness to Obfuscation

MARA's behavior-centric design allows it to remain stable under:

- symbol renaming
- string/code encryption
- DEX packing
- NOP insertion

Accuracy degradation is 2.5–4.0%, significantly lower than existing baselines (5–10%).
Providing institution:
123
Creation date:
2025-11-24