The dramatic increase in the number of malware poses a serious challenge to the Android platform and makes it difficult for malware analysis. In this paper, we propose a novel approach for Android malware detection and familial classification based on the Graph Convolutional Network (GCN). The general idea is to map apps and Android APIs into a large heterogeneous graph, converting the original problem into a node classification task. We build the “App-API” and “API-API” edges based on the invocation relationship and the API usage patterns, respectively. The heterogeneous graph is then fed into the GCN model, iteratively generating node embeddings that incorporate topological structure and node features. Eventually, the unlabeled apps are classified by their final embeddings. To our knowledge, this paper is the first study to explore the application of graph neural network in the field of malware classification. We develop a prototype system named GDroid. Experiments show that GDroid can effectively detect 98.99% of Android malware with a low false positive rate of less than 1%, outperforming the existing approaches. It also achieves an average accuracy of almost 97% in the malware familial classification task with surpassing the baselines. Additionally, we cooperate with QI-ANXIN Technology Research Institute to evaluate its real-world impact, and GDroid also maintains satisfactory performance in real-world scenarios.

恶意软件数量的急剧增加对Android平台构成了严峻的挑战，并使得难以进行恶意软件分析。在本文中，我们提出了一种基于图卷积网络（GCN）的Android恶意软件检测和家族分类的新方法。一般的想法是将应用程序和Android API映射到一个大型的异构图形中，将原始问题转换为节点分类任务。我们分别基于调用关系和API使用模式来构建“ App-API”和“ API-API”边缘。然后将异构图输入到GCN模型中，以迭代方式生成结合了拓扑结构和节点特征的节点嵌入。最终，未贴标签的应用将按其最终嵌入进行分类。据我们所知，本文是探索图神经网络在恶意软件分类领域中的应用的第一项研究。我们开发了一个名为GDroid的原型系统。实验表明，GDroid可以有效检测出98.99％的Android恶意软件，其误报率低于1％，优于现有方法。在恶意软件家族分类任务中，它还达到了超过基线的平均准确性，达到近97％。此外，我们与QI-ANXIN技术研究院合作评估其在现实世界中的影响，并且GDroid在现实环境中也保持令人满意的性能。99％的Android恶意软件的误报率低于1％，优于现有方法。在恶意软件家族分类任务中，它还达到了超过基线的平均准确性，达到近97％。此外，我们与QI-ANXIN技术研究院合作评估其在现实世界中的影响，并且GDroid在现实环境中也保持令人满意的性能。99％的Android恶意软件具有不到1％的低误报率，优于现有方法。在恶意软件家族分类任务中，它还达到了超过基线的平均准确性，达到近97％。此外，我们与QI-ANXIN技术研究院合作评估其在现实世界中的影响，并且GDroid在现实环境中也保持令人满意的性能。