Explainable android malware detection and malicious code localization using graph attention

With the escalating threat of mobile malware, there is a growing need for techniques that not only detect malware but also precisely identify and localize the malicious code within applications. Existing security solutions, including AI-based approaches, often function as black boxes, offering limited insights into the actual code responsible for malicious behavior. Manual analysis remains time-consuming and reliant on scarce expertise. To address these challenges, we propose XAIDroid, a novel framework that leverages graph neural networks (GNNs) and graph attention mechanisms to automatically locate malicious code snippets within malware. By representing code as API call graphs, XAIDroid captures semantic context and enhances resilience to obfuscation. Utilizing the Graph Attention Model (GAM) and Graph Attention Network v2 (GATv2), we assign importance scores to API nodes, facilitating focused attention on critical regions for malicious code localization. Evaluation on synthetic and real-world malware datasets demonstrates the efficacy of our approach, achieving high recall and F1-score rates for identifying malicious code. The successful implementation of automatic malicious code localization enhances the interpretability of malware analysis by explicitly identifying malicious code regions, enables scalable analysis by eliminating the need for manual localization baselines during training, and improves reliability through consistent performance on previously unseen malware variants.