LAMD: Context-driven Android Malware Detection and Classification with LLMs
Xingzhi Qian, Xinran Zheng, Yiling He, Shuo Yang, Lorenzo Cavallaro

TL;DR
LAMD leverages large language models with context extraction and tier-wise reasoning to improve Android malware detection, addressing challenges of code complexity and explainability in dynamic threat environments.
Contribution
The paper introduces LAMD, a novel framework that enhances LLM-based Android malware detection through context-driven code analysis and multi-tier reasoning, overcoming existing limitations.
Findings
LAMD outperforms traditional detectors in real-world tests.
The framework effectively isolates security-critical code regions.
Factual verification reduces LLM hallucinations during analysis.
Abstract
The rapid growth of mobile applications has escalated Android malware threats. Although there are numerous detection methods, they often struggle with evolving attacks, dataset biases, and limited explainability. Large Language Models (LLMs) offer a promising alternative with their zero-shot inference and reasoning capabilities. However, applying LLMs to Android malware detection presents two key challenges: (1) the extensive support code in Android applications, often spanning thousands of classes, exceeds LLMs' context limits and obscures malicious behavior within benign functionality; (2) the structural complexity and interdependencies of Android applications surpass LLMs' sequence-based reasoning, fragmenting code analysis and hindering malicious intent inference. To address these challenges, we propose LAMD, a practical context-driven framework to enable LLM-based Android malware…
Taxonomy
Topics: Advanced Malware Detection Techniques · Mobile and Web Applications · Network Security and Intrusion Detection
