MalLoc: Toward Fine-grained Android Malicious Payload Localization via LLMs
Tiezhu Sun, Marco Alecci, Aleksandr Pilgun, Yewei Song, Xunzhu Tang, Jordan Samhi, Tegawendé F. Bissyandé, Jacques Klein

TL;DR
MalLoc uses large language models to precisely localize malicious payloads within Android malware, improving understanding and enabling targeted mitigation strategies for evolving threats.
Contribution
This paper introduces MalLoc, a novel LLM-based approach for fine-grained localization of malicious payloads in Android malware, surpassing traditional detection methods.
Findings
LLMs can effectively localize malicious payloads.
MalLoc enhances interpretability of malware analysis.
Experimental results show improved precision in payload localization.
Abstract
The rapid evolution of Android malware poses significant challenges to the maintenance and security of mobile applications (apps). Traditional detection techniques often struggle to keep pace with emerging malware variants that employ advanced tactics such as code obfuscation and dynamic behavior triggering. One major limitation of these approaches is their inability to localize malicious payloads at a fine-grained level, hindering precise understanding of malicious behavior. This gap in understanding makes the design of effective and targeted mitigation strategies difficult, leaving mobile apps vulnerable to continuously evolving threats. To address this gap, we propose MalLoc, a novel approach that leverages the code understanding capabilities of large language models (LLMs) to localize malicious payloads at a fine-grained level within Android malware. Our experimental results…
