A Multi-modality Feature Fusion Method for Android Malware Detection

The high market share and open-source nature of the Android system led to a significant increase in the number of malicious Android applications. It poses a lot of threats for users, such as financial costs, privacy breaches, and remote control. It is more efficient to construct accurate models to detect Android malware. We propose a novel Android malware detection framework MGIDroid. It considers two modality feature representations at the same: the function call graph (FCG) and Dex bytecode image features of Android applications. First, we construct an FCG that describes the relations between function calls for an Android application. We use GraphSAGE with the SAGPool model to extract FCG features. Next, we convert Dalvik Executable files of Android applications to Dex bytecode image, Resnet model with Convolutional Block Attention Module (CBAM) is adopted to extract image features that represent the data section of an Android application. Then, we use soft attention to fuse two modalities features to finish classification. Lastly, extensive experiments were conducted to evaluate the effectiveness of our approach. The results show that our proposed method outperforms other methods and achieves a high f1-score of 98.60%.