MalLoc: Toward Fine-grained Android Malicious Payload Localization via LLMs

[en] The rapid evolution of Android malware poses significant challenges to the maintenance and security of mobile applications (apps). Traditional detection techniques often struggle to keep pace with emerging malware variants that employ advanced tactics such as code obfuscation and dynamic behavior triggering. One major limitation of these approaches is their inability to localize malicious payloads at a fine-grained level, hindering precise understanding of malicious behavior. This gap in understanding makes the design of effective and targeted mitigation strategies difficult, leaving mobile apps vulnerable to continuously evolving threats. To address this gap, we propose MalLoc, a novel approach that leverages the code understanding capabilities of large language models (LLMs) to localize malicious payloads at a fine-grained level within Android malware. Our experimental results demonstrate the feasibility and effectiveness of using LLMs for this task, highlighting the potential of MalLoc to enhance precision and interpretability in malware analysis. This work advances beyond traditional detection and classification by enabling deeper insights into behavior-level malicious logic and opens new directions for research, including dynamic modeling of localized threats and targeted countermeasure development.

Disciplines :

Computer science

Author, co-author :

SUN, Tiezhu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

ALECCI, Marco ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

PILGUN, Aleksandr ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

SONG, Yewei ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

TANG, Xunzhu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

SAMHI, Jordan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

BISSYANDE, Tegawendé François d Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

External co-authors :

Language :

English

Title :

MalLoc: Toward Fine-grained Android Malicious Payload Localization via LLMs

Publication date :

07 September 2025

Event name :

The 41st International Conference on Software Maintenance and Evolution (ICSME) 2025 conference

Event date :

7 - 12 September 2025

By request :

Yes

Audience :

International

Main work title :

The 41st International Conference on Software Maintenance and Evolution (ICSME) 2025 conference

Publisher :

IEEE

Peer reviewed :

Peer reviewed

FnR Project :

FNR16344458 - REPROCESS - Pre And Post Processing For Comprehensive And Practical Android App Static Analysis, 2021 (01/07/2022-30/06/2025) - Jacques Klein
FNR18154263 - UNLOCK - Breaking The Barriers Of Android Dynamic Analysis With Static Analysis, 2023 (01/01/2024-31/12/2026) - Jacques Klein

Available on ORBilu :

since 09 September 2025

Statistics

Number of views

68 (7 by Unilu)

Number of downloads

52 (5 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenAlex citations

Bibliography

A. Turner, "How many android users are there? global and us statistics (2025), " https://www.bankmycell.com/blog/how-many-Android-users-Are-There, 2025, accessed: 2025-06-02.
S. Dong, M. Li, W. Diao, X. Liu, J. Liu, Z. Li, F. Xu, K. Chen, X.Wang, and K. Zhang, "Understanding android obfuscation techniques: A large-scale investigation in the wild, " in Security and privacy in communication networks: 14th international conference, secureComm 2018, Singapore, Singapore, August 8-10, 2018, proceedings, part i. Springer, 2018, pp. 172-192.
Y. Zhang, S. Torabi, J. Yan, and C. Assi, "Dynamic trigger-based attacks against next-generation iot malware family classifiers, " Computers & Security, vol. 149, p. 104187, 2025.
K. Tian, D. Yao, B. G. Ryder, G. Tan, and G. Peng, "Detection of repackaged android malware with code-heterogeneity features, " IEEE Transactions on Dependable and Secure Computing, vol. 17, no. 1, pp. 64-77, 2017.
P. Faruki, R. Bhan, V. Jain, S. Bhatia, N. ElMadhoun, and R. Pamula, "A survey and evaluation of android-based malware evasion techniques and detection frameworks, " Information, vol. 14, no. 7, p. 374, 2023.
A. Ruggia, D. Nisi, S. Dambra, A.Merlo, D. Balzarotti, and S. Aonzo, "Unmasking the veiled: A comprehensive analysis of android evasive malware, " in Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 2024, pp. 383-398.
D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, K. Rieck, and C. Siemens, "Drebin: Effective and explainable detection of android malware in your pocket." in Ndss, vol. 14, no. 1, 2014, pp. 23-26.
Y.Wu, X. Li, D. Zou, W. Yang, X. Zhang, and H. Jin, "Malscan: Fast market-wide mobile malware scanning by social-network centrality analysis, " in 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 2019, pp. 139-150.
N. Daoudi, J. Samhi, A. K. Kabore, K. Allix, T. F. Bissyande, and J. Klein, "Dexray: A simple, yet effective deep learning approach to android malware detection based on image representation of bytecode, " in Deployable Machine Learning for Security Defense: Second International Workshop, MLHat 2021, Virtual Event, August 15, 2021, Proceedings 2. Springer, 2021, pp. 81-106.
T. Sun, N. Daoudi, K. Allix, and T. F. Bissyande, "Android malware detection: looking beyond dalvik bytecode, " in 2021 36th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW). IEEE, 2021, pp. 34-39.
T. Sun, N. Daoudi, K. Kim, K. Allix, T. F. Bissyande, and J. Klein, "Detectbert: Towards full app-level representation learning to detect android malware, " in Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, 2024, pp. 420-426.
T. Sun, N. Daoudi, K. Allix, J. Samhi, K. Kim, X. Zhou, A. K. Kabore, D. Kim, D. Lo, T. F. Bissyande et al., "Android malware detection based on novel representations of apps, " in Malware: Handbook of Prevention and Detection. Springer, 2024, pp. 197-212.
F. Alswaina and K. Elleithy, "Android malware family classification and analysis: Current status and future directions, " Electronics, vol. 9, no. 6, p. 942, 2020.
C. Ding, N. Luktarhan, B. Lu, andW. Zhang, "A hybrid analysis-based approach to android malware family classification, " Entropy, vol. 23, no. 8, p. 1009, 2021.
H.-I. Kim, M. Kang, S.-J. Cho, and S.-I. Choi, "Efficient deep learning network with multi-streams for android malware family classification, " IEEE Access, vol. 10, pp. 5518-5532, 2021.
S. Freitas, R. Duggal, and D. H. Chau, "Malnet: A large-scale image database of malicious software, " in Proceedings of the 31st ACM International Conference on Information & Knowledge Management, 2022, pp. 3948-3952.
T. Sun, N. Daoudi, W. Pian, K. Kim, K. Allix, T. F. Bissyande, and J. Klein, "Temporal-incremental learning for android malware detection, " ACM Transactions on Software Engineering and Methodology, vol. 34, no. 4, pp. 1-30, 2025.
A. Narayanan, M. Chandramohan, L. Chen, and Y. Liu, "A multi-view context-Aware approach to android malware detection and malicious code localization, " Empirical Software Engineering, vol. 23, pp. 1222-1274, 2018.
T. Sun, K. Allix, K. Kim, X. Zhou, D. Kim, D. Lo, T. F. Bissyande, and J. Klein, "Dexbert: Effective, task-Agnostic and fine-grained representation learning of android bytecode, " IEEE Transactions on Software Engineering, vol. 49, no. 10, pp. 4691-4706, 2023.
L. Wang, H. Wang, R. He, R. Tao, G. Meng, X. Luo, and X. Liu, "Malradar: Demystifying android malware in the new era, " Proceedings of the ACM on Measurement and Analysis of Computing Systems, vol. 6, no. 2, pp. 1-27, 2022.
E.Mariconti, L. Onwuzurike, P. Andriotis, E. De Cristofaro, G. Ross, and G. Stringhini, "Mamadroid: Detecting android malware by building markov chains of behavioral models, " arXiv preprint arXiv:1612.04433, 2016.
J. Liu, J. Zeng, F. Pierazzi, L. Cavallaro, and Z. Liang, "Unraveling the key of machine learning solutions for android malware detection, " arXiv preprint arXiv:2402.02953, 2024.
J. Samhi, L. Li, T. F. Bissyande, and J. Klein, "Difuzer: Uncovering suspicious hidden sensitive operations in android apps, " in 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). Los Alamitos, CA, USA: IEEE Computer Society, May 2022, pp. 723-735. [Online]. Available: https://doi.ieeecomputersociety.org/10.1145/3510003.3510135
M. Alecci, J. Samhi, L. Li, T. F. Bissyande, and J. Klein, " Improving Logic Bomb Identification in Android Apps via Context-Aware Anomaly Detection , " IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 05, pp. 4735-4753, Sep. 2024. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/TDSC.2024.3358979
X. Qian, X. Zheng, Y. He, S. Yang, and L. Cavallaro, "Lamd: Context-driven android malware detection and classification with llms, " arXiv preprint arXiv:2502.13055, 2025.
"Dalvik executable format, " https://source.android.com/docs/core/runtime/dex-format, accessed: 2025-06-02.
"Apktool, " https://apktool.org/, accessed: 2025-06-02.
M. Alecci, N. Sannier, M. Ceci, S. Abualhaija, J. Samhi, D. Bianculli, T. F. d. A. BISSYANDE, and J. Klein, "Toward llm-driven gdpr compliance checking for android apps, " in 33rd ACM International Conference on the Foundations of Software Engineering (FSE Companion?25), 2025.
A. Prasad, A. Koller, M. Hartmann, P. Clark, A. Sabharwal, M. Bansal, and T. Khot, "Adapt: As-needed decomposition and planning with language models, " in Findings of the Association for Computational Linguistics: NAACL 2024, 2024, pp. 4226-4252.
M. Abdin, J. Aneja, H. Behl, S. Bubeck, R. Eldan, S. Gunasekar, M. Harrison, R. J. Hewett, M. Javaheripi, P. Kauffmann et al., "Phi-4 technical report, " arXiv preprint arXiv:2412.08905, 2024.
OpenAI, "Gpt-4.1 api, " https://openai.com/index/gpt-4-1/, 2025.