HeterSupervise: package-level android malware analysis based on heterogeneous graph

In order to evade the detection of mobile security products, Android malware has become more and more complex, meanwhile, new variants grow rapidly. Facing variant malware, traditional detection methods ignore the complex interrelationships between Apps, and the purity of the detection is insufficient, hence cannot accurately and efficiently detect their complex behaviors, even difficult to detect. To combat the evolving Android malware attacks, we proposed method HeterSupervise which can analyze Android malware from an essential perspective. Firstly, We extracting various static and dynamic features from Apps using HSandroguard. To model different types of entities (i.e., code regions, sensitive API, package, signature) and rich relations among them, we present a heterogeneous graph for modeling. Secondly, in order to get the feature representation of each node, we design the HGN-embedding method to obtain the embedding of nodes belong to different types. Thirdly, we build HG-CNN classifiers based on various typical CNNs to detect unknown Android Apps. We integrate the above methods as a system Heter-Supervisor. Comprehensive experiments show that HeterSupervisor achieves more than 97% accuracy, and outperforms the state-of-the-art methods in efficiency with 60% improvement.