BinCtx: Multi-Modal Representation Learning for Robust Android App Behavior Detection

• URL: http://arxiv.org/abs/2510.14344v1
• Date: Thu, 16 Oct 2025 06:29:06 GMT
• Title: BinCtx: Multi-Modal Representation Learning for Robust Android App Behavior Detection
• Authors: Zichen Liu, Shao Yang, Xusheng Xiao,
• Abstract summary: We present BINCTX, a learning approach that builds multi-modal representations of an app from a global bytecode-as-image view.<n>On real-world malware and benign apps, BINCTX attains a macro F1 of 94.73%, outperforming strong baselines by at least 14.92%.
• Score: 14.968903026957603
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Mobile app markets host millions of apps, yet undesired behaviors (e.g., disruptive ads, illegal redirection, payment deception) remain hard to catch because they often do not rely on permission-protected APIs and can be easily camouflaged via UI or metadata edits. We present BINCTX, a learning approach that builds multi-modal representations of an app from (i) a global bytecode-as-image view that captures code-level semantics and family-style patterns, (ii) a contextual view (manifested actions, components, declared permissions, URL/IP constants) indicating how behaviors are triggered, and (iii) a third-party-library usage view summarizing invocation frequencies along inter-component call paths. The three views are embedded and fused to train a contextual-aware classifier. On real-world malware and benign apps, BINCTX attains a macro F1 of 94.73%, outperforming strong baselines by at least 14.92%. It remains robust under commercial obfuscation (F1 84% post-obfuscation) and is more resistant to adversarial samples than state-of-the-art bytecode-only systems.

Related papers

• SEMA: Simple yet Effective Learning for Multi-Turn Jailbreak Attacks [53.97948802255959]
  We propose a framework that trains a multi-turn attacker without relying on any existing strategies or external data.<n>Prefilling self-tuning enables usable rollouts by fine-tuning on non-refusal, well-structured, multi-turn adversarial prompts.<n>We anchor harmful intent in multi-turn jailbreaks via an intent-drift-aware reward that combines intent alignment, compliance risk, and level of detail.
  arXiv  Detail & Related papers  (2026-02-06T16:44:57Z)
• UIXPOSE: Mobile Malware Detection via Intention-Behaviour Discrepancy Analysis [6.155604731137829]
  We introduce UIXPOSE, a source-code-agnostic framework that operates on both compiled and open-source apps.<n>This framework applies Intention Behaviour Alignment (IBA) to mobile malware analysis, aligning UI-inferred intent with runtime semantics.
  arXiv  Detail & Related papers  (2025-12-16T06:26:29Z)
• OmniSafeBench-MM: A Unified Benchmark and Toolbox for Multimodal Jailbreak Attack-Defense Evaluation [94.61617176929384]
  OmniSafeBench-MM is a comprehensive toolbox for multi-modal jailbreak attack-defense evaluation.<n>It integrates 13 representative attack methods, 15 defense strategies, and a diverse dataset spanning 9 major risk domains and 50 fine-grained categories.<n>By unifying data, methodology, and evaluation into an open-source, reproducible platform, OmniSafeBench-MM provides a standardized foundation for future research.
  arXiv  Detail & Related papers  (2025-12-06T22:56:29Z)
• "Digital Camouflage": The LLVM Challenge in LLM-Based Malware Detection [0.0]
  Large Language Models (LLMs) have emerged as promising tools for malware detection.<n>However, their reliability under adversarial compiler-level obfuscation is yet to be discovered.<n>This study empirically evaluate the robustness of three state-of-the-art LLMs against compiler-level obfuscation techniques.
  arXiv  Detail & Related papers  (2025-09-20T12:47:36Z)
• Decompiling Smart Contracts with a Large Language Model [51.49197239479266]
  Despite Etherscan's 78,047,845 smart contracts deployed on (as of May 26, 2025), a mere 767,520 ( 1%) are open source.<n>This opacity necessitates the automated semantic analysis of on-chain smart contract bytecode.<n>We introduce a pioneering decompilation pipeline that transforms bytecode into human-readable and semantically faithful Solidity code.
  arXiv  Detail & Related papers  (2025-06-24T13:42:59Z)
• Implicit Jailbreak Attacks via Cross-Modal Information Concealment on Vision-Language Models [20.99874786089634]
  Previous jailbreak attacks often inject malicious instructions from text into less aligned modalities, such as vision.<n>We propose a novel implicit jailbreak framework termed IJA that stealthily embeds malicious instructions into images via at least significant bit steganography.<n>On commercial models like GPT-4o and Gemini-1.5 Pro, our method achieves attack success rates of over 90% using an average of only 3 queries.
  arXiv  Detail & Related papers  (2025-05-22T09:34:47Z)
• Shelving it rather than Ditching it: Dynamically Debloating DEX and Native Methods of Android Applications without APK Modification [29.467587717542013]
  3DNDroid is a Dynamic Debloating approach targeting both DEX and Native methods in AnDroid apps.<n>It intercepts invocations of debloated bytecode methods to prevent their interpretation, compilation, and execution.<n> Evaluation demonstrates 3DNDroid's ability to debloat 187 DEX methods and 30 native methods across 55 real-world apps.
  arXiv  Detail & Related papers  (2025-01-09T04:34:00Z)
• Layer-Level Self-Exposure and Patch: Affirmative Token Mitigation for Jailbreak Attack Defense [55.77152277982117]
  We introduce Layer-AdvPatcher, a methodology designed to defend against jailbreak attacks.<n>We use an unlearning strategy to patch specific layers within large language models through self-augmented datasets.<n>Our framework reduces the harmfulness and attack success rate of jailbreak attacks.
  arXiv  Detail & Related papers  (2025-01-05T19:06:03Z)
• DetectBERT: Towards Full App-Level Representation Learning to Detect Android Malware [7.818978727292627]
  This paper introduces DetectBERT, which integrates correlated Multiple Instance Learning (c-MIL) with DexBERT to handle the high dimensionality and variability of Android malware. Our evaluation demonstrates that DetectBERT not only surpasses existing state-of-the-art detection methods but also adapts to evolving malware threats.
  arXiv  Detail & Related papers  (2024-08-29T08:47:25Z)
• JailbreakBench: An Open Robustness Benchmark for Jailbreaking Large Language Models [123.66104233291065]
  Jailbreak attacks cause large language models (LLMs) to generate harmful, unethical, or otherwise objectionable content. evaluating these attacks presents a number of challenges, which the current collection of benchmarks and evaluation techniques do not adequately address. JailbreakBench is an open-sourced benchmark with the following components.
  arXiv  Detail & Related papers  (2024-03-28T02:44:02Z)
• I3CL:Intra- and Inter-Instance Collaborative Learning for Arbitrary-shaped Scene Text Detection [93.62705504233931]
  We propose a novel method named Intra- and Inter-Instance Collaborative Learning (I3CL) Specifically, to address the first issue, we design an effective convolutional module with multiple receptive fields. To address the second issue, we devise an instance-based transformer module to exploit the dependencies between different text instances.
  arXiv  Detail & Related papers  (2021-08-03T07:48:12Z)
• Feature-level Malware Obfuscation in Deep Learning [0.0]
  We train a deep neural network classifier for malware classification using features of benign and malware samples. We demonstrate a steep increase in false negative rate (i.e., attacks succeed) by randomly adding features of a benign app to malware. We find that for API calls, it is possible to reject the vast majority of attacks, where using Intents or Permissions is less successful.
  arXiv  Detail & Related papers  (2020-02-10T00:47:23Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.