This repository contains the replication package for MalLoc, a framework that uses Large Language Models (LLMs) to detect and localize malicious behaviors in Android applications through progressive analysis.
## Repository Structure

```
.
├── 0_Data/                  # Data directory
│   ├── APKs/                # Sample APK files and ground truth
│   └── Results/             # Analysis results
└── 1_Code/                  # Source code
    ├── main.py              # Main entry point
    ├── config.py            # Configuration management
    ├── config.json          # Default configuration
    ├── config.MalApp.json   # Configuration for the sample app
    └── [Other utilities]    # Supporting modules
```
## Prerequisites

- Python 3.8 or higher
- Java Development Kit (JDK) 8 or higher
- Android SDK tools (for APK analysis)
- Ollama (for local LLM support)
- OpenAI API key (for GPT models)
## Installation

- Clone the repository:

```bash
git clone [repository-url]
cd MalLocICSME-
```

- Install the required Python packages.

- Set up environment variables:

```bash
# Create a .env file holding the OpenAI key (keep this file out of version control)
echo "OPENAI_API_KEY=your_api_key_here" > .env
```

## Configuration

The framework can be configured through JSON configuration files:
- `config.json`: Default configuration
- `config.MalApp.json`: Configuration for the sample malicious app
Key configuration parameters:
- `selected_behaviors`: List of behaviors to analyze (1-12)
- `llm_configs`: LLM configurations (Ollama and/or OpenAI)
- `analysis_approach`: `"progressive"` or `"baseline"`
- `input_path`: Directory containing APK files
- `output_dir`: Directory for analysis results
## Usage

- Place APK files in the configured input directory
- Create a list of APK hashes to analyze
- Run the analysis:

```bash
python 1_Code/main.py --config config.json
```

## Analysis Approaches

### Progressive Analysis

A two-phase analysis approach:

- Class-level analysis to identify potentially malicious classes
- Method-level analysis of the identified classes

### Baseline Analysis

A simpler one-phase analysis approach that analyzes each class in a single pass.
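Before invoking `main.py` it is worth checking that the configuration is well-formed and that every hash in the APK list resolves to a file in `input_path`, so the run analyzes exactly the samples recorded in the ground truth. The pre-flight script below is an added example, not part of the MalLoc code base; the key names come from the configuration parameters above, while the hash algorithm (SHA-256) and the hash-list format (one hex digest per line) are assumptions.

```python
import hashlib
import json
from pathlib import Path

VALID_BEHAVIORS = set(range(1, 13))  # README: behaviors are numbered 1-12


def validate_config(cfg):
    """Return the problems found in a MalLoc-style config dict (empty list = OK)."""
    problems = []
    behaviors = cfg.get("selected_behaviors")
    if not isinstance(behaviors, list) or not behaviors:
        problems.append("selected_behaviors must be a non-empty list")
    elif not set(behaviors) <= VALID_BEHAVIORS:
        problems.append("selected_behaviors outside 1-12: %s" % sorted(set(behaviors) - VALID_BEHAVIORS))
    if cfg.get("analysis_approach") not in ("progressive", "baseline"):
        problems.append("analysis_approach must be 'progressive' or 'baseline'")
    if not cfg.get("llm_configs"):
        problems.append("llm_configs must list at least one LLM (Ollama and/or OpenAI)")
    for key in ("input_path", "output_dir"):
        if not cfg.get(key):
            problems.append(key + " is required")
    return problems


def sha256_of(path):
    """Stream a file through SHA-256 (assumed here to be the hash type of the APK hash list)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resolve_apks(input_path, hash_list_file):
    """Map each listed hash (assumed format: one hex digest per line) to the APK with that content.
    Matching on content rather than file name ensures the sample analysed is the one recorded
    in the ground truth, even if files in the input directory were renamed or swapped."""
    lines = Path(hash_list_file).read_text().splitlines()
    wanted = {line.strip().lower() for line in lines if line.strip()}
    by_hash = {sha256_of(p): p for p in Path(input_path).glob("*.apk")}
    found = {h: by_hash[h] for h in wanted if h in by_hash}
    return found, sorted(wanted - set(found))


def preflight(config_file, hash_list_file):
    """Run both checks before calling 1_Code/main.py; an empty list means ready to run."""
    cfg = json.loads(Path(config_file).read_text())
    problems = validate_config(cfg)
    if not problems:
        _, missing = resolve_apks(cfg["input_path"], hash_list_file)
        problems += ["no APK with hash %s in %s" % (h, cfg["input_path"]) for h in missing]
    return problems
```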
## Output

The analysis generates:

- Excel reports with detailed findings
- JSON logs of LLM interactions
- Summary statistics
- Per-behavior analysis results