CCS2025

ForeDroid: Scenario-Aware Analysis for Android Malware Detection and Explanation

Jiaming Li, Sen Chen, Chunlian Wu, Yuxin Zhang, Lingling Fan

Abstract

Android malware continues to evolve, posing significant challenges in generalization, fine-grained detection, and interpretability for existing detection systems. Existing methods struggle to generalize to unseen malware, lack fine-grained behavioral understanding, and provide limited interpretability because they rely on rigid rules or cannot recover complete causal behavior paths. To this end, we present ForeDroid, a unified and interpretable framework for Android malware detection and explanation via scenario-aware analysis. ForeDroid models malicious intent as behavioral inconsistencies within functional scenarios. It clusters semantically coherent scenarios, extracts sensitive API call chains, and summarizes them into natural language using LLMs. These summaries are embedded and compared against the benign behavior distribution of the same scenario for unsupervised anomaly detection. High-risk behaviors showing strong semantic inconsistency are further interpreted by an LLM-driven module that generates fine-grained anomaly reports. We evaluated ForeDroid on two challenging tasks: zero-day malware detection and fine-grained behavior analysis. The results show that ForeDroid outperforms MaMaDroid, MalScan, DeepRefiner, and a continual-learning-based approach in zero-day malware detection under the temporal-split setting. Moreover, ForeDroid achieves an F1-score of 0.94 in fine-grained behavior detection on the manually annotated GPMalware dataset, surpassing ProMal. Our results demonstrate ForeDroid's ability to bridge low-level call graph analysis with high-level semantic reasoning, making it a practical, interpretable solution for malware detection.
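The step the abstract leaves most abstract is the unsupervised comparison of an embedded behavior summary against the benign distribution of the same scenario. The following is an added illustration written for this page, not the authors' code: it assumes the call-chain summaries have already been embedded (constructed toy vectors stand in for real embeddings), that each summary carries a scenario label from the clustering step, and that the anomaly rule is cosine distance to the scenario's benign centroid normalized by the benign spread. The paper does not state its distance or threshold; both are assumptions here. The example also covers two practical cases the abstract implies but does not spell out: an app whose scenario has no benign baseline, and a scenario with too few benign samples to estimate a spread.

```python
"""Scenario-aware anomaly scoring in the spirit of the ForeDroid pipeline.

Added example for this page, not the authors' implementation. Inputs are
constructed: each vector stands in for the embedding of an LLM summary of
one sensitive API call chain, already assigned to a functional scenario.
Scoring rule (assumption): cosine distance to the benign centroid of the
same scenario, expressed as a z-score over the benign distances.
"""
import math
from statistics import mean, pstdev


def cosine_distance(a, b):
    """1 - cosine similarity; zero vectors are treated as maximally distant."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0.0 or nb == 0.0:
        return 1.0
    return 1.0 - dot / (na * nb)


def centroid(vectors):
    dim = len(vectors[0])
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]


class ScenarioBaseline:
    """Per-scenario benign model: centroid plus mean/stddev of benign distances."""

    def __init__(self, min_samples=3, min_spread=1e-6):
        self.models = {}
        self.min_samples = min_samples   # fewer benign samples: no usable baseline
        self.min_spread = min_spread     # floor so a tight cluster cannot divide by zero

    def fit(self, benign_by_scenario):
        for scenario, vecs in benign_by_scenario.items():
            if len(vecs) < self.min_samples:
                continue  # skip rather than build a baseline from one or two apps
            c = centroid(vecs)
            dists = [cosine_distance(v, c) for v in vecs]
            self.models[scenario] = (c, mean(dists), max(pstdev(dists), self.min_spread))

    def score(self, scenario, vec):
        """z-score of the summary's distance; None when the scenario has no baseline."""
        if scenario not in self.models:
            return None
        c, mu, sigma = self.models[scenario]
        return (cosine_distance(vec, c) - mu) / sigma

    def is_anomalous(self, scenario, vec, z_threshold=3.0):
        z = self.score(scenario, vec)
        return z is not None and z >= z_threshold

    def rank_for_explanation(self, observations, z_threshold=3.0):
        """Return (scenario, label, z) for flagged summaries, highest z first;
        this is the hand-off point to an LLM-driven report generator."""
        flagged = []
        for scenario, label, vec in observations:
            z = self.score(scenario, vec)
            if z is not None and z >= z_threshold:
                flagged.append((scenario, label, z))
        return sorted(flagged, key=lambda t: t[2], reverse=True)


# Constructed benign embeddings for a "login" scenario (hypothetical data).
BENIGN_EMBEDDINGS = {
    "login": [
        [1.0, 0.1, 0.0],
        [0.9, 0.2, 0.1],
        [1.0, 0.0, 0.1],
        [0.95, 0.15, 0.05],
    ],
    "billing": [[0.0, 0.0, 1.0]],  # only one benign sample: no baseline is built
}

# Constructed observations from an app under analysis (hypothetical data).
OBSERVATIONS = [
    ("login", "credential check then token refresh", [1.0, 0.1, 0.05]),
    ("login", "reads contacts and uploads them during login", [0.1, 1.0, 0.0]),
    ("billing", "queries purchase state", [0.0, 0.0, 1.0]),
]


def run_demo():
    baseline = ScenarioBaseline()
    baseline.fit(BENIGN_EMBEDDINGS)
    return baseline.rank_for_explanation(OBSERVATIONS)


if __name__ == "__main__":
    for scenario, label, z in run_demo():
        print(f"[{scenario}] z={z:.1f}: {label}")
```

Only summaries whose scenario has an established benign baseline can be scored; an unseen scenario yields no verdict rather than a false negative, and a scenario with a single benign sample is deliberately left without a baseline so a degenerate spread cannot flag everything.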