Existing Android malware detection approaches struggle to effectively integrate semantic information from heterogeneous program flows—namely control flow, data flow, and inter-component communications (ICCs)—and lack context awareness, thereby limiting cross-flow semantic fusion accuracy. To address this, we propose the first context-aware heterogeneous flow semantic fusion framework. It uniformly models the three program flows as a heterogeneous information network (HIN), designs a multi-type meta-path joint learning mechanism, and incorporates a channel-attention deep neural network to achieve fine-grained, context-sensitive behavioral representation and malware classification. Leveraging flow2vec embedding, we evaluate our framework on a large-scale real-world dataset comprising over 31,000 Android applications. Experimental results demonstrate that our method achieves significantly higher detection accuracy than state-of-the-art baseline approaches.

Static analysis, a fundamental technique in Android app examination, enables the extraction of control flows, data flows, and inter-component communications (ICCs), all of which are essential for malware detection. However, existing methods struggle to leverage the semantic complementarity across different types of flows for representing program behaviors, and their context-unaware nature further hinders the accuracy of cross-flow semantic integration. We propose and implement MalFlows, a novel technique that achieves context-aware fusion of heterogeneous flow semantics for Android malware detection. Our goal is to leverage complementary strengths of the three types of flow-related information for precise app profiling. We adopt a heterogeneous information network (HIN) to model the rich semantics across these program flows. We further propose flow2vec, a context-aware HIN embedding technique that distinguishes the semantics of HIN entities as needed based on contextual constraints across different flows and learns accurate app representations through the joint use of multiple meta-paths. The representations are finally fed into a channel-attention-based deep neural network for malware classification. To the best of our knowledge, this is the first study to comprehensively aggregate the strengths of diverse flow-related information for assessing maliciousness within apps. We evaluate MalFlows on a large-scale dataset comprising over 20 million flow instances extracted from more than 31,000 real-world apps. Experimental results demonstrate that MalFlows outperforms representative baselines in Android malware detection, and meanwhile, validate the effectiveness of flow2vec in accurately learning app representations from the HIN constructed over the heterogeneous flows.