Traditional Android malware detection struggles to precisely localize malicious payloads and lacks fine-grained, behavior-level identification capability, hindering explainable analysis and targeted defense design. To address this, we propose the first LLM-based framework for function- and statement-level localization of Android malicious payloads, synergistically integrating large language models’ code comprehension with static analysis to semantically reconstruct and interpret malicious intent at the behavioral logic level. Our approach enables dynamic threat modeling, significantly improving both localization accuracy and interpretability. Extensive experiments on multiple benchmark datasets demonstrate substantial performance gains over state-of-the-art conventional methods. This work establishes the first LLM-driven, fine-grained malicious behavior localization framework for mobile security, pioneering a new paradigm for precise, explainable Android malware analysis.

The rapid evolution of Android malware poses significant challenges to the maintenance and security of mobile applications (apps). Traditional detection techniques often struggle to keep pace with emerging malware variants that employ advanced tactics such as code obfuscation and dynamic behavior triggering. One major limitation of these approaches is their inability to localize malicious payloads at a fine-grained level, hindering precise understanding of malicious behavior. This gap in understanding makes the design of effective and targeted mitigation strategies difficult, leaving mobile apps vulnerable to continuously evolving threats. To address this gap, we propose MalLoc, a novel approach that leverages the code understanding capabilities of large language models (LLMs) to localize malicious payloads at a fine-grained level within Android malware. Our experimental results demonstrate the feasibility and effectiveness of using LLMs for this task, highlighting the potential of MalLoc to enhance precision and interpretability in malware analysis. This work advances beyond traditional detection and classification by enabling deeper insights into behavior-level malicious logic and opens new directions for research, including dynamic modeling of localized threats and targeted countermeasure development.