🤖 AI Summary
To address the security threat posed by malicious advertising campaigns in Android applications—where ad networks are abused to distribute malware—this paper proposes an end-to-end detection and attribution framework grounded in application promotion graphs. Methodologically, it pioneers a hybrid approach integrating UI-driven dynamic exploration (via DroidBot) with heterogeneous graph modeling to construct fine-grained promotion relationship graphs; a Graph Attention Network (GAT) is then employed for malicious link identification, augmented by explainable subgraph mining to support root-cause attribution of promotion mechanisms. Evaluated on 18,627 real-world promotional ad samples, the framework achieves 92.3% detection accuracy and successfully reconstructs multiple cross-application stealthy malicious promotion paths. It represents the first systematic revelation of coordinated security risks within the mobile advertising ecosystem. This work establishes a scalable and interpretable paradigm for malicious ad detection in modern app distribution infrastructures.
📝 Abstract
Developers of Android apps frequently place app promotion ads, namely advertisements that promote other apps. Unfortunately, inadequate vetting of ad content allows malicious developers to exploit app promotion ads as a new distribution channel for malware. To help detect malware distributed via app promotion ads, in this paper we propose a novel approach, named ADGPE, that synergistically integrates app user interface (UI) exploration with graph learning to automatically collect app promotion ads, detect malware promoted by these ads, and explain the promotion mechanisms employed by the detected malware. Our evaluation on 18,627 app promotion ads demonstrates the substantial risks in the app promotion ecosystem.