{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T04:36:01Z","timestamp":1776918961695,"version":"3.51.2"},"reference-count":47,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/501100004410","name":"Scientific and Technological Research Council of Turkey","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004410","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Journal of Information Security and Applications"],"published-print":{"date-parts":[[2026,5]]},"DOI":"10.1016\/j.jisa.2026.104385","type":"journal-article","created":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T22:15:07Z","timestamp":1770243307000},"page":"104385","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":3,"special_numbering":"C","title":["Explainable android malware detection and malicious code localization using graph attention"],"prefix":"10.1016","volume":"98","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-2334-762X","authenticated-orcid":false,"given":"Merve Cigdem","family":"Ipek","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5814-9973","authenticated-orcid":false,"given":"Sevil","family":"Sen","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.jisa.2026.104385_bib0001","unstructured":"Trend Micro. Trend micro cloud app security threat report 2021. Online; 2021. https:\/\/www.trendmicro.com\/vinfo\/ru\/security\/research-and-analysis\/threat-reports\/roundup\/trend-micro-cloud-app-security-threat-report-2021."},{"key":"10.1016\/j.jisa.2026.104385_bib0002","unstructured":"Trend Micro. Pushing the outer limits: Trend micro 2024 midyear cybersecurity threat report. Online; 2024. https:\/\/www.trendmicro.com\/vinfo\/us\/security\/ research-and-analysis\/threat-reports\/roundup\/pushing-the-outer-limits-trend-micro-2024-midyear-cybersecurity-threat-report."},{"issue":"3","key":"10.1016\/j.jisa.2026.104385_bib0003","doi-asserted-by":"crossref","first-page":"2025","DOI":"10.1109\/TDSC.2022.3168285","article-title":"Msdroid: identifying malicious snippets for android malware detection","volume":"20","author":"He","year":"2023","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"10.1016\/j.jisa.2026.104385_bib0004","unstructured":"Gray J., Sgandurra D., Cavallaro L.. Identifying authorship style in malicious binaries: Techniques, challenges & datasets. arXiv preprint; 2021. arXiv: 2101.06124; https:\/\/arxiv.org\/abs\/2101.06124."},{"issue":"2","key":"10.1016\/j.jisa.2026.104385_bib0005","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1109\/TBDATA.2018.2790439","article-title":"A large-scale study of android malware development phenomenon on public malware submission and scanning platform","volume":"7","author":"Huang","year":"2021","journal-title":"IEEE Trans Big Data"},{"key":"10.1016\/j.jisa.2026.104385_bib0006","series-title":"Proceedings of the 36th annual computer security applications conference","first-page":"1","article-title":"The tangled genealogy of IoT malware","author":"Cozzi","year":"2020"},{"issue":"1","key":"10.1016\/j.jisa.2026.104385_bib0007","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1109\/TNNLS.2020.2978386","article-title":"A comprehensive survey on graph neural networks","volume":"32","author":"Wu","year":"2020","journal-title":"IEEE Trans Neural Netw Learn Syst"},{"key":"10.1016\/j.jisa.2026.104385_bib0008","series-title":"Proceedings of the 24th ACM SIGKDD international conference on knowledge discovery & data mining","first-page":"1666","article-title":"Graph classification using structural attention","author":"Lee","year":"2018"},{"key":"10.1016\/j.jisa.2026.104385_bib0009","unstructured":"Brody S., Alon U., Yahav E.. How attentive are graph attention networks?2021; https:\/\/arxiv.org\/abs\/2105.14491."},{"key":"10.1016\/j.jisa.2026.104385_bib0010","series-title":"Proceedings of the 11th ACM on asia conference on computer and communications security","first-page":"365","article-title":"Mystique: evolving android malware for auditing anti-malware tools","author":"Meng","year":"2016"},{"key":"10.1016\/j.jisa.2026.104385_bib0011","series-title":"Proceedings of the international symposium on research in attacks, intrusions, and defenses","first-page":"192","article-title":"Android malware clustering through malicious payload mining","author":"Li","year":"2017"},{"key":"10.1016\/j.jisa.2026.104385_bib0012","series-title":"Proceedings of reconciling data analytics, automation, privacy, and security: a big data challenge (RDAAPS)","article-title":"Entroplyzer: android malware classification and characterization using entropy analysis of dynamic characteristics","author":"Keyes","year":"2021"},{"key":"10.1016\/j.jisa.2026.104385_bib0013","series-title":"Proceedings of the 10th international conference on communication and network security (ICCNS2020)","first-page":"70","article-title":"Didroid: android malware classification and characterization using deep image learning","author":"Rahali","year":"2020"},{"key":"10.1016\/j.jisa.2026.104385_bib0014","unstructured":"Google. Google play store. 2024. Accessed: 2024; https:\/\/play.google.com\/."},{"key":"10.1016\/j.jisa.2026.104385_bib0015","unstructured":"Apkpure. Apkpure. 2024. Accessed: 2024; https:\/\/apkpure.com\/."},{"key":"10.1016\/j.jisa.2026.104385_bib0016","unstructured":"Ma Z., Ge H., Wang Z., Liu Y., Liu X.. Droidetec: android malware detection and malicious code localization through deep learning. arXiv preprint; 2020. arXiv: 2002.03594; https:\/\/arxiv.org\/abs\/2002.03594."},{"key":"10.1016\/j.jisa.2026.104385_bib0017","doi-asserted-by":"crossref","first-page":"1222","DOI":"10.1007\/s10664-017-9539-8","article-title":"A multi-view context-aware approach to android malware detection and malicious code localization","volume":"23","author":"Narayanan","year":"2018","journal-title":"Empirical Software Eng"},{"issue":"10","key":"10.1016\/j.jisa.2026.104385_bib0018","doi-asserted-by":"crossref","first-page":"4691","DOI":"10.1109\/TSE.2023.3310874","article-title":"DexBERT: effective, task-agnostic and fine-grained representation learning of android bytecode","volume":"49","author":"Sun","year":"2023","journal-title":"IEEE Trans Software Eng"},{"key":"10.1016\/j.jisa.2026.104385_bib0019","series-title":"2021 4th international conference on machine learning and machine intelligence","first-page":"50","article-title":"An android malware detection and malicious code location method based on graph neural network","author":"Wu","year":"2021"},{"key":"10.1016\/j.jisa.2026.104385_bib0020","doi-asserted-by":"crossref","first-page":"21235","DOI":"10.1109\/ACCESS.2019.2896003","article-title":"A combination method for android malware detection based on control flow graphs and machine learning algorithms","volume":"7","author":"Ma","year":"2019","journal-title":"IEEE Access"},{"key":"10.1016\/j.jisa.2026.104385_bib0021","doi-asserted-by":"crossref","first-page":"1027","DOI":"10.1007\/s00500-019-03940-5","article-title":"Deep learning for effective android malware detection using API call graph embeddings","volume":"24","author":"Pekta\u015f","year":"2020","journal-title":"Soft Comput"},{"key":"10.1016\/j.jisa.2026.104385_bib0022","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2021.102264","article-title":"Gdroid: android malware detection and classification with graph convolutional network","volume":"106","author":"Gao","year":"2021","journal-title":"Comput Secur"},{"key":"10.1016\/j.jisa.2026.104385_bib0023","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103651","article-title":"A novel android malware detection method with API semantics extraction","volume":"137","author":"Yang","year":"2024","journal-title":"Comput Secur"},{"issue":"3","key":"10.1016\/j.jisa.2026.104385_bib0024","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3442588","article-title":"Intdroid: android malware detection based on API intimacy analysis","volume":"30","author":"Zou","year":"2021","journal-title":"ACM Trans Software Eng Methodol (TOSEM)"},{"key":"10.1016\/j.jisa.2026.104385_bib0025","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2022.102872","article-title":"DMalNet: dynamic malware analysis based on api feature engineering and graph learning","volume":"122","author":"Li","year":"2022","journal-title":"Comput Secur"},{"key":"10.1016\/j.jisa.2026.104385_bib0026","series-title":"Proceedings of the 25th international symposium on research in attacks, intrusions and defenses","first-page":"495","article-title":"Encrypted malware traffic detection via graph-based network analysis","author":"Fu","year":"2022"},{"key":"10.1016\/j.jisa.2026.104385_bib0027","article-title":"Enhancing android malware detection explainability through function call graph APIs","volume":"80","author":"Soi","year":"2024","journal-title":"J Inform Secur Appl"},{"key":"10.1016\/j.jisa.2026.104385_bib0028","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.103846","article-title":"Ghgdroid: global heterogeneous graph-based android malware detection","volume":"141","author":"Shen","year":"2024","journal-title":"Comput Secur"},{"key":"10.1016\/j.jisa.2026.104385_bib0029","doi-asserted-by":"crossref","DOI":"10.1016\/j.eswa.2023.121125","article-title":"SeGDroid: an android malware detection method based on sensitive function call graph learning","volume":"235","author":"Liu","year":"2024","journal-title":"Expert Syst Appl"},{"key":"10.1016\/j.jisa.2026.104385_bib0030","series-title":"2017\u202fIEEE\/ACM 4th international conference on mobile software engineering and systems (MOBILESoft)","first-page":"170","article-title":"Automatically locating malicious packages in piggybacked android apps","author":"Li","year":"2017"},{"key":"10.1016\/j.jisa.2026.104385_bib0031","doi-asserted-by":"crossref","first-page":"1108","DOI":"10.1007\/s11390-017-1786-z","article-title":"On locating malicious code in piggybacked android apps","volume":"32","author":"Li","year":"2017","journal-title":"J Comput Sci Technol"},{"key":"10.1016\/j.jisa.2026.104385_bib0032","series-title":"10th international symposium on engineering secure software and systems (ESSoS), Paris, France","first-page":"108","article-title":"Idea: automatic localization of malicious behaviors in android malware with hidden markov models","author":"Salem","year":"2018"},{"key":"10.1016\/j.jisa.2026.104385_bib0033","series-title":"Proceedings of the 32nd USENIX conference on security symposium","isbn-type":"print","article-title":"VulChecker: graph-based vulnerability localization in source code","author":"Mirsky","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9781939133373"},{"key":"10.1016\/j.jisa.2026.104385_bib0034","series-title":"2024\u202fIEEE\/ACM 46th international conference on software engineering (ICSE)","first-page":"1911","article-title":"Coca: improving and explaining graph neural network-based vulnerability detection systems","author":"Cao","year":"2024"},{"key":"10.1016\/j.jisa.2026.104385_bib0035","doi-asserted-by":"crossref","DOI":"10.1016\/j.scico.2024.103156","article-title":"iGnnVD: a novel software vulnerability detection model based on integrated graph neural networks","volume":"238","author":"Chen","year":"2024","journal-title":"Sci Comput Program"},{"key":"10.1016\/j.jisa.2026.104385_bib0036","series-title":"2016 International joint conference on neural networks (IJCNN)","first-page":"4701","article-title":"Contextual weisfeiler-lehman graph kernel for malware detection","author":"Narayanan","year":"2016"},{"key":"10.1016\/j.jisa.2026.104385_bib0037","first-page":"2361","article-title":"Multiple kernel learning and the SMO algorithm","volume":"23","author":"Sun","year":"2010","journal-title":"Adv Neural Inf Process Syst"},{"key":"10.1016\/j.jisa.2026.104385_bib0038","series-title":"25th USENIX security symposium, August 10-12, 2016, Austin, TX","first-page":"1101","article-title":"On demystifying the android application framework: re-visiting android permission specification analysis","author":"Backes","year":"2016"},{"key":"10.1016\/j.jisa.2026.104385_bib0039","series-title":"ACM SIGSAC Conference on computer and communications security","first-page":"1151","article-title":"Precise android API protection mapping derivation and reasoning","author":"Aafer","year":"2018"},{"key":"10.1016\/j.jisa.2026.104385_bib0040","unstructured":"Rozemberczki B.. Gam. https:\/\/github.com\/benedekrozemberczki\/GAM; 2022."},{"key":"10.1016\/j.jisa.2026.104385_bib0041","unstructured":"VirusTotal. Virustotal. https:\/\/www.virustotal.com\/; 2024."},{"key":"10.1016\/j.jisa.2026.104385_bib0042","series-title":"2012\u202fIEEE Symposium on security and privacy","first-page":"95","article-title":"Dissecting android malware: characterization and evolution","author":"Zhou","year":"2012"},{"key":"10.1016\/j.jisa.2026.104385_bib0043","series-title":"Proceedings of the 19th international symposium on research in attacks, intrusions and defenses (RAID)","first-page":"230","article-title":"AVClass: a tool for massive malware labeling","author":"Sebasti\u00e1n","year":"2016"},{"key":"10.1016\/j.jisa.2026.104385_bib0044","series-title":"Proceedings of the 39th annual computer security applications conference (ACSAC)","first-page":"1","article-title":"Euphony: harmonizing malware labels from multiple anti-virus engines","author":"Shen","year":"2023"},{"key":"10.1016\/j.jisa.2026.104385_bib0045","unstructured":"Koodous. Koodous. https:\/\/www.koodous.com\/; 2024."},{"key":"10.1016\/j.jisa.2026.104385_bib0046","series-title":"Proceedings of the 13th international conference on mining software repositories","isbn-type":"print","doi-asserted-by":"crossref","first-page":"468","DOI":"10.1145\/2901739.2903508","article-title":"Androzoo: collecting millions of android apps for the research community","author":"Allix","year":"2016","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450341868"},{"issue":"8","key":"10.1016\/j.jisa.2026.104385_bib0047","first-page":"7693","article-title":"Adversarial attack and defense on graph data: a survey","volume":"35","author":"Sun","year":"2022","journal-title":"IEEE Trans Knowl Data Eng"}],"container-title":["Journal of Information Security and Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S2214212626000153?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S2214212626000153?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T03:44:11Z","timestamp":1776915851000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2214212626000153"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5]]},"references-count":47,"alternative-id":["S2214212626000153"],"URL":"https:\/\/doi.org\/10.1016\/j.jisa.2026.104385","relation":{},"ISSN":["2214-2126"],"issn-type":[{"value":"2214-2126","type":"print"}],"subject":[],"published":{"date-parts":[[2026,5]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Explainable android malware detection and malicious code localization using graph attention","name":"articletitle","label":"Article Title"},{"value":"Journal of Information Security and Applications","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.jisa.2026.104385","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Elsevier Ltd. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"104385"}}