Zing Forum

GAMBIT: A Generative AI-Powered Intelligent Analysis Platform for Android Malware

GAMBIT is a multi-layered AI-driven malware analysis system that converts Android APK files into readable intelligence reports, helping analysts quickly identify threats, attribute attack campaigns, and formulate response strategies.

Tags: Android security, malware analysis, generative AI, reverse engineering, threat intelligence, RAG, MITRE ATT&CK, machine learning
Published 2026-06-01 23:11 | Recent activity 2026-06-01 23:22 | Estimated read 7 min
Section 01

[Introduction] GAMBIT: AI-Powered Intelligent Analysis Platform for Android Malware

GAMBIT is an AI-driven Android malware analysis platform developed by theTyai and released on GitHub in June 2026. It adopts a multi-layered architecture to convert APK files into readable intelligence reports, helping analysts quickly identify threats, attribute attack campaigns, and formulate response strategies. Its core goal is to address the pain points of traditional analysis methods—low efficiency and heavy reliance on professional skills—and provide bank fraud teams with the ability to quickly interpret black-box APKs.

Section 02

Background and Challenges: Pain Points in Android Malware Analysis

In the mobile security field, Android malware analysis faces two major challenges:

  1. Traditional static analysis and dynamic sandbox methods are inefficient when dealing with massive samples;
  2. They require highly professional reverse engineering skills, making it difficult for bank fraud teams to quickly determine the threat level and attack intent of an APK.

GAMBIT (Generative AI Malware Behavioral Intelligence Tracker) was built to address these issues. Its design goal is to convert obscure binary APKs into human-readable reports that answer four questions: what the malware does, who wrote it, how it targets bank customers, and how to counter it.

Section 03

System Architecture and Core Methods

GAMBIT adopts a six-layer architecture design, with core functions of each layer as follows:

1. Ingestion and Preprocessing

Monitor APK uploads, compute hash values (SHA-256/MD5/SHA1) and fuzzy hashes (ssdeep/TLSH), extract metadata, perform pre-checks via VirusTotal, and build case objects. TLSH fuzzy hashing can identify near-identical samples (similarity ≥85% indicates possible association with the same threat actor).

2. Structural Classification

Convert APKs into 512×512 grayscale images, use a fine-tuned ResNet-50 CNN to classify known families; after unpacking DEX files, compute Smali SimHash and store in a Neo4j graph database to associate variants (similarity ≥85%).

3. GenAI Reverse Engineering

Unpack and decompile using apktool/jadx/Androguard, analyze the control-flow graph (CFG) via a three-stage LLM prompt chain (code summarization → intent classification → narrative generation), combined with a banking-specific permission combination classification method (e.g., READ_SMS + INTERNET marks OTP theft).

4. Deep Analysis

Static (manifest/API calls/string extraction) and dynamic (emulator monitoring of network/files/permissions) analysis run in parallel, merging feature vectors.

5. Behavioral Attribution and RAG Enhancement

Attribute threat actors via semantic matching of historical data in a vector database, and map to the MITRE ATT&CK framework.

6. Risk Assessment and Report Generation

Compute risk scores using XGBoost/LightGBM, generate reports containing executive summaries, MITRE mappings, IoCs, etc.
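The variant association step of layer 2, as an added example that is not GAMBIT's own code: it tokenizes Smali methods into rename-tolerant features, computes a 64-bit SimHash, and applies the page's ≥85% similarity threshold before linking two samples as variants. The feature scheme (opcode, callee name and descriptor with the declaring class dropped, string literals), the 64-bit width, the formula similarity = 1 − hamming/64, and the Smali fragments are all assumptions constructed for this demo.

```python
"""Layer 2: Smali SimHash and variant association (added example, not GAMBIT code).

Assumed: features = opcode + callee (class dropped) + string literals,
64-bit fingerprints, similarity = 1 - hamming/64, link at >= 85%.
"""
import hashlib
import re
from typing import Iterable, List

SIMHASH_BITS = 64
VARIANT_THRESHOLD = 0.85  # similarity threshold quoted by the page

_INVOKE_RE = re.compile(r"^(invoke-[a-z/]+)\s+\{[^}]*\},\s*L[^;]+;->(\S+)$")
_CONST_STR_RE = re.compile(r'^const-string\s+\S+,\s*"(.*)"$')


def extract_features(smali: str) -> List[str]:
    """Tokenize a Smali method into features that survive package renaming.

    Dropping the declaring class from call sites means a repackaged build
    that only renamed packages yields exactly the same feature list.
    """
    features: List[str] = []
    for raw in smali.splitlines():
        line = raw.strip()
        if not line or line.startswith((".", ":", "#")):
            continue  # directives, labels and comments carry no behaviour
        features.append("op:" + line.split()[0])
        m = _INVOKE_RE.match(line)
        if m:
            features.append("call:" + m.group(2))  # method name + descriptor only
            continue
        m = _CONST_STR_RE.match(line)
        if m:
            features.append("str:" + m.group(1))
    return features


def simhash(features: Iterable[str], bits: int = SIMHASH_BITS) -> int:
    """Charikar SimHash: each feature's hash votes per bit; repeats add weight."""
    votes = [0] * bits
    for feat in features:
        h = int.from_bytes(hashlib.sha256(feat.encode()).digest()[:8], "big")
        for i in range(bits):
            votes[i] += 1 if (h >> i) & 1 else -1
    fingerprint = 0
    for i in range(bits):
        if votes[i] > 0:
            fingerprint |= 1 << i
    return fingerprint


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def similarity(a: int, b: int, bits: int = SIMHASH_BITS) -> float:
    return 1.0 - hamming(a, b) / bits


def is_variant(a: int, b: int) -> bool:
    """Layer 2 decision: should the two samples be linked in the variant graph?"""
    return similarity(a, b) >= VARIANT_THRESHOLD


# Constructed Smali (not a real sample): an SMS receiver that posts the message.
SMALI_ORIGINAL = """
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    invoke-virtual {p2}, Landroid/content/Intent;->getAction()Ljava/lang/String;
    move-result-object v0
    const-string v1, "android.provider.Telephony.SMS_RECEIVED"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    if-eqz v2, :cond_0
    invoke-static {p2}, Lcom/example/Sms;->extract(Landroid/content/Intent;)Ljava/lang/String;
    move-result-object v3
    invoke-static {v3}, Lcom/example/Net;->post(Ljava/lang/String;)V
    :cond_0
    return-void
.end method
"""
# Repackaged build: packages renamed, behaviour untouched.
SMALI_RENAMED = SMALI_ORIGINAL.replace("Lcom/example/", "Lcom/other/")
# Modified build: one extra call inserted before the exit label.
SMALI_MODIFIED = SMALI_RENAMED.replace(
    "    :cond_0\n", "    invoke-static {v3}, Lcom/other/Dbg;->log(Ljava/lang/String;)V\n    :cond_0\n"
)
# Unrelated method: a plain UI click handler.
SMALI_UNRELATED = """
.method public onClick(Landroid/view/View;)V
    iget-object v0, p0, Lcom/app/Main;->label:Landroid/widget/TextView;
    const-string v1, "clicked"
    invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
    return-void
.end method
"""

if __name__ == "__main__":
    base = simhash(extract_features(SMALI_ORIGINAL))
    for label, smali in [("renamed", SMALI_RENAMED), ("modified", SMALI_MODIFIED), ("unrelated", SMALI_UNRELATED)]:
        fp = simhash(extract_features(smali))
        print(f"{label:9s} similarity={similarity(base, fp):.3f} variant={is_variant(base, fp)}")
```

Because the call-site feature discards the declaring class, a pure package rename produces an identical fingerprint (similarity 1.0), while a modified build differs in only a few bits and an unrelated method drifts toward the ~0.5 similarity expected of random 64-bit fingerprints; on a real corpus the fingerprints would be stored in the graph database and compared with the same threshold.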

Section 04

Technical Highlights and Innovations

GAMBIT's core innovations include:

  1. Fuzzy Hashing + Graph Database: Combining TLSH and SimHash to accurately identify family and campaign associations of repackaged/modified samples;
  2. Three-Stage LLM Prompt Chain: Decomposing reverse engineering tasks to improve the accuracy and interpretability of generated content;
  3. Permission Combination Threat Modeling: Establishing permission combination → threat signal mappings for banking malware (e.g., ACCESSIBILITY_SERVICE + SYSTEM_ALERT_WINDOW marks UI overlay attacks);
  4. End-to-End Interpretability: Each analysis step has a clear reasoning chain, allowing analysts to trace the source of conclusions.
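The permission-combination threat modeling named in layer 3 of Section 03 and in item 3 above, as an added example that is not GAMBIT's own code: it parses a decoded AndroidManifest.xml, collects the requested permissions plus any accessibility service, and matches them against combination rules, returning the matched capabilities with each signal so the conclusion stays traceable (item 4). The two rules quoted by the page are kept as given; the third rule, the signal names and both manifests are assumptions constructed for the demo. The page writes ACCESSIBILITY_SERVICE as if it were a permission; in a decoded manifest it shows up as a service protected by android.permission.BIND_ACCESSIBILITY_SERVICE, which is how the example detects it.

```python
"""Permission-combination threat modeling (added example, not GAMBIT code).

Assumed: the rule table beyond the page's two examples, the signal names,
and the constructed manifests below.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# The page's ACCESSIBILITY_SERVICE marker corresponds to a <service> element
# protected by BIND_ACCESSIBILITY_SERVICE rather than a <uses-permission>.
ACCESSIBILITY_SIGNAL = "ACCESSIBILITY_SERVICE"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Rule table: every capability in the set must be present for the signal to fire.
RULES: Dict[str, Set[str]] = {
    "OTP_THEFT": {"READ_SMS", "INTERNET"},                       # page example
    "UI_OVERLAY": {ACCESSIBILITY_SIGNAL, "SYSTEM_ALERT_WINDOW"},  # page example
    "SMS_RELAY": {"RECEIVE_SMS", "SEND_SMS"},                     # assumed extra rule
}


def extract_capabilities(manifest_xml: str) -> Set[str]:
    """Collect short permission names plus the accessibility-service marker."""
    root = ET.fromstring(manifest_xml.strip())
    caps: Set[str] = set()
    for el in root.iter("uses-permission"):
        name = el.get(NAME_ATTR, "")
        if name.startswith("android.permission."):
            caps.add(name.rsplit(".", 1)[1])
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == BIND_ACCESSIBILITY:
            caps.add(ACCESSIBILITY_SIGNAL)
    return caps


def threat_signals(caps: Set[str]) -> Dict[str, List[str]]:
    """Map a capability set to fired signals, each with the evidence behind it."""
    return {sig: sorted(needed) for sig, needed in RULES.items() if needed <= caps}


# Constructed manifest of a fake banking app (not a real sample).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Helper">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="News"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in [("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)]:
        caps = extract_capabilities(xml)
        print(label, sorted(caps), threat_signals(caps))
```

Keeping the evidence list with each signal is what makes the report defensible: an analyst reading "UI_OVERLAY" can see it rests on the accessibility service plus SYSTEM_ALERT_WINDOW, and a false positive on a legitimate app that requests the same pair is visible rather than hidden inside a score.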

Section 05

Application Scenarios and Value

GAMBIT is suitable for the following scenarios:

  • Bank Fraud Investigation: Quickly analyze suspicious APKs to identify malware targeting bank customers;
  • Threat Intelligence Production: Automatically generate standardized reports to support SOC decision-making;
  • Malware Research: Multi-layer analysis capabilities help understand new types of malware;
  • Incident Response: Quickly assess threat severity and impact scope in emergency situations.

Section 06

Summary and Outlook

GAMBIT is an innovative application of generative AI in the cybersecurity field, integrating traditional reverse engineering with modern ML/LLM technologies to build an end-to-end intelligent analysis platform.

Future enhancement directions:

  • Real-time threat intelligence integration;
  • More refined behavioral simulation;
  • Automated integration with other security tools.