Expert Systems With Applications 218 (2023) 119593

Contents lists available at ScienceDirect

Expert Systems With Applications

journal homepage: www.elsevier.com/locate/eswa

An effective end-to-end android malware detection method✩

Huijuan Zhu a , Huahui Wei a , Liangmin Wang b ,∗, Zhicheng Xu c , Victor S. Sheng d ,∗
a
School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang, 212013, Jiangsu, China
b
School of Cyber Science and Engineering, Southeast University, Nanjing, 211189, Jiangsu, China
c
School of Mathematical Sciences, Jiangsu University, Zhenjiang, 212013, Jiangsu, China
d
Department of Computer Science, Texas Tech University, Lubbock, TX79409, TX, USA

ARTICLE INFO ABSTRACT

Keywords: Android has rapidly become the most popular mobile operating system because of its open source, rich
Android hardware selectivity, and millions of applications (Apps). Meanwhile, the open source of Android makes it
Malware detection the main target of malware. Malware detection methods based on manual features are easily bypassed by
Convolution neural network
confusing technologies and are suffering from low code coverage. Thus, we propose an automated extraction
Image feature
method without any manual expert intervention. Specifically, we characterize the vital parts of the Dalvik
executable (Dex) to an RGB (Red/Green/Blue) image. Furthermore, we propose a novel convolutional neural
network (CNN) variant with diverse receptive fields using max pooling and average pooling simultaneously
(MADRF), named MADRF-CNN, which can capture the dependencies between different parts of the image
(transferred from the Dex file) by capitalizing on multi-scale context information. To evaluate the effectiveness
of the proposed method, we conducted extensive experiments and our experimental results showed that the
Accuracy of our method is 96.9%, which is much better than state-of-the-art solutions.

1. Introduction
With the rapid development of the mobile Internet, smartphones
have become an indispensable part of people’s life. According to
statista’s smartphone operating system shipment market share report
in 2022, Android’s market share increased to 83.8% (Statista, 2021).
The huge market has also promoted the development of Android
malicious software (malware). A special report on Android malware
published by Chianxin Threat Intelligence Center indicated that about
2.3 million new malware were detected on the mobile terminal, and
about 6,301 new mobile phone malware were intercepted every day on
average. Among the malicious acts, malicious fee deductions accounted
for 34.9%. In addition, they also include resource consumption with
24.2%, rogue behavior with 22.8%, privacy theft with 12.3%, decep-
tion and fraud with 4.3% and remote control with 1.5% (QiAnXin,
2021).
Android malware detection has attracted considerable attention in
recent years, and the existing malware detection works can be roughly
divided into two categories: static analysis and dynamic analysis. Static
analysis (Arp, Spreitzenbarth, Hübner, Gascon, & Rieck, 2014; Gao,
Cheng, & Zhang, 2021; Mahindru & Sangal, 2021; Rathore, Sahay,
Nikam, & Sewak, 2021; Wang et al., 2017) rely on the features ex-
tracted from Android package (APK) files without running. In addition
to the classic permissions and API, some studies have found that
Android-related intents, strings and components can also effectively
characterize malware. One of the typical works is Drebin proposed
by Arp et al. (2014). Besides, Mahindru and Sangal (2021) proposed
MLDroid to detect real-world malware by selecting permissions and API
calls as raw features. Gao et al. (2021) converted the malware detection
problem into a node classification task by mapping Apps and APIs into
a large heterogeneous graph. Dynamic detection (Cai, Jiang, Gao, Li, &
Yuan, 2021; D’Angelo, Palmieri, Robustelli, & Castiglione, 2021; Enck
et al., 2014; Haq, Khan, & Akhunzada, 2021; Hasan, Ladani, & Zamani,
2021; Liu et al., 2015; Millar, McLaughlin, del Rincon, & Miller, 2021;
Sihag, Vardhan, Singh, Choudhary, & Son, 2021) refers to monitoring
the runtime behaviors of an App. For instance, Surendran, Thomas, and
Emmanuel (2020) proposed a graph signal-based malware detection
method GSDroid, which captures the runtime system call dependencies
as raw features. Enck et al. (2014) proposed a dynamic stain analysis
tool Taintdroid to detect malware by monitoring sensitive information
flow. Liu et al. (2015) used API hooks to obtain the software runtime

✩ This study was funded by the National Key R&D Program of China (2020YFB1005500), the Leading-edge Technology Program of Jiangsu Natural Science
Foundation (BK20202001) and the National Natural Science Foundation of China (62272204).
∗ Corresponding authors.
E-mail addresses: [email protected] (H. Zhu), [email protected] (H. Wei), [email protected] (L. Wang), [email protected]
(Z. Xu), [email protected] (V.S. Sheng).

https://doi.org/10.1016/j.eswa.2023.119593
Received 27 September 2022; Received in revised form 17 January 2023; Accepted 19 January 2023
Available online 28 January 2023
0957-4174/© 2023 Elsevier Ltd. All rights reserved.
H. Zhu et al.
information to detect malware. They applied a real-time system to
monitor potential privacy data abuse and system call behavior and so
on.
These methods have achieved excellent performance. However,
static methods are difficult to deal with code confusion technologies,
and dynamic methods are suffering from time-consuming. Another
interesting research branch of malware detection, namely, directly
converting a Dex file to an RGB (Red/Green/Blue) image, has achieved
unexpected success (Fang, Gao, Jing, & Zhang, 2020; Hu et al., 2014;
Marastoni, Continella, Quarta, Zanero, & Dalla Preda, 2017; Meng
et al., 2016; Wang, Zhou, Lu, & Zhang, 2019). The executable codes of
Android Apps are stored in the Dex files in hexadecimal. Correspond-
ingly, the color in the computer can also be expressed in hexadecimal.
Compared with traditional features (such as API, permissions and com-
ponents), image features only require simple conversion processing,
which completely gets rid of manual intervention. Meanwhile, they are
more effective than traditional features in dealing with code confusion
and cover almost all the codes of an App.
The existing image-based malware detection methods mainly con-
vert the whole Dex or manifest file into an image and feed the image
into the neural network. However, after in-depth analysis, we find that
not all parts of these files make a positive contribution to malware
detection. Moreover, these efforts often ignore the relationship between
different sections of the Dex file and different parts of the corresponding
image converted, Therefore we propose a novel Android malware
detection framework, named MADRF-CNN, by converting the cropped
compact Dex files into an image. The main contributions of this article
are as follows:
• We propose an image-based end-to-end Android malware de-
tection method without any manual expert intervention which
improves the anti-confusion ability. Moreover, the framework
includes a novel method MADRF-CNN to mine the association
relationship between different parts of the Dex file.
• We propose a novel preprocessing method for Dex files, which
can not only reduce the resource consumption of network training
but also effectively improve detection performance by eliminating
unimportant redundant sections.
• We collected the latest Apps from Google Play Store and Virus-
share and so on to build a dataset to effectively characterize the
current situation of malware. We evaluated the effectiveness of
the proposed method in various aspects and compared it with
similar state-of-the-art solutions.
The rest of this paper is arranged as follows. The second section
discusses related work. The third section illustrates the overall archi-
tecture of MADRF-CNN. The fourth section shows and discusses our
experimental results. The fifth section summarizes our work and points
out future work.
2. Related works
In recent years, machine learning technologies based on manual
features (e.g., permissions, APIs, components, intents) are widely used
in malware detection (Calleja, Martín, Menéndez, Tapiador, & Clark,
2018). As the commonest used features, permissions play an important
role in malware detection (Li & Li, 2020; Wu et al., 2021; Zhu, Wang,
Zhong, Li, & Sheng, 2022). For instance, Zhu et al. (2022) proposed a
malware detection framework based on hybrid deep learning by using
permissions and sensitive APIs to represent an App. Li and Li (2020)
extracted multiple information such as permissions, components, sys-
tem calls and IP addresses of Apps to construct feature vectors and
improved the robustness of the proposed malware detection model
based on integrated deep learning from the perspective of adversarial
training. Wu et al. (2021) characterized malware with API calls and
permissions and introduced an attention mechanism based on Multi-
layer Perceptron (MLP) to detect malware and interpret it. Huang, Lu,
2
Expert Systems With Applications 218 (2023) 119593
Ping, Sun, and Ye (2020) extracted the API call sequences by running
the App in virtual environments and processed the extracted features
for subsequent modules, such as Temporal Convolution Network (TCN)
and attention layer. To exploit the benefits of various types of fea-
ture and deep learning methods, Gibert, Mateu, and Planes (2020)
proposed a multimodal deep learning based method HYDRA, which
uses CNN and a fully connected layer to learn meaningful features
from multiple types of features (e.g., API-based features, Byte-based
features and Opcode-based features) and the learned feature are input
into softmax after being integrated by the fully connected layer. Alazab,
Alazab, Shalaginov, Mesleh, and Awajan (2020) proposed an effective
machine learning based malware detection method employing request
permissions and API calls. It is worth mentioning that they divided
the APIs into three groups, namely ambiguous, risky and disruptive.
Their experiments showed that the combination of destructive and
risk API calls plays an important role in malware detection. Kabakus
(2022) proposed an end-to-end Android malware detection framework
DroidMalwareDetector based on CNN, which uses intents and API
calls alongside the permissions to perform comprehensive malware
analysis. Lakshmanarao and Shashi (2022) extracted opcode sequences
from Android APK files. The extracted raw features are preprocessed
and input to Long Short-term Memory (LSTM) for malware detection.
A series of malware detection methods based on dynamic feature
analysis have also been proposed Liu, Li, Zhao, Su, and Liu (2021),
Wang et al. (2020), Zhang, Qi, and Wang (2020). For instance, Zhang
et al. (2020) proposed a stacked deep network architecture to automat-
ically learn the correlation between API features, which combined with
the advantages of CNN and Bi-LSTM. They used the Cuckoo sandbox to
run the samples and simulate the user’s operation, and then extracted
the API call sequence to construct the feature vector. Xue, Zhou, Chen,
Luo, and Gu (2017) proposed an on-device dynamic analysis tool by
tracking information flow and monitoring the device at the system
level and instruction level. Wang et al. (2020) monitored kernel-level
source data to capture the dynamic behavior of each target process, and
then built an anomaly detection model based on a neural embedded
network. Alzaylaee, Yerima, and Sezer (2020) proposed a deep learning
based malware detection system DL-Droid, which utilizes dynamic
analysis (e.g., API calls, Actions/Events) combining a stateful input
generation method. Martín, Rodríguez-Fernández, and Camacho (2018)
proposed an Android malware families classification method CANDY-
MAN by exploiting dynamic traces and Markov chains. Zhou (2021)
performed taint analysis and dynamic function tracing to identify pri-
vate information leaks. Cai, Meng, Ryder, and Yao (2018) presented a
novel dynamic malware detection method DroidCat based on Random
Forest (RF) by profiling inter-component communication (ICC) intents
and method calls.
The existing machine learning-based malware detection works usu-
ally extract limited features from Dex (manifest) files or part of App
runtime behaviors. These features are usually one-sided and not enough
to fully characterize malware. The recent great success of CNN in
image recognition provides a new direction. Bakour and Ünver (2021)
proposed DeepVisDroid, which converts manifest files and Dex files
into grayscale images and feeds them to CNN to detect malware. Simi-
larly, Ghouti and Imam (2020) firstly converted the executable code of
an App into a grayscale image, and then Support Vector Machine (SVM)
is adopted for classification. Xiao and Yang (2019) proposed a CNN-
based Android malware detection method by converting the whole
Dalvik bytecode into an RGB image. Bourebaa and Benmohammed
(2020) transformed Dex files into grayscale images and then used CNN
for recognition. Yadav, Menon, Ravi, Vishvanathan, and Pham (2022)
proposed an image-based Android malware detection method without
relying on manual analysis. It mainly explores the performance of the
pre-trained EfficientNet-B4 model in malware detection by inputting
RGB images converted from Dex files. Sun, Daoudi, Allix, and Bissyandé
(2021) exploited the CNN model to detect malware by feeding gray-
scale images converted from binary code and metadata/configuration
H. Zhu et al.
Fig. 1. The proposed end-to-end android malware detection framework.
files of Android APKs. Vasan et al. (2020) proposed an image-based
malware detection method IMCFN using fine-tuned CNN. Specifically, it
converts the raw malware binaries into color images and then the fine-
tuned CNN architecture is employed to detect and identify malware
families. Zhang, Luktarhan, Ding, and Lu (2021) proposed an effective
Android malware detection method based on TCN by inputting byte-
code gray images. The gray images are converted from the combination
of AndroidManifest.xml and the data section of classes.dex.
Unfortunately, the entire Dex files or most of them are converted
to images and input to CNN, which is excessively time-consuming
and inefficient. More importantly, most parts of Dex files, such as
data and header, are difficult to provide cost-effective information for
malware analysis. Therefore, we propose a cutting method for Dex files,
which can reduce the overhead of subsequent deep network training
and improve detection performance by removing redundant sections.
Specifically, these compact and high-value RGB images achieved by
our cutting method are input to the proposed MADRF-CNN network to
learn more efficient features. Finally, an efficient end-to-end malware
detection method is proposed in this work.
3. The proposed end-to-end malware detection framework
We propose an end-to-end malware detection framework without
relying on manual features, named as MADRF-CNN, to efficiently detect
Android malware. As shown in Fig. 1, the proposed end-to-end malware
detection framework can be divided into three main phases: Dex file
cutting, image features generation and classification. Dex files can be
obtained by decompressing the Android APK files. When the necessary
sections of Dex files are filtered, one pixel can be generated from every
three-hexadecimal number of the sections of Dex files. Then, these
pixels can form an image. Classification is conducted by our proposed
network MADRF-CNN. The source code to extract features is available
at https://github.com/MADRF-CNN/extractor.
3.1. The cut method of the dex file
An APK file is essentially a zip file which contains the entire project
of this App, including resource files, signature, Dex files, manifest files
and so on. The Dex files contain all operation instructions and runtime
3
Expert Systems With Applications 218 (2023) 119593
Algorithm 1: reprocess Dex files
Data: a Dex file
Result: a txt file with hexadecimal characters
Array of 𝐷𝑒𝑥 ← read current Dex file;
ℎ𝑒𝑎𝑑𝑒𝑟 ← 𝐷𝑒𝑥[0, 112];
// six sections with the same operation, so take
one as an example
for 𝑛𝑎𝑚𝑒 ← 𝑠𝑡𝑟𝑖𝑛𝑔, 𝑡𝑦𝑝𝑒, 𝑝𝑟𝑜𝑡𝑜, 𝑓 𝑖𝑒𝑙𝑑, 𝑚𝑒𝑡ℎ𝑜𝑑, 𝑐𝑙𝑎𝑠𝑠 do
for 𝑠𝑡𝑎𝑟𝑡_𝑝𝑜𝑠𝑖𝑡𝑖𝑜𝑛 ← 56 to 96 do
// Reverse is a function that reverses the
order of input array
// hexToDec is a function that translates hex
number to dec number
𝑛𝑎𝑚𝑒 𝑠𝑖𝑧𝑒 ←
ℎ𝑒𝑥𝑇 𝑜𝐷𝑒𝑐(Reverse(ℎ𝑒𝑎𝑑𝑒𝑟[start_position,start_position+4]));
𝑛𝑎𝑚𝑒 𝑜𝑓 𝑓 𝑠𝑒𝑡 ←
ℎ𝑒𝑥𝑇 𝑜𝐷𝑒𝑐(Reverse(ℎ𝑒𝑎𝑑𝑒𝑟[start_position+4,start_position+8]));
𝑠𝑡𝑎𝑟𝑡_𝑝𝑜𝑠𝑖𝑡𝑖𝑜𝑛 ←𝑠𝑡𝑎𝑟𝑡_𝑝𝑜𝑠𝑖𝑡𝑖𝑜𝑛 + 8;
𝑤𝑟𝑖𝑡𝑒(Dex[𝑛𝑎𝑚𝑒 𝑜𝑓 𝑓 𝑠𝑒𝑡,𝑛𝑎𝑚𝑒 𝑜𝑓 𝑓 𝑠𝑒𝑡 + 𝑛𝑎𝑚𝑒 𝑠𝑖𝑧𝑒]);
// function 𝑤𝑟𝑖𝑡𝑒 put the needed hex characters
into a new txt file
end
end
data of an Android App, which can provide a panorama of the App. To
obtain the Dex file, we first decompress the APK file of each App, and
then retain the files ending with .dex by matching the suffix of files. As
shown in Fig. 2, a Dex file can be divided into three portions: header,
index and data. The header portion stores the basic information such
as sizes and offsets of other sections. The index portion consists of the
following parts: the string index, the type index, the proto index, the
field index, and the method index. The data portion contains the data
section and class definitions and so on. Therefore, besides the general
direction, a Dex file can be divided into eight sections according to the
offset and size of each section recorded in the header portion. But not
H. Zhu et al.
Fig. 2. The structure of a Dex file.
all of them can provide cost-effective information for malware analysis.
Then, we abandon the header and data portions. This is because the
header portion is used to locate every single section of the Dex file and
identify some basic information of one Dex file, which is usually the
same in essentials. The reasons that we abandon the data portion are
as follows.
• A small amount of malicious behaviors is enough to make an App
be identified as malware. However, the major parts of the data
portion in malicious Apps are legitimate, and the data portion
usually accounts for 80% of Dex files. Intuitively, the data portion
makes an App developed in a benign direction.
• Images with the data portion as a component bring a heavy
load to the deep learning-based method. Specifically, it is not
only extremely time-consuming but also sharply increases the
difficulty to learn efficient features.
• Adjusting the size of the image to fit the input of the deep
network is a conventional operation. However, information loss is
inevitable during the process of resizing. Therefore, images with
a large amount of redundant information will increase the risk of
crucial information loss.
As shown in Algorithm 1, we extract six parts (i.e., String_ids,
Type_ids, Proto_ids, Field_ids, Method_ids and Class_ids) of the Dex file
according to the offset and size information provided by the header,
and then write them into a new file. Hence, the final retained parts
should be compact and efficient. It is worth mentioning that the Dex file
adopts Little-Endian, so when translating it into a well-known decimal
number, it is necessary to reverse the sequence to obtain the correct
value.
3.2. Image features generation process
One APK file usually contains multiple Dex files with the same
structures when an APK stores more than 65,536 methods. Therefore,
as shown in Fig. 3, we integrate multiple Dex files by following the
method in Fang et al. (2020). In addition, similar to the Dex file,
the manifest file is another important file in APK, which contains
significant configuration information of an App. Because the size of
the manifest file is small and it is also a hexadecimal file before
decompilation, the manifest file can also be used to generate an image.
The RGB color contains three components, which are known as
red, green and blue. The value of each color component ranges from
0 to 255, which is the same as the value range represented by two
hexadecimal characters. As a result, this transformation process takes
less effort than extracting text features from manifest or other files.
Compared with grayscale images (single channel, which can represent
256 colors), RGB images (three channels, which can represent 224
4
Expert Systems With Applications 218 (2023) 119593
Algorithm 2: image converting
Data: a txt file with hex characters
Result: an image of APK file
// ℎ𝑒𝑥𝑇 𝑜𝐵𝑦𝑡𝑒𝐴𝑟𝑟𝑎𝑦 is a function that convert hex
characters to bytes
𝑏𝑦𝑡𝑒 𝐴𝑟𝑟𝑎𝑦 ← ℎ𝑒𝑥𝑇 𝑜𝐵𝑦𝑡𝑒𝐴𝑟𝑟𝑎𝑦(readFileContent(𝑡𝑥𝑡 𝑓 𝑖𝑙𝑒));
Input: 𝑏𝑦𝑡𝑒 𝐴𝑟𝑟𝑎𝑦, 𝑤𝑖𝑑𝑡ℎ, ℎ𝑒𝑖𝑔ℎ𝑡
Output: 𝑝𝑖𝑥𝑒𝑙 𝐴𝑟𝑟𝑎𝑦
for 𝑖 ← 0 to ℎ𝑒𝑖𝑔ℎ𝑡 do
for 𝑗 ← 0 to 𝑤𝑖𝑑𝑡ℎ do
𝑖𝑑𝑥 ← 𝑤𝑖𝑑𝑡ℎ × 𝑖 + 𝑗;
𝑟𝑔𝑏𝐼𝑑𝑥 ← 𝑖𝑑𝑥 × 3;
𝑟𝑒𝑑 ← 𝑏𝑦𝑡𝑒 𝐴𝑟𝑟𝑎𝑦[rgbIdx];
𝑔𝑟𝑒𝑒𝑛 ← 𝑏𝑦𝑡𝑒 𝐴𝑟𝑟𝑎𝑦[rgbIdx+1];
𝑏𝑙𝑢𝑒 ← 𝑏𝑦𝑡𝑒 𝐴𝑟𝑟𝑎𝑦[rgbIdx+2];
𝑐𝑜𝑙𝑜𝑟 ← ((𝑏𝑙𝑢𝑒&0x000000FF),
(𝑔𝑟𝑒𝑒𝑛&0x0000FF00)>>8,
(𝑟𝑒𝑑&0x00FF0000)>>16);
𝑝𝑖𝑥𝑒𝑙 𝐴𝑟𝑟𝑎𝑦[idx] ← 𝑐𝑜𝑙𝑜𝑟;
end
end
Input: 𝑝𝑖𝑥𝑒𝑙 𝐴𝑟𝑟𝑎𝑦
Output: 𝑖𝑚𝑎𝑔𝑒
// set the pixels of the image and then write it to a
file with ‘jpg’ as its suffix
// 𝑠𝑒𝑡𝑅𝐺𝐵 and 𝑤𝑟𝑖𝑡𝑒 are functions of class
BufferedImage
𝑖𝑚𝑎𝑔𝑒 ← BufferedImage;
𝑠𝑒𝑡𝑅𝐺𝐵(pixel Array);
𝑤𝑟𝑖𝑡𝑒(image);
colors) can store more information. Compared with other text features,
image features show more connection between functions inside the
App, which means more malicious combinations of functions will be
learned when one image is fed into a deep network. As shown in
Algorithm 2, the filtered Dex file is firstly converted into a file com-
posed of hexadecimal numbers. After reading the hexadecimal file,
we specify the required image height and width, and use the ‘‘idx’’
variable to identify the starting position of six hexadecimal characters.
Next, the RGB file is constructed according to the following conversion
rules, that is, every six hexadecimal characters form a pixel containing
three channels, which are red, green and blue in turn. The value of
three channels is taken out through ‘‘and’’ and ‘‘shift’’ operation and
calculated to decimal numbers, which will eventually form a pixel
matrix (for example: 0x868816 =R:134, G:136, B:22). Further, the
generated pixel matrix is written into the jpg file to complete the
conversion process.
3.3. The classification based on MADRF-CNN algorithm
Due to its strong data fitting ability, as a feature extractor or
classifier, CNN performs well in various fields (Oquab, Bottou, Laptev,
& Sivic, 2014). However, there are some recent deep learning based
methods ignore the global context information as well as the receptive
fields of pixels and do not consider the reuse of pixel features during
the feature extraction stage (Peng, Yu, Peng, & Lu, 2021; Wang, Guo,
& Wang, 2021). Therefore, in this work, we propose a novel variant
of CNN with diverse receptive fields using max pooling and average
pooling simultaneously, known as MADRF-CNN. Specifically, we first
stack two CNN blocks as feature extractor and attaches a MADRF block.
The classifier is implemented by three Fully Connected (FC) layers and
the Softmax function. In addition, we name the network structure that
only use one pooling method (i.e., max pooling and average pooling) as
H. Zhu et al.
Fig. 3. Merging multiple Dex files.
Fig. 4. The architectural overview of model.
MaxDRF and AvgDRF for comparison in subsequent experiments. The
architectural overview of the proposed method MADRF-CNN is shown
in Fig. 4.
Before feeding into deep networks, each image is resized to 200 ×
200 and normalized to [0, 1]. The CNN block is generated by the
combination of a convolutional layer with ReLU as its activation and a
max pooling layer. The forward propagation of the convolutional layer
is as follows.
∑ 𝑘ℎ−1
𝑘𝑤−1 ∑ ∑𝑐
𝑥𝑙−1,𝑑
𝑙,𝑚,𝑑
𝑧𝑙,𝑚
𝑢,𝑣 = 𝑓 ( 𝑢×𝑠+𝑖,𝑣×𝑠+𝑗 𝑘𝑖,𝑗 + 𝑏𝑙,𝑚 ) (1)
𝑖=0 𝑗=0 𝑑=0
where 𝑧𝑙,𝑚 represents the 𝑚th feature map of the output of the 𝑙th
layer, and 𝑥𝑙,𝑑 represents the 𝑑th channel of the input of 𝑙th layer after
padding. The channel number of the output is denoted by 𝑐. The width,
height and stride of the convolutional kernel are represented as 𝑘𝑤, 𝑘ℎ
and 𝑠, respectively. Additionally, 𝑘𝑙,𝑚,𝑑 represents the weights of the 𝑑th
kernels of the 𝑚th convolutional filter in 𝑙th layer, and 𝑏𝑙,𝑚 represents
the bias of the filter. Besides, 𝑓 is the activation function and it is ReLu
in this work.
To further capture the dependencies between different parts of a
Dex file (image) by capitalizing on multi-scale context information,
we propose a novel CNN block with MADRF. As shown in Fig. 4, the
input of MADRF is the feature maps achieved by the CNN blocks.
MADRF can freely expand the receptive field to acquire multi-scale
5
Expert Systems With Applications 218 (2023) 119593
context information. To balance the cost and efficiency, we retain three
different receptive fields. In addition, average pooling and max pooling
are employed in MADRF for scale conversion. Then, three convolutional
layers are utilized to process those three scale feature maps. After
parallel pooling operation, the acquired features are spliced as the input
of the fully-connection layer. The procedure is shown as follows.
𝑝𝑟,𝑚
𝑢,𝑣 = 𝑚𝑎𝑥 𝑧𝑚 (2)
0≤𝑖≤𝑤𝑤𝑟 −1,0≤𝑗≤𝑤ℎ𝑟 −1 𝑢×𝑠𝑟 +𝑖,𝑣×𝑠𝑟 +𝑗
𝑝𝑟,𝑚 𝑧𝑚 (3)
𝑢,𝑣 = 𝑎𝑣𝑒𝑟𝑎𝑔𝑒
0≤𝑖≤𝑤𝑤𝑟 −1,0≤𝑗≤𝑤ℎ𝑟 −1
𝑢×𝑠 𝑟 +𝑖,𝑣×𝑠𝑟 +𝑗
𝑎𝑟 = 𝐶𝑜𝑛𝑣(𝑝𝑟 ), 𝑟 ∈ {𝑟1 , 𝑟2 , 𝑟3 } (4)
where 𝑟 represents the scale of the width or height of the output
feature map of a pool compared with the input one, 𝑤𝑤𝑟 , 𝑤ℎ𝑟 , 𝑠𝑟 mean
the window width, window height and stride of the pool, which are
all not fixed but depend on 𝑟, and 𝐶𝑜𝑛𝑣 donates the convolutional
layer. MADRF improves the receptive fields (Luo, Li, Urtasun, & Zemel,
2016) of feature maps greatly. The receptive field of the feature map
generated based on the original scale is only 3 × 3, while 60% scale
reaches 5 × 5 and 20% even reaches 15 × 15. The receptive field
is expanded to capture the long-distance dependence of interaction,
such as between String_ids and Methods_ids in the Dex file. This multi-
scale information is concatenated and input into FC layers to realize
classification. The detailed process is shown below, 𝑊 and 𝑏 are the
H. Zhu et al.
weights and bias of the FC layers, 𝑓 is the ReLU function, and 𝑥
represents the multi-scale features achieved by MADRF.
{ }
𝑥 = 𝑐𝑜𝑛𝑐𝑎𝑡𝑒𝑛𝑎𝑡𝑒 𝑓 𝑙𝑎𝑡𝑡𝑒𝑛(𝑎𝑟𝑝𝑜𝑜𝑙 ), 𝑟 ∈ {𝑟1 , 𝑟2 , 𝑟3 }, 𝑝𝑜𝑜𝑙 ∈ {𝑚𝑎𝑥, 𝑎𝑣𝑒𝑟𝑎𝑔𝑒}
𝐹 𝐶(𝑥) = 𝑓 (𝑥𝑊 + 𝑏)
𝑦̂ = 𝑠𝑜𝑓 𝑡𝑚𝑎𝑥(𝐹 𝐶(𝐹 𝐶(𝐹 𝐶(𝑥))))
where 𝑟1 = 𝑜𝑟𝑖𝑔𝑖𝑛𝑎𝑙, 𝑟2 = 60%, 𝑟3 = 20%. The cross-entropy loss function
is used to calculate the classification loss,
1 ∑
𝑁
̂ 𝑦) = −
𝑙𝑜𝑠𝑠(𝑦, 𝑦 𝑙𝑜𝑔(𝑦̂𝑖 )
𝑁 𝑖=1 𝑖
where 𝑁 represents the number of classes, and 𝑦 is the actual label in
one-hot representation.
4. Experiment
All the experiments have been conducted using an Intel Core i7-
11800H with 8 cores and 16 GB RAM. The k-fold cross-validation
with k=5 has been applied in this work. The source code to reproduce
the results of our work is available at https://github.com/MADRF-
CNN/malware_network.
4.1. Sample set and parameter setting
Given that some existing public datasets usually lag behind the
latest released Apps, the benign Apps of the dataset are collected
from Google Play Store (GooglePlayStore, 2022) and other legitimate
Android markets in the past two years. APKs that have not been
detected by any antivirus tool of VirusTotal (VirusTotal, 2022) are
labeled as benign. Similarly, malicious Apps are downloaded from
VirusShare (VirusShare, 2022). Finally, the dataset consists of 2,507
malicious apps and 1,417 benign ones. It is worth mentioning that the
dataset contains three types of features, i.e., the image features of Dex
files (which are obtained by our cutting method), the image features of
manifest files, the combination features of Dex and manifest files.
We have carried out a series of pre-experiments on the determi-
nation of network hyper-parameters. As we know, an inappropriate
learning rate will lead to a decline in the performance of a deep learn-
ing model, while an appropriate batch size will improve the training
speed and make the gradient decline direction more accurate. So for the
learning rate, we change the learning rate after fixing other parameters,
and its value range is [1e−5, 1e−3]. After that, we adjust the batch size
in the range [16,128]. Considering training efficiency and performance,
after a certain amount of pre-experiment and parameter adjustment, the
training parameters of MADRF-CNN are as follows: the batch size is 64
and the learning rate is 0.001, the number of epochs is set to 5 and the
optimizer is Adam.
In our MADRF-CNN method, we firstly stacked two CNN blocks,
which consist of a convolution layer with ReLU activation and a max
pool layer with a window size of 2. For these two blocks, we set the
kernel size, filter number, stride, and padding of the two convolution
layers are 3 × 3, 32, 1, 1 and 3 × 3, 64, 1, 1, respectively. The shape
of the output feature map is 𝑁 × 50 × 50, where 𝑁 is the number of
the batch size. Then, there is a MADRF block and the output sizes of
its every type of pools are 𝑁 ×50×50, 𝑁 ×30×30 and 𝑁 ×10×10 and every
pool is followed by a convolution layer with parameters 3 × 3, 16, 1,
1. We flatten and concatenate the six output feature maps. Finally, we
stacked three FC layers with structure 128-64-2 as a classifier, and their
activation functions of them are ReLU, ReLU and Softmax, respectively.
Expert Systems With Applications 218 (2023) 119593
4.2. Evaluation index
In this work, we regard malware detection as a binary classification
problem. The evaluation indicators employ the five most common and
representative indicators (e.g., Accuracy, Precision, Recall, F1-Score
(5)
and Matthews Correlation Coefficient (MCC)). It is worth mentioning
that MCC is a relatively appropriate evaluation indicator for unbal-
(6) anced datasets. Because our dataset (2,507 malicious apps and 1,417
benign ones) is unbalanced, we specially introduce the MCC indicator.
The metrics are on account of the true positive (TP), true negative (TN),
(7)
false positive (FP) and false negative (FN) values, where TP represents
the number of malicious Apps correctly identified as malware. TN rep-
resents the number of benign Apps correctly identified as benign Apps.
FP represents the number of benign Apps misclassified as malware. FN
(8) represents the number of malware misclassified as benign Apps.
𝑇𝑃 + 𝑇𝑁
Accuracy = (9)
𝑇𝑃 + 𝐹𝑃 + 𝑇𝑁 + 𝐹𝑁
𝑇𝑃
Precision = (10)
𝑇𝑃 + 𝐹𝑃
𝑇𝑃
Recall = (11)
𝑇𝑃 + 𝐹𝑁
2 × ( Precision × Recall )
𝐹 1-𝑆𝑐𝑜𝑟𝑒 = (12)
Precision + Recall
𝑇𝑃 × 𝑇𝑁 − 𝐹𝑃 × 𝐹𝑁
MCC = √ (13)
(𝑇 𝑃 + 𝐹 𝑃 )(𝑇 𝑃 + 𝐹 𝑁)(𝑇 𝑁 + 𝐹 𝑃 )(𝑇 𝑁 + 𝐹 𝑁)
4.3. Performance evaluation
To evaluate the effectiveness of the proposed method, we con-
ducted six sets of experiments using three types of features (i.e., Dex
images, manifest images and combination images), and the results
are reported in Table 1. The first set of experiments is based on the
image features of Dex files while running traditional CNN, and it
is named as Dex features (CNN) in Table 1. The second and third
sets are based on the manifest images and combination images re-
spectively using traditional CNN, and they are named as Manifest
features (CNN) and combination features (CNN) in Table 1. The first
three sets of experiments are the selected baselines. Correspondingly,
the fourth, fifth and sixth sets of experiments are to run our pro-
posed method MADRF-CNN on these three types of features, which are
named Dex features (MADRF-CNN), Manifest features (MADRF-CNN)
and combination features (MADRF-CNN) respectively in Table 1.
As we know, the manifest file will be loaded first during App
startup, because it contains a lot of important configuration informa-
tion. Numerous manual features are extracted from this file, e.g., per-
missions and components. Given the importance of the manifest file,
some image-based malware detection methods also convert the file
into an image, but as shown in Table 1, it does not perform well in
our experiment. We further investigate whether it can be used as a
supplementary to the Dex image to improve the detection performance.
Therefore, we conduct the third and sixth sets of experiments about
combination features, which are composed of manifest images and Dex
images. We can observe that the performance of combination features
has been significantly improved compared with using the manifest file
alone. For instance, all indicators are more than 90%, except MCC.
Unfortunately, it does not improve the performance achieved by Dex
image features. Therefore, we consider that files such as manifest are
not suitable to be converted into an image for malware detection,
because it contains a lot of redundant information in the structure.
The Dex file is a highly structured and standardized file. There
are internal links between different parts, and the proposed method
MADRF block focuses on mining this kind of association or inter-
action by exploiting on multi-scale context information. In fact, the
process of converting Dex files to images is completed byte by byte
6
H. Zhu et al.
Table 1
MADRF-CNN Performance Evaluation Results (Bold is the best, and italic is the second).
Feature types
Dex features (CNN)
Manifest features (CNN)
Combination features (CNN)
Dex features (MADRF-CNN)
Manifest features (MADRF-CNN)
Combination features (MADRF-CNN)
Table 2
Pooling Performance Evaluation Results using Dex Features (Bold is the best, and italic
is the second).
Pooling types Accuracy Precision Recall F1-Score
Max pooling 96.3% 96.8% 98.3% 95.1%
Average pooling 96.1% 96.2% 98.6% 94.8%
Max&average pooling 96.9% 97.1% 98.9% 95.9%
and part by part. It is very necessary to increase the flow of long-
distance information. This result in Table 1 further proves that our
proposed method MADRF can capture the dependence or interaction
of different parts of the image, which can further improve the feature
learning ability of the model. Table 1 shows that the proposed method
MADRF-CNN feeding the compact Dex image features achieved by our
cutting method perform the best with an average Accuracy of 96.9%,
Precision of 97.1%, Recall of 98.9%, F1-Score of 95.9% and MCC of
92.0%. To further verify the effectiveness of our proposed MADRF-
CNN, we input the compact Dex image features into the native CNN
realized by removing our MADRF block, that is, our first set of baseline
experiments. As shown in Table 1, using the same experimental setup,
compared with the native CNN, our MADRF-CNN achieves Accuracy
by 1, Precision by 0.6, Recall by 0.9, F1-Score by 1.4 and MCC by
2.7 percentage points improvements. In the experiments of the other
two types of features, our proposed method MADRF-CNN has also
brought significant performance improvement. For instance, compared
with that of native CNN, when feeding manifest image features, our
proposed method MADRF-CNN realizes Accuracy by 2.9, Precision by
0.9, Recall by 3.7, F1-Score by 2.8 and MCC by 5.9 percentage points
improvements.
As we know, average pooling (Hu, Shen, & Sun, 2018) has been
widely used to aggregate spatial information. In fact, max pooling can
also gather another important clue to obtain distinctive features (Woo,
Park, Lee, & Kweon, 2018). Thus, we utilize both average pooling and
max pooling simultaneously. We empirically confirm that exploiting
both of them effectively improves the representation power of the
proposed network. Specifically, the first set of experiments only use the
average pooling. The second set only uses the max pooling. The third
set uses both of them, which is the structure proposed by us. All three
sets of experiments are based on the image features of Dex files, which
is also the feature type recommended in this work. The results are
reported in Table 2. The experimental results in Table 2 indicate that
the combination of max and average pooling performs best. Compared
with the model that only uses the max pooling, the model using
the combination pooling achieves Accuracy by 0.6, Precision by 0.3,
Recall by 0.6, F1-Score by 0.8 and MCC by 1.7 percentage points
improvements, respectively. Compared with the model that only uses
the average pooling, the model using the combination pooling achieves
Accuracy by 0.8, Precision by 0.9, Recall by 0.3, F1-Score by 1.1 and
MCC by 2.3 percentage points improvements, respectively. To further
verify the reasonableness of our proposed method, we plot the obtained
accuracy and loss values during the training for both training and test
sets in Fig. 5. Specifically, during the training process, we saved a
model to obtain the accuracy and loss values of the test set after each
epoch. Generally, Table 2 and Fig. 5 show that combination pooling
can improve the detection performance.
Expert Systems With Applications 218 (2023) 119593
Accuracy Precision Recall F1-Score MCC
95.9% 96.5% 98.0% 94.5% 89.3%
78.1% 83.2% 86.1% 73.5% 48.3%
95.1% 96.1% 97.0% 93.6% 87.4%
96.9% 97.1% 98.9% 95.9% 92.0%
81.0% 84.1% 89.8% 76.3% 54.2%
95.5% 96.8% 97.2% 94.1% 88.4%
4.4. Comparison with existing works
To further verify the performance of our proposed method, we study
MCC
similar systems and select four of them for comparison. Two of them are
90.3%
based on grayscale images (Bakour & Ünver, 2021; Sun et al., 2021) and
89.7%
92.0% another two are based on RGB images (Fang et al., 2020; Xiao & Yang,
2019). These comparison schemes have not released their source codes
and datasets. Therefore, we re-implemented their feature extraction
and detection methods and conducted experiments on the datasets we
collected. It is worth noting that, because some parameter settings
in the original research are missing, considering both our hardware
conditions and the performance of the models themself, we set the
parameters as follows: the batch size we adopted is 64, the learning
rate is 0.001 and the number of epochs are 30, 20, 60 and 60 (The
ranking of comparison schemes in Table 3 from top to bottom).
Bakour and Ünver (2021) proposed a hybrid deep learning model
DeepVisDroid to detect Android malware based on grayscale image
features. In this work, the manifest.xml file, resources.arsc file and Dex
file from each APK are converted into grayscale images, and the images
are fed into CNN for learning. The malware detection method proposed
by Fang et al. (2020) converts the Dex file into the RGB image and
plain text respectively. Finally, these image features and text features
will be input into multiple kernel learning for classification. It is worth
mentioning that we only reproduce the part similar to our scheme.
That is, in the feature processing stage, we only convert the Dex file
into a grayscale image or RGB image. Sun et al. (2021) exploited
CNN model to detect malware by feeding gray-scale images converted
from binary code and metadata/configuration files of Android APK
files. Xiao and Yang (2019) propose a detection approach that directly
learns the meaningful features from Dalvik bytecode based on CNN.
Different from our proposed cutting scheme, these four works transform
the entire Dex file into grayscale or RGB image which is extremely
time-consuming. There are also some differences in the methods of
generating images. For example, the method proposed by Fang et al.
(2020) expands a single hexadecimal character to an RGB pixel, and
the size of the generated image exceeds 10MB. The comparison results
based on our reproduction process are shown in Table 3.
From Table 3, we can notice that our proposed MADRF-CNN per-
forms the best, comparing with other existing similar works. In detail,
in terms of Accuracy, Precision, Recall, F1-score and MCC, our method
achieves 1.7, 8.3, 6, 5.3 and 4.3 percentage points improvements than
that of DeepVisDroid. Compared with the method proposed by Sun
et al. (2021), our method realizes Accuracy by 6, Precision by 4.6,
Recall by 4.3, F1-score by 2.4 and MCC by 13.3 percentage points im-
provements, respectively. Compared with the method proposed by Xiao
and Yang (2019), our method achieves Accuracy by 4.2, Precision by
3.8, Recall by 3.4, F1-score by 1.5 and MCC by 7.8 percentage points
improvements, respectively. In addition, our method is superior to the
method proposed by Fang et al. (2020). We believe that this huge gap
is mainly caused by the differences in feature learning. Fang et al.
(2020) extracted the texture features and color features of RGB images
by using the GIST algorithm and Color Moment. It can be seen that
excessive preprocessing of original features sometimes does not bring
better performance improvement.
These four works can classify malware with gratifying performance,
but our method still has certain advantages. The main reason is that,
7
H. Zhu et al. Expert Systems With Applications 218 (2023) 119593

Fig. 5. Loss and accuracy of MADRF-CNN.

Table 3
Comparison results with the existing works using Dex Features (Bold is the best, and italic is the second).
Method Accuracy Precision Recall F1-Score MCC
Fang et al. (2020) 82.8% 75.5% 71.5% 73.1% 60.9%
DeepVisDroid (Bakour & Ünver, 2021) 95.2% 88.8% 92.9% 90.6% 87.7%
Xiao and Yang (2019) 92.7% 93.3% 95.5% 94.4% 84.2%
Sun et al. (2021) 90.9% 92.5% 94.6% 93.5% 78.7%
MADRF-CNN (ours) 96.9% 97.1% 98.9% 95.9% 92.0%

as mentioned before, our method generates RGB images that are not
dominated by the sections commonly appeared in both malware and
benign apps, such as the Dex header and the data section. In addition,
our work not only capitalizes on the excellent feature learning ability
of CNN, but also proposes a novel deep learning block MADRF to
augment the pixel receptive field and enhance the global awareness
of context information. Moreover, by combining two pooling methods
in the MADRF block, more comprehensive and effective features in the
image are learned. Thus, the network performance is further improved.
4.5. Discussion
In this work, an end-to-end malware detection method has been
proposed based on RGB image representation and MADRF-CNN. Three
types of image-based features have been constructed to verify the
effectiveness of MADRF-CNN. We can notice that the image converted
from the manifest file is far less effective than the image converted
from Dex files. Under the same network structure and parameters, the
average Accuracy of the latter can achieve 96.9%, while the result of
manifest features is only 81.0%. The main reasons we summarize are
as follows. Firstly, compared with Dex files, the size and number of
manifest files are far less. The manifest is generally less than 100kb,
while the Dex file is usually in MB, which means that the information
stored in the Dex file is more comprehensive and sufficient than the
manifest file. Moreover, it can be seen from the hexadecimal manifest
file that the content of this small file is also filled with numerous zero
characters. In other words, the information density of the manifest
file is much lower than that of the Dex file. In addition, there are
massive repetitive contents in the file, such as ‘‘Android: name’’ and
‘‘uses permission’’. On the premise of insufficient information density,
the existence of these redundant contents increases the difficulty of
feature recognition and learning. However, it is worth mentioning that
the important configuration information contained in this file is very
suitable for manual feature extraction.
5. Conclusion
With the rapid development of mobile App programming and anti-
reverse-engineering techniques, the difficulty of malware detection
is exacerbated. To address challenges in existing detection solutions
based on manual features, such as code obfuscation and limited cover-
age, we proposed an effective end-to-end Android malware detection

8
H. Zhu et al.
framework that does not rely on prior knowledge and manual fea-
tures. Specifically, the proposed method directly learns representative
features from compact Dex images based on Convolutional Neural
Network. To further capture the dependency or interaction between
different parts of each Dex image, we proposed a novel CNN vari-
ant MADRF-CNN. We conducted a series of experiments using the
dataset collected in the recent two years to verify the effectiveness
of the proposed methods, including the image cutting scheme and
the MADRF-CNN method. Additionally, we compared MADRF-CNN
with the existing state-of-the-art solutions. Experimental results demon-
strated that MADRF-CNN obtains better performance in malware de-
tection. The proposed method not only inherits the advantages of
malware detection methods based on image features, such as not
relying on manual interference and being able to deal with code
confusion technologies, but also inherits some inherent disadvantages
of such methods, such as lack of good interpretability. Therefore, we
will design more targeted and interpretable solutions based on the
inherent structure of Dex files and the visualization technology of CNN
to promote the applications of such end-to-end solutions.
CRediT authorship contribution statement
Huijuan Zhu: Conceptualization, Methodology, Writing – origi-
nal draft. Huahui Wei: Investigation, Software, Validation. Liangmin
Wang: Conceptualization, Methodology, Supervision. Zhicheng Xu:
Software, Validation. Victor S. Sheng: Conceptualization, Methodol-
ogy, Writing – review & editing.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Data availability
Data will be made available on request.
References
Alazab, M., Alazab, M., Shalaginov, A., Mesleh, A., & Awajan, A. (2020). Intelligent
mobile malware detection using permission requests and API calls. Future Generation
Computer Systems, 107, 509–521.
Alzaylaee, M. K., Yerima, S. Y., & Sezer, S. (2020). DL-Droid: Deep learning based
android malware detection using real devices. Computers & Security, 89, Article
101663.
Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., & Rieck, K. (2014). DREBIN:
Effective and explainable detection of android malware in your pocket. In Network
& distributed system security symposium (pp. 23–26).
Bakour, K., & Ünver, H. M. (2021). DeepVisDroid: Android malware detection by
hybridizing image-based features with deep learning techniques. Neural Computing
and Applications, 33(18), 11499–11516.
Bourebaa, F., & Benmohammed, M. (2020). Android malware detection using convo-
lutional deep neural networks. In 2020 international conference on advanced aspects
of software engineering (pp. 1–7).
Cai, M., Jiang, Y., Gao, C., Li, H., & Yuan, W. (2021). Learning features from enhanced
function call graphs for android malware detection. Neurocomputing, 423, 301–307.
Cai, H., Meng, N., Ryder, B., & Yao, D. (2018). Droidcat: Effective android malware
detection and categorization via app-level profiling. IEEE Transactions on Information
Forensics and Security, 14(6), 1455–1470.
Calleja, A., Martín, A., Menéndez, H. D., Tapiador, J., & Clark, D. (2018). Picking on
the family: Disrupting android malware triage by forcing misclassification. Expert
Systems with Applications, 95, 113–126.
D’Angelo, G., Palmieri, F., Robustelli, A., & Castiglione, A. (2021). Effective classifica-
tion of android malware families through dynamic features and neural networks.
Connection Science, 33(3), 786–801.
Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B., Cox, L. P., et al. (2014).
Taintdroid: An information-flow tracking system for realtime privacy monitoring
on smartphones. ACM Transactions on Computer Systems, 32(2), 1–29.
Fang, Y., Gao, Y., Jing, F., & Zhang, L. (2020). Android malware familial classification
based on dex file dection features. IEEE Access, 8, 10614–10627.
9
Expert Systems With Applications 218 (2023) 119593
Gao, H., Cheng, S., & Zhang, W. (2021). Gdroid: Android malware detection and
classification with graph convolutional network. Computers & Security, 106, Article
102264.
Ghouti, L., & Imam, M. (2020). Malware classification using compact image features
and multiclass support vector machines. IET Information Security, 14(4), 419–429.
Gibert, D., Mateu, C., & Planes, J. (2020). HYDRA: A multimodal deep learning
framework for malware classification. Computers & Security, 95, Article 101873.
GooglePlayStore (2022). Google play store. https://play.google.com/store/apps.
Haq, I. U., Khan, T. A., & Akhunzada, A. (2021). A dynamic robust DL-based model
for android malware detection. IEEE Access, 9, 74510–74521.
Hasan, H., Ladani, B. T., & Zamani, B. (2021). MEGDroid: A model-driven event
generation framework for dynamic android malware analysis. Information and
Software Technology, 135, Article 106569.
Hu, j., Shen, L., & Sun, G. (2018). Squeeze-and-excitation networks. In Proceedings of
the IEEE conference on computer vision and pattern recognition (pp. 7132–7141).
Hu, W., Tao, J., Ma, X., Zhou, W., Zhao, S., & Han, T. (2014). MIGDroid: Detecting
APP-repackaging android malware via method invocation graph. In 2014 23rd
international conference on computer communication and networks (pp. 1–7).
Huang, J., Lu, C., Ping, G., Sun, L., & Ye, X. (2020). TCN-ATT: A non-recurrent
model for sequence-based malware detection. In Pacific-asia conference on knowledge
discovery and data mining (pp. 178–190). Springer.
Kabakus, A. T. (2022). DroidMalwareDetector: A novel android malware detection
framework based on convolutional neural network. Expert Systems with Applications,
206, Article 117833.
Lakshmanarao, A., & Shashi, M. (2022). Android malware detection with deep learning
using RNN from opcode sequences. International Journal of Interactive Mobile
Technologies, 16(01), 145–157.
Li, S., Chen, J., Spyridopoulos, T., Andriotis, P., Ludwiniak, R., & Russell, G. (2015).
Real-time monitoring of privacy abuses and intrusion detection in android system.
In International conference on human aspects of information security, privacy, and trust
(pp. 379–390). Springer.
Li, D., & Li, Q. (2020). Adversarial deep ensemble: Evasion attacks and defenses
for malware detection. IEEE Transactions on Information Forensics and Security, 15,
3886–3900.
Liu, C., Li, B., Zhao, J., Su, M., & Liu, X. (2021). MG-DVD: A real-time framework for
malware variant detection based on dynamic heterogeneous graph learning. arXiv
preprint arXiv:2106.12288.
Luo, W., Li, Y., Urtasun, R., & Zemel, R. (2016). Understanding the effective recep-
tive field in deep convolutional neural networks. Advances in neural Information
processing systems, 29.
Mahindru, A., & Sangal, L. A. (2021). Mldroid-framework for android malware detection
using machine learning techniques. Neural Computing and Applications, 33(10),
5183–5240.
Marastoni, N., Continella, A., Quarta, D., Zanero, S., & Dalla Preda, M. (2017). Group-
Droid: Automatically grouping mobile malware by extracting code similarities. In
Proceedings of the 7th software security and protection workshop (pp. 1–12).
Martín, A., Rodríguez-Fernández, V., & Camacho, D. (2018). CANDYMAN: Classifying
android malware families by modelling dynamic traces with Markov chains.
Engineering Applications of Artificial Intelligence, 74, 121–133.
Meng, G., Xue, Y., Xu, Z., Liu, Y., Zhang, J., & Narayanan, A. (2016). Semantic
modelling of android malware for effective malware comprehension, detection, and
classification. In The 25th international symposium (pp. 306–317).
Millar, S., McLaughlin, N., del Rincon, J. M., & Miller, P. (2021). Multi-view deep
learning for zero-day android malware detection. Journal of Information Security
and Applications, 58, Article 102718.
Oquab, M., Bottou, L., Laptev, I., & Sivic, J. (2014). Learning and transferring mid-
level image representations using convolutional neural networks. In Proceedings of
the IEEE computer society conference on computer vision and pattern recognition (pp.
1717–1724).
Peng, D., Yu, X., Peng, W., & Lu, J. (2021). DGFAU-net: Global feature attention upsam-
pling network for medical image segmentation. Neural Computing and Applications,
33(18), 12023–12037.
QiAnXin (2021). Security situation analysis report of android platform in 2020. https:
//www.qianxin.com/threat/reportdetail?report_id=125.
Rathore, H., Sahay, S. K., Nikam, P., & Sewak, M. (2021). Robust android malware
detection system against adversarial attacks using Q-learning. Information Systems
Frontiers, 23(4), 867–882.
Sihag, V., Vardhan, M., Singh, P., Choudhary, G., & Son, S. (2021). De-LADY: Deep
learning based android malware detection using dynamic features. Journal of
Internet Services and Information Security, 11(2), 34–45.
Statista (2021). Smartphone market share. https://www.statista.com/statistics/
1236760/worldwide-smartphone-operating-system-shipment-market-share/.
Sun, T., Daoudi, N., Allix, K., & Bissyandé, T. F. (2021). Android malware detection:
Looking beyond Dalvik bytecode. In 2021 36th IEEE/ACM international conference
on automated software engineering workshops (pp. S34–39).
Surendran, R., Thomas, T., & Emmanuel, S. (2020). GSDroid: Graph signal based
compact feature representation for android malware detection. Expert Systems with
Applications, 159, Article 113581.
Vasan, D., Alazab, M., Wassan, S., Naeem, H., Safaei, B., & Zheng, Q. (2020). IMCFN:
Image-based malware classification using fine-tuned convolutional neural network
architecture. Computer Networks, 171, Article 107138.
H. Zhu et al.
VirusShare (2022). Virusshare. https://virusshare.com.
VirusTotal (2022). Virustotal. https://www.virustotal.com/gui/home/upload.
Wang, Z., Guo, Y., & Wang, J. (2021). Empower Chinese event detection with improved
atrous convolution neural networks. Neural Computing and Applications, 33(11),
5805–5820.
Wang, Q., Hassan, W. U., Li, D., Jee, K., Yu, X., Zou, K., et al. (2020). You are what
you do: Hunting stealthy malware via data provenance analysis. In 27th annual
network and distributed system security symposium.
Wang, X., Wang, W., He, Y., Liu, J., Han, Z., & Zhang, X. (2017). Characterizing android
apps’ behavior for effective detection of malapps at large scale. Future Generation
Computer Systems, 75, 30–45.
Wang, S., Zhou, G., Lu, J., & Zhang, F. (2019). A novel malware detection and
classification method based on capsule network. In International conference on
artificial intelligence and security (pp. 573–584). Springer.
Woo, S., Park, J., Lee, J., & Kweon, I. S. (2018). Cbam: Convolutional block attention
module. In Proceedings of the european conference on computer vision (pp. 3–19).
Wu, B., Chen, S., Gao, C., Fan, L., Liu, Y., Wen, W., et al. (2021). Why an android
app is classified as malware: Toward malware classification interpretation. ACM
Transactions on Software Engineering and Methodology, 30(2), 1–29.
10
Expert Systems With Applications 218 (2023) 119593
Xiao, X., & Yang, S. (2019). An image-inspired and cnn-based android malware
detection approach. In 2019 34th IEEE/ACM international conference on automated
software engineering (pp. 1259–1261). IEEE.
Xue, L., Zhou, Y., Chen, T., Luo, X., & Gu, G. (2017). Malton: Towards on-device
non-invasive mobile malware analysis for ART. In 26th USENIX security symposium
(pp. 289–306).
Yadav, P., Menon, N., Ravi, V., Vishvanathan, S., & Pham, T. D. (2022). EfficientNet
convolutional neural networks-based android malware detection. Computers &
Security, 115, Article 102622.
Zhang, W., Luktarhan, N., Ding, C., & Lu, B. (2021). Android malware detection using
TCN with bytecode image. Symmetry, 13(7), 1107.
Zhang, Z., Qi, P., & Wang, W. (2020). Dynamic malware analysis with feature
engineering and feature learning. In Proceedings of the AAAI conference on artificial
intelligence (pp. 1210–1217).
Zhou, Y. (2021). An automated pipeline for privacy leak analysis of android ap-
plications. In 2021 36th IEEE/ACM international conference on automated software
engineering (pp. 1048–1050). IEEE.
Zhu, H., Wang, L., Zhong, S., Li, Y., & Sheng, V. S. (2022). A hybrid deep network
framework for android malware detection. IEEE Transactions on Knowledge and Data
Engineering, 34(12), 5558–5570.