Android Malware Detection Based on RGB Images and Multi-feature Fusion

TL;DR

This paper introduces an innovative Android malware detection method that converts app features into RGB images and uses image classification models, achieving high accuracy and robustness against malware variants.

Contribution

It presents a novel end-to-end detection approach combining multi-feature fusion into RGB images analyzed by image classification models, outperforming traditional feature-based methods.

Findings

Achieves up to 97.25% detection accuracy.

Outperforms existing methods relying solely on DEX files.

Validates effectiveness of multi-feature fusion in malware detection.

Abstract

With the widespread adoption of smartphones, Android malware has become a significant challenge in the field of mobile device security. Current Android malware detection methods often rely on feature engineering to construct dynamic or static features, which are then used for learning. However, static feature-based methods struggle to counter code obfuscation, packing, and signing techniques, while dynamic feature-based methods involve time-consuming feature extraction. Image-based methods for Android malware detection offer better resilience against malware variants and polymorphic malware. This paper proposes an end-to-end Android malware detection technique based on RGB images and multi-feature fusion. The approach involves extracting Dalvik Executable (DEX) files, AndroidManifest.xml files, and API calls from APK files, converting them into grayscale images, and enhancing their texture features using Canny edge detection, histogram equalization, and adaptive thresholding techniques. These grayscale images are then combined into an RGB image containing multi-feature fusion information, which is analyzed using mainstream image classification models for Android malware detection. Extensive experiments demonstrate that the proposed method effectively captures Android malware characteristics, achieving an accuracy of up to 97.25%, outperforming existing detection methods that rely solely on DEX files as classification features. Additionally, ablation experiments confirm the effectiveness of using the three key files for feature representation in the proposed approach.