International Journal of Information Systems and Computer Technologies (IJISCT) Vol. 4, No. 1
ISSN: 2791-3635(Print), 2791-3643(Online). DOI: https://doi.org/10.58325/ijisct.004.01.0109

A Multimodal Machine Learning Approach for Android Malware Detection: Static Code Analysis

Ayesha Faiz*1, Muhammad Fuzail2, Anum Aftab3, Naeem Aslam4, Ahsan Jamal Akbar5
1-4 Department of Computer Science, NFC-IET University Multan, Pakistan.
5 Shanghai Jiao Tong University, Shanghai, China.

Corresponding Author: Ayesha Faiz (ayeshafaiz221@gmail.com)

ABSTRACT
The widespread use of Android devices has made them prime targets for various forms of malware, including Android
Trojans, adware, and botnets. Despite existing detection systems, the dynamic and evolving nature of these threats
calls for more robust detection methods. This study aims to enhance Android malware detection by combining static
code analysis with dynamic behavioral features through a multimodal machine learning framework. We propose a
multimodal model that integrates static features such as code structure and metadata with dynamic features like real-
time behavior analysis during application execution. Experimental results demonstrate that our multimodal approach
significantly outperforms traditional single-mode detection methods, achieving superior precision, recall, and overall
detection accuracy. By utilizing diverse datasets, feature extraction techniques, and independent model training for
each modality, our approach shows promise for real-world application in mobile security solutions. This research also
highlights potential future directions for further enhancement of malware detection through advanced machine
learning techniques, thus contributing to the strengthening of mobile security frameworks.

Keywords: Android malware detection; Static code analysis; Dynamic behavioral analysis; Machine learning
algorithms; Malware detection techniques; Mobile security

1. INTRODUCTION
In today’s digital era, Android devices are ubiquitous, becoming essential tools for communication, business, and
entertainment worldwide. This widespread adoption has, however, made Android devices prime targets for malware,
with cybercriminals increasingly exploiting vulnerabilities in the Android operating system. Mobile phones now
have hardware capable of offering as many services and applications as personal
computers. Malicious applications and hackers therefore take advantage of the lack of security and limited system capabilities
to design mobile-specific malware that accesses the most sensitive data or denies access to device functions. The
evolution of Android malware, from simple threats to more complex and sophisticated attacks, has raised significant
concerns regarding the privacy and security of mobile users. Given the exponential rise in Android-based threats, it is
crucial to address the growing security risks posed by malware targeting Android devices. Recently, more studies have targeted
this problem, but Android malware detection systems rely predominantly on single-mode approaches, such as static
code analysis or dynamic behavioral analysis, which fail to address the full spectrum of modern threats. Static analysis
is limited by its inability to assess real-time behaviors, while dynamic analysis alone struggles with resource efficiency
and scalability [1, 2]. As a result, current methods cannot adequately detect evolving threats like polymorphic malware
or advanced persistent threats, leaving users and devices vulnerable [3, 4]. This gap necessitates the development of a
multimodal approach that combines the strengths of both static and dynamic analysis to improve detection accuracy
and robustness.

As the popularity of Android devices continues to surge, so does the sophistication of the malware targeting them. In
fact, Android malware has evolved from simple SMS Trojans to more advanced threats that can hide from detection
and execute multiple types of attacks [5]. With over 100,000 new Android malware variants identified each year, the
current state of mobile security has never been more critical. This rapid rise in mobile threats underscores the urgent
need for improved malware detection mechanisms. Traditional detection methods, such as signature-based and
heuristic analysis, have proven insufficient in handling the complexity of today’s malware [6, 7]. These methods
are limited in detecting polymorphic malware, which constantly changes its signature, and often generate false
positives that disrupt the detection process. The widespread reliance on single-mode detection further emphasizes the
inadequacy of current solutions in addressing the full spectrum of emerging threats [2]. As a result, there is an urgent
need for more comprehensive, adaptive, and real-time solutions to improve Android malware detection.

This study proposes a novel solution to this challenge by employing a multimodal machine learning framework that
combines static code analysis and dynamic behavioral analysis to improve detection accuracy and efficiency. By
integrating these two approaches [8-15], we can enhance the identification of both known and unknown malware,
thereby reducing the limitations of single-method detection systems. The ability to apply machine learning to dynamic
data in real time makes this approach particularly timely, as it allows for quicker detection and better adaptation to
evolving threats. Given the growing volume and sophistication of Android malware, this study aims to contribute to
the development of more effective, real-time malware detection systems. The results of this research will not only
address the current limitations of Android security but also offer a scalable solution for future threats [16]. As such,
the need for this research is both relevant and urgent—as Android malware continues to evolve, so too must our
approaches to detecting and mitigating these threats.

This study is organized as follows. Section 2 presents a concise introduction to Android malware
and the significance of permissions, alongside a succinct examination of the model. Also in Section 2,
we analyze pertinent literature regarding methodologies associated with Android malware. In Section 3, we elaborate
on the proposed framework and subsequently discuss the findings, ending with the conclusion.

2. LITERATURE REVIEW
An extensive body of literature exists pertaining to the analysis of malware specifically for the Android operating
system. The increasing complexity and proliferation of Android malware necessitate advanced detection techniques.
Traditional methods such as signature-based detection are often insufficient against new and sophisticated malware.
This section reviews the current state of research in Android malware detection using multimodal machine learning
(ML) techniques, focusing on static code analysis and dynamic behavioral features [17, 18]. Android, developed by
Google, is the most widely used mobile operating system, powering billions of devices globally. Its open-source nature
and vast app ecosystem make it a target for malware developers. Android employs a permission-based security model
and sandboxing to isolate applications. Each app operates in its own sandbox, and access to critical system resources
is controlled through permissions granted by the user at installation or runtime. The application framework is
shown in Figure 1.

Figure 1: Android Operating System Architecture

2.1 Static Code Analysis Techniques


Static code analysis inspects an app's code without executing it, making it efficient and fast for scanning large numbers
of applications. TaintDroid [19] tracks sensitive data flow through app permissions to detect privacy violations. This
technique revealed that many apps misuse permissions, which could lead to data leaks. Drebin [20] uses a combination
of features such as permissions, API calls, and hardware components to classify apps, achieving high detection rates.
However, static analysis faces limitations, such as difficulty handling code obfuscation and the inability to detect
runtime behaviors. Techniques like DroidRanger [21] attempt to address some of these by using control flow graphs
and string analysis to detect obfuscated malware.

2.2 Dynamic Behavioral Feature Analysis


Dynamic analysis observes an app during execution, enabling detection of malicious behaviors that static analysis
might miss. For example, ANANAS [22] monitors system calls to identify deviations from normal behavior, while
Crowdroid [23] uses crowd-sourced data to detect network anomalies associated with malware. Machine learning
models applied to network traffic patterns [24] and resource usage patterns [12, 25] have also been used to detect
malware by recognizing unusual behaviors. However, dynamic analysis can be resource-intensive and is vulnerable
to evasion techniques, where malware detects and alters its behavior when it recognizes it is being analyzed. Table 1
presents a comparative analysis of multimodal machine learning techniques.

Table 1. Comparative Analysis of Multimodal machine learning techniques

| Study | Static Features | Dynamic Features | Model | Dataset | Performance Metrics |
|---|---|---|---|---|---|
| [18] | Permission, API calls | System calls | Ensembles of SVM | Custom dataset of 10,000 apps | Accuracy: 95%, Recall: 92%, F1-Score: 91%, Precision: 90% |
| [26] | Code structure | Network traffic patterns | Hybrid model | AndroZoo | Accuracy: 93%, Recall: 90%, F1-Score: 89%, Precision: 88% |
| [27] | API calls | Resource usage patterns | Deep neural network | Google Play Store dataset | Accuracy: 97%, Recall: 95%, F1-Score: 94.5%, Precision: 94% |
| [28] | Opcode sequences | API calls, Runtime behavior | Static, Dynamic | AndroZoo | Accuracy: 93%, F1 Score: 92% |
| [3] | Features from APK files | Execution traces | Static, Dynamic | Malgenome, Drebin | Accuracy: 94%, AUC: 0.93 |

2.3 Critical Analysis


From the literature, we observe that while static and dynamic techniques are useful, both methods have inherent
weaknesses. Static analysis, while fast and efficient, struggles with obfuscation and misses runtime behavior. Dynamic
analysis, on the other hand, detects behaviors but is resource-intensive and vulnerable to evasion. Machine learning
approaches are increasingly used to improve accuracy but may require large labeled datasets and can be prone to
overfitting [29]. Multimodal approaches, combining static and dynamic features, show promise but introduce
computational complexity and higher resource usage. The critical challenge lies in balancing detection accuracy with
the computational efficiency needed for mobile environments.

2.4 Identification of Research Gaps


The key gap identified in the research is the reliance on single-modality approaches, either static or dynamic, for
malware detection. Static analysis is effective for large datasets but cannot detect runtime behavior or obfuscated code.
Dynamic analysis, while comprehensive, consumes considerable resources and is vulnerable to evasion. The need for
a multimodal machine learning framework that can combine the strengths of both techniques is critical to enhancing
malware detection accuracy while being efficient enough for mobile devices with limited resources.

2.5 Challenges and Limitations


Despite progress, several challenges persist in Android malware detection:

a) Evasion Techniques: Malware authors use techniques like code obfuscation, polymorphism, and anti-analysis
to evade detection, making it difficult for traditional methods to identify threats.

b) Scalability: With the vast number of Android apps available, ensuring scalable detection systems is a
significant challenge [30].

c) Real-Time Detection: Malware detection needs to be efficient and operate in real-time without overburdening
device resources. Real-time detection algorithms that balance resource usage and detection accuracy are
essential.

d) Adversarial Attacks: Machine learning models are vulnerable to adversarial attacks [31], where small
modifications to input data can trick the model into misclassifying malware.

Future research avenues in this area include constructing complex multimodal ML frameworks, incorporating
enhanced deep learning paradigms [21], generating large and diverse datasets, and applying XAI tools to improve
understanding of the proposed malware identification systems.

3. RESEARCH METHODOLOGY
The primary goal of this research is to design and compare a novel multimodal machine learning framework for
detecting Android malware, incorporating both static and dynamic analysis. Static analysis involves examining an
app's code without executing it. This method is efficient and works well for scanning many apps quickly by identifying
known malware patterns, code structures, and suspicious permissions [32, 33]. However, it struggles with new malware
that uses obfuscation techniques or dynamic code loading to hide malicious actions during runtime. Dynamic analysis,
on the other hand, monitors the app's behavior while it is running. This approach tracks API calls, network activity,
file system changes, and interactions with the operating system to detect previously unseen types of malware. While
effective at identifying new or advanced threats, dynamic analysis is resource-intensive and can be evaded by malware
designed to behave innocuously in emulated environments.

Our proposed multimodal approach combines both static and dynamic analysis, addressing the weaknesses of each
method and improving overall detection capabilities. This combined approach has been shown to increase the accuracy
of malware detection and expand the range of detectable malware types [10]. By training multimodal machine learning
models, we aim to achieve superior detection performance compared to single-modality methods, providing better
protection against sophisticated malware. Figure 2 provides a general overview of the whole research process.

Figure 2. Overview of the Research Design

3.1 Data Collection

For this research, malware and benign app samples were collected from well-known sources. Malware samples were
obtained from databases like VirusTotal and AndroZoo, which provide access to a wide range of malware samples.
VirusTotal is a widely used repository for known threats, while AndroZoo offers a diverse set of APK files, including
novel malware variants [34]. For benign apps, the Google Play Store was the primary source, providing a wide array
of legitimate apps. By selecting samples from authoritative sources, we ensured a balanced dataset, which is crucial
for training accurate machine learning models.

Table 2. Summarized Data Collection

| Sample Type | Source | Number of Samples | Categories | Date Collected |
|---|---|---|---|---|
| Malware | VirusTotal | 1,500 | Adware, Ransomware, Spyware | January 2024 |
| Benign | Google Play | 1,200 | Social media, Utilities | February 2024 |

3.2 Feature Extraction


Feature extraction begins by decompiling Android APK files using tools like JADX and APKTool. JADX translates
APK files into Java source code, while APKTool decompiles them into smali code (Android bytecode). These tools
help us examine the static aspects of an app without executing it [1, 35]. We focus on analyzing the
AndroidManifest.xml file, which defines an app’s components and permissions. Permissions requested by an app can
indicate potential security threats—applications that request more permissions than necessary are flagged as
potentially risky.

3.2.1 Static Code Analysis


The decompilation process involves converting Android APK files back into their original source code or a form that
is readable and analyzable. Tools such as JADX and APKTool are commonly used for this purpose. JADX is a popular
open-source decompiler that translates APK files into Java source code, making it easier to analyze the structure and
content of an application [36]. APKTool, on the other hand, disassembles APK files into smali code, a human-readable
format of Android bytecode, and also allows for the reconstruction of the APK after modifications. These tools
facilitate a deeper inspection of the app’s static components without the need for execution.

The AndroidManifest.xml file within an APK contains essential information about the application, including its
permissions, components (activities, services, broadcast receivers, and content providers), [37] intents, and other
configuration details. Analyzing this file helps in extracting permissions requested by the app, which can be indicative
of its potential behavior and security risks. For instance, an app requesting excessive or unnecessary permissions might
be flagged as suspicious. Manifest analysis also includes identifying the app’s entry points and defined intents [38],
which are crucial for understanding its interaction with the system and other apps.
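
The manifest analysis described above, as an added example (not code from the paper): it parses an AndroidManifest.xml that APKTool has already decoded to text and extracts the requested permissions, the components, and the exported entry points with their intent actions. The sample manifest, the `HIGH_RISK` shortlist and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spells namespaced attributes as {uri}name

# Assumption: an illustrative shortlist of sensitive permissions, not the paper's feature set.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Extract permissions, components and exported entry points from a decoded manifest."""
    root = ET.fromstring(xml_text)
    permissions = sorted(
        {p.get(A + "name") for p in root.iter("uses-permission") if p.get(A + "name")}
    )
    components = []
    app = root.find("application")
    for tag in COMPONENT_TAGS:
        for node in (app.iter(tag) if app is not None else ()):
            actions = [a.get(A + "name") for a in node.findall("intent-filter/action")]
            declared = node.get(A + "exported")
            # Without an explicit android:exported, a component that declares an
            # intent filter is treated as reachable from other apps.
            exported = (declared == "true") if declared is not None else bool(actions)
            components.append(
                {"type": tag, "name": node.get(A + "name"),
                 "exported": exported, "actions": actions}
            )
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "high_risk": [p for p in permissions if p in HIGH_RISK],
        "entry_points": [c for c in components if c["exported"]],
        "components": components,
    }


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    print(report["package"], "requests", len(report["permissions"]), "permissions")
    print("high-risk:", report["high_risk"])
    for c in report["entry_points"]:
        print("entry point:", c["type"], c["name"], c["actions"])
```

In the constructed sample, a flashlight app asking for SMS and contacts access and registering a boot receiver is the kind of mismatch between stated purpose and requested capability that the text describes as suspicious.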

Bytecode analysis involves examining the app's compiled code to extract various features. This process can uncover
API calls, control flow graphs, and specific code patterns that are indicative of malicious behavior. API call analysis
identifies which system or third-party APIs are invoked by the app, revealing potential security threats or malicious
activities. Control flow graphs represent the execution paths within the code, helping to detect unusual or suspicious
control flows that might suggest malicious intent [1]. Code patterns, such as obfuscation techniques or the presence
of certain bytecode instructions, can also be indicative of malware.

3.2.2 Dynamic Behavioral Analysis


Dynamic behavioral analysis requires executing the app in a controlled environment to observe its runtime behavior.
This is typically done using sandboxing or emulation environments such as DroidBox or Cuckoo Sandbox. These
environments simulate the Android operating system, allowing apps to run as they would on a real device. The setup
includes configuring the sandbox or emulator to capture all relevant interactions and activities of the app during
execution.
Monitoring the execution of the app involves using various tools and techniques to trace system calls, analyze network
traffic, and monitor file system changes [39]. System call tracing tools track the system-level interactions of the app,
revealing its underlying operations. Network traffic analysis tools capture and analyze data packets sent and received
by the app, identifying potential communication with malicious servers [40]. Monitoring file system changes involves
tracking modifications made by the app to the device’s storage, such as creating, modifying, or deleting files.
In addition, we conduct bytecode analysis, which helps identify API calls and control flow graphs. These elements
highlight any suspicious activity in the app's behavior [41]. For example, API calls can indicate attempts to interact
with potentially malicious system or third-party functions, while control flow analysis can detect irregular behavior
patterns that may suggest malware. Algorithm 1 provides a general process for static and dynamic analysis, followed
by feature extraction and classification.

Algorithm 1. Feature Extraction and Classification

Input: Executable APK


Output: List of API calls
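from androguard.core.bytecodes import apk, dvm  # Androguard 3.x module layout

def extract_api_calls(apk_path):
    """Return the set of method references invoked anywhere in the APK's DEX code."""
    api_calls = set()
    # An APK is a ZIP archive; DalvikVMFormat parses DEX bytes, so read each classes*.dex.
    for dex_bytes in apk.APK(apk_path).get_all_dex():
        d = dvm.DalvikVMFormat(dex_bytes)
        for method in d.get_methods():
            if method.get_code() is None:  # abstract and native methods have no bytecode
                continue
            for ins in method.get_instructions():
                # Opcode names are invoke-virtual, invoke-static, invoke-direct/range, ...
                if ins.get_name().startswith("invoke"):
                    # The operand text lists registers first and the invoked method last.
                    api_calls.add(ins.get_output().split(", ")[-1])
    return api_calls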

3.3 Data Pre-processing


Any large data set, particularly one assembled from different sources and types of analysis, may contain
missing values. How missing data is handled is therefore an important question when working towards a clean dataset. The
techniques include imputation or deletion. Imputation replaces missing values with substitute values, such
as the mean, median, or mode in the case of numerical data [21], or the mode in the case of categorical data. Other methods such as
K-Nearest Neighbors (KNN) or regression imputation may also be used for better results. In certain circumstances, for
example when the percentage of missing values is low, observations with missing values can be deleted. Normalization
is the process of enhancing the stability and performance of a machine learning algorithm by transforming the values of the
numerical input features of the samples to a similar range. For instance, min-max scaling
rescales features to the range 0-1, and z-score normalisation rescales a feature
using its mean and standard deviation [4]. The collected data are normalized so that the values of no particular
feature dominate the learning process.

3.4 Development Environment


The proposed multimodal machine learning model was developed using Python, a versatile language with powerful
libraries for data analysis and machine learning. Key libraries used include:
scikit-learn: Used for implementing traditional machine learning algorithms and performing tasks like data
preprocessing and model evaluation [42].

TensorFlow and Keras: Employed to build and train deep learning models, particularly for handling complex neural
network structures.

Pandas and NumPy: Used for efficient data manipulation, handling large datasets, and performing mathematical
operations [43].

Androguard and APKTool have also been used for static analysis of APK files. Androguard is a full Python tool used
for extracting features, permissions, and API calls from Android apps. The development environment includes
Jupyter Notebook for creating interactive code and visualizing results, and PyCharm for Python-based code
development, debugging, and versioning.

3.5 Model Implementation

For our machine learning model, the RandomForestClassifier has been selected. This choice is motivated
by the fact that this model is best suited for datasets containing features of different types and also
offers model interpretability. The RandomForestClassifier works by training a set of decision trees and returns
the mode of the classes in the case of classification problems, and the mean of the predictions of the individual trees in the case
of regression problems. This makes it ideal for our work, since it handles the mixed types of data
arising from the different feature modalities and offers a measure of the relevance of each feature [21].

3.5.1 Model Selection


Types of Models: In the context of detecting Android malware using multimodal machine learning techniques, various
types of machine learning models are considered. Decision Trees, which create a tree-like model of decisions, are
simple yet effective for interpretability. Random Forests, an ensemble method using multiple decision trees [44],
enhance accuracy and robustness by reducing overfitting. Support Vector Machines (SVM) are effective for high-
dimensional spaces and can be used for classification by finding the optimal hyperplane. Neural Networks, particularly
deep learning models, are powerful for complex patterns and relationships in data. Ensemble Methods, which combine
multiple models to improve performance, such as boosting and bagging, are also explored for their robustness and
enhanced predictive power.

Selection Criteria: The selection of machine learning models is based on several criteria. The ability to handle
multimodal data, integrating both static and dynamic features, is crucial. Scalability is important to ensure the model
can handle large datasets efficiently [45]. Robustness to overfitting and noise in the data is another key criterion.
Additionally, previous success in malware detection tasks provides a proven track record for certain models, making
them preferable choices. Models that can balance interpretability and predictive power are particularly valuable in
cybersecurity applications.

3.5.2 Model Training


Training involved using the training data set to fit the RandomForestClassifier. The XGB model
hyperparameters such as n_estimators and random_state are defined to get the best model out of the XGB algorithm. The
training stage ensures that the model learns, from the given data set, the characteristics of prohibited applications or
applications that behave differently from normal ones.

3.6 Multimodal Approach


3.6.1 Integration of Static and Dynamic Features
Combining static and dynamic features into a single feature set is crucial for a comprehensive malware detection
system. Several methods can be used for this purpose:

Concatenation: Directly combining static and dynamic features into a single vector. This simple and straightforward
approach retains all the information but can lead to high-dimensional feature spaces.

Feature Embedding: Transforming features into a lower-dimensional space where both static and dynamic features
can be combined effectively. Techniques such as autoencoders or embedding layers in neural networks can be used.

Ensemble Models: Building separate models for static and dynamic features and combining their predictions using
techniques like voting, averaging, or stacking. This approach leverages the strengths of individual models and
improves overall performance.

3.6.2 Challenges and Solutions


Integrating static and dynamic features presents several challenges:

Varying Feature Scales: Static and dynamic features often have different scales. Normalization or standardization
techniques are used to bring them to a comparable scale.

Different Feature Types: Static features might be categorical (e.g., permissions), while dynamic features are often
continuous (e.g., system call frequencies). Encoding techniques, such as one-hot encoding for categorical features,
can be used to handle this.

Feature Correlation: Some features might be highly correlated, leading to redundancy. Dimensionality reduction
techniques, like Principal Component Analysis (PCA), can help in identifying and eliminating redundant features.
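
The pre-processing of Section 3.3 and the concatenation approach of Sections 3.6.1 and 3.6.2, combined in one added example (not the paper's code): permissions are encoded as one column each, system-call counts are median-imputed and min-max scaled using statistics learned from the training samples only, and the two parts are concatenated; a small soft-voting helper shows the ensemble alternative. The sample records, `FusionEncoder` and `late_fusion` are constructed names and data.

```python
from statistics import median

# Constructed training samples. Static modality: requested permissions.
# Dynamic modality: system-call counts from a sandbox run (None = value missing).
TRAIN = [
    {"permissions": ["INTERNET", "SEND_SMS"],
     "syscalls": {"open": 120, "connect": 40, "sendto": 10}},
    {"permissions": ["INTERNET"],
     "syscalls": {"open": 20, "connect": None, "sendto": 0}},
    {"permissions": ["CAMERA"],
     "syscalls": {"open": 70, "connect": 0, "sendto": None}},
]


class FusionEncoder:
    """Early fusion by concatenation: [permission columns | scaled syscall counts]."""

    def fit(self, samples):
        # Vocabulary, imputation value and scaling range come from training data only,
        # so nothing about later test samples leaks into the transform.
        self.vocab = sorted({p for s in samples for p in s["permissions"]})
        self.syscalls = sorted({k for s in samples for k in s["syscalls"]})
        self.fill, self.lo, self.hi = {}, {}, {}
        for name in self.syscalls:
            seen = [s["syscalls"].get(name) for s in samples]
            seen = [v for v in seen if v is not None] or [0]
            self.fill[name] = median(seen)  # median imputation for missing counts
            self.lo[name], self.hi[name] = min(seen), max(seen)
        return self

    def transform_one(self, sample):
        requested = set(sample["permissions"])
        # Categorical static features: one 0/1 column per known permission;
        # permissions never seen in training are ignored.
        static = [1.0 if p in requested else 0.0 for p in self.vocab]
        dynamic = []
        for name in self.syscalls:
            v = sample["syscalls"].get(name)
            if v is None:
                v = self.fill[name]
            span = self.hi[name] - self.lo[name]
            scaled = (v - self.lo[name]) / span if span else 0.0  # min-max to 0-1
            dynamic.append(min(1.0, max(0.0, scaled)))  # clip outside the training range
        return static + dynamic

    def feature_names(self):
        return ["perm:" + p for p in self.vocab] + ["sys:" + s for s in self.syscalls]


def late_fusion(p_static, p_dynamic, w_static=0.5):
    """Ensemble alternative: weighted average of per-modality malware probabilities.

    If the sandbox run produced no dynamic score, fall back to the static model alone.
    """
    if p_dynamic is None:
        return p_static
    return w_static * p_static + (1.0 - w_static) * p_dynamic


if __name__ == "__main__":
    enc = FusionEncoder().fit(TRAIN)
    # Constructed unseen sample: unknown permission, out-of-range count, missing syscall.
    unseen = {"permissions": ["INTERNET", "READ_SMS"],
              "syscalls": {"open": 220, "connect": 10}}
    print(enc.feature_names())
    print(enc.transform_one(unseen))
    print(late_fusion(0.2, 0.9), late_fusion(0.7, None))
```

Without the scaling step the raw `open` counts (20 to 120) would dominate the 0/1 permission columns in any distance-based or gradient-based model, which is the scale mismatch the section describes.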

3.6.3 Model Architecture:


A detailed design of the multimodal model architecture includes the following components:
Input Layers: Separate input layers for static and dynamic features. Each input layer processes its respective feature
set before combining them.

Hidden Layers: Intermediate layers that transform and learn representations from the input features. These layers can
include dense layers, convolutional layers, or recurrent layers, depending on the model type.

Fusion Layer: A layer where static and dynamic features are combined. This can be a simple concatenation layer or a
more complex interaction layer that learns relationships between the two feature sets.

Output Layers: The final layer(s) that produce the classification output (e.g., malware or benign) based on the
combined features. This can be a single output layer for binary classification or multiple output layers for multi-class
classification. Figure 3 shows the architecture of the machine learning models.

Figure 3: Architecture of ML Models


4. RESULT AND DISCUSSION
4.1 Experimental Results
Our proposed framework is based on a hybrid analysis that requires good computational resources for both static and
dynamic analysis. Both static and dynamic analyses have particular requirements for computational resources. The
dynamic analysis requires more resources when contrasted with the static analysis. The subsequent algorithms were
executed employing the default configurations of the scikit-learn library: Decision Tree (DT), Random Forest (RF),
K-Nearest Neighbour (K-NN), Support Vector Machine (SVM), Naive Bayes (NB), and Multilayer Perceptron (MLP).
Figures 4 and 5 illustrate the training and testing accuracy as well as the loss throughout the duration of 5 epochs for
each of the five folds involved in the 5-fold cross-validation for the initial run, with the conclusive evaluation outcomes
presented in the uppermost row of Table 2, which details the accuracy, precision, recall, and F1 scores across 5 distinct
cross-fold executions, culminating in the mean of these finalized assessments. Table 2 provides a comparative analysis
of the proposed methodology against other renowned classifiers with respect to Accuracy, Precision, Recall, and F1,
utilizing the framework of 5-fold cross-validation.

Figure 4 illustrates the training and testing accuracy metrics of the proposed Multi-Layer Perceptron
(MLP) model across five epochs. The training accuracy demonstrates a rapid ascent during the initial two epochs as
the model acquires knowledge, surpassing the threshold of 95%. Concurrently, the testing accuracy exhibits a steady
enhancement, signifying effective generalization. The negligible disparity between training and testing accuracies
indicates minimal overfitting. The slight variations observed can be attributed to the randomization of sample order
for each training batch across epochs. By the conclusion of epoch five, the model reaches convergence, with final
training and testing accuracies approximating 98%, which is consistent with the robust outcomes presented in Table
2. This outcome corroborates the malware detection efficacy inherent to the MLP architecture.

Figure 4: Training and test accuracy over epochs

Figure 5 presents the training and testing loss curves over epochs. As expected during model convergence, the loss
decreases over time for both training and testing data. The testing loss follows but slightly exceeds the training loss,
reflecting a small generalization gap. Minor spikes are attributed to shuffling samples between epoch batches. Lower
loss directly correlates with higher accuracy, so the final low losses validate the excellent accuracy achieved. In
summary, the loss plots confirm successful training of the MLP model to accurately classify Android Botnets based
solely on permissions.

Figure 5: Model loss over epochs

4.2 Features
Better classification results can be achieved if we add more features to the data set. Yet keeping a large number of
redundant features sometimes not only increases the learning time but also affects the reliability and accuracy of the
classification rate obtained. Irrelevant and redundant features can confuse classifiers and decrease the detection rate.
Therefore, reducing the high dimensionality of feature instances by removing irrelevant features is an essential
requirement. We performed a separate feature selection phase to select those attributes of the data set that are most
appropriate and helpful in identifying the application class. Before performing feature selection, we cleaned our data
set by removing redundant features, as shown in Figure 6. Normally, the decision to keep or remove a specific set of
features depends on the platform that provides those features. Accordingly, while performing feature selection we
gave more consideration to the features provided by the Android platform.

[Figure 6: bar chart of InfoGain scores for the top-ranked static features; value axis range 0-1]

Figure 6: Top-Ranked Static Features by InfoGain Method
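
The InfoGain ranking named in the Figure 6 caption can be reproduced on a small scale as follows. This is an added example, not the authors' code: the eight apps and their permission sets are constructed, and information gain is computed with the standard definition IG = H(class) - H(class | feature) over present/absent permission features.

```python
"""Added example: rank binary permission features by information gain."""
from collections import Counter
from math import log2

# Constructed sample (label, requested permissions); not the paper's data set.
APPS = [
    ("malware", {"SEND_SMS", "READ_CONTACTS", "INTERNET"}),
    ("malware", {"SEND_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET"}),
    ("malware", {"SEND_SMS", "READ_CONTACTS", "INTERNET"}),
    ("malware", {"RECEIVE_BOOT_COMPLETED", "INTERNET"}),
    ("benign", {"INTERNET", "CAMERA"}),
    ("benign", {"INTERNET", "READ_CONTACTS"}),
    ("benign", {"INTERNET"}),
    ("benign", {"INTERNET", "CAMERA"}),
]


def entropy(labels):
    """Shannon entropy H(Y), in bits, of a list of class labels."""
    total = len(labels)
    if total == 0:
        return 0.0
    return -sum((n / total) * log2(n / total) for n in Counter(labels).values())


def info_gain(apps, feature):
    """IG = H(Y) - sum over v of P(X=v) * H(Y | X=v), X = feature present/absent."""
    labels = [label for label, _ in apps]
    present = [label for label, perms in apps if feature in perms]
    absent = [label for label, perms in apps if feature not in perms]
    conditional = sum(len(part) / len(apps) * entropy(part) for part in (present, absent))
    return entropy(labels) - conditional


def rank_features(apps, min_gain=0.0):
    """Return (feature, gain) pairs with gain > min_gain, highest gain first."""
    features = sorted(set().union(*(perms for _, perms in apps)))
    scored = [(name, info_gain(apps, name)) for name in features]
    kept = [(name, gain) for name, gain in scored if gain > min_gain]
    return sorted(kept, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, gain in rank_features(APPS):
        print(f"{name:24s} {gain:.6f}")
```

In this sample INTERNET is requested by every app, so it carries zero gain and is dropped, which is the kind of redundant feature the cleaning step is meant to remove.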

4.3 Confusion Matrix


4.3.1 Accuracy:
Accuracy is the ratio of true positives and true negatives to the total number of samples. It can be calculated from
Equation (1) [46-50].

$$\text{Accuracy} = \frac{TP + TN}{TP + FP + TN + FN} \tag{1}$$

4.3.2 Precision and Recall:


Precision: It is the ratio of true positives to the sum of true positives and false positives. High precision indicates a
low false positive rate. It can be calculated from Equation (2) [51].

$$\text{Precision} = \frac{TP}{TP + FP} \tag{2}$$

Recall: It is the percentage of all actual positives that are predicted positive, and is the same as the true positive
rate (TPR). High recall indicates a low false negative rate. Recall can be determined from Equation (3) [25, 52, 53].

$$\text{Recall} = \frac{TP}{TP + FN} \tag{3}$$

4.3.3 F1-Score:
The F1-Score ensures that both false positives and false negatives are minimized. F1-Score can be determined from
Equation (4) [54-56].

$$F1\ \text{score} = \frac{2 \times (\text{Precision} \times \text{Recall})}{\text{Precision} + \text{Recall}} \tag{4}$$

Table 3. Evaluation Results

| Execution No | Accuracy % | Precision % | Recall % | F1 % | Training Time (s) | Testing Time (s) |
|---|---|---|---|---|---|---|
| Run 1 | 98.35 | 98.51 | 98.19 | 98.34 | 600 | 0.5 |
| Run 2 | 98.53 | 98.41 | 98.67 | 98.53 | 300 | 0.3 |
| Run 3 | 97.76 | 97.21 | 98.35 | 97.77 | 200 | 0.2 |
| Run 4 | 98.91 | 98.83 | 98.99 | 98.90 | 400 | 0.4 |
| Run 5 | 97.65 | 97.61 | 97.71 | 97.65 | 500 | 0.7 |
| Average | 98.24 | 98.11 | 98.38 | 98.24 | - | - |
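
As an added illustration (not the authors' code), the code below runs the evaluation protocol behind Table 3: stratified 5-fold cross-validation, Equations (1)-(4) per run with malware as the positive class, and the mean across runs. The per-app dangerous-permission counts, the labels and the threshold detector `train_threshold` are constructed stand-ins, not the paper's data or model.

```python
"""Added example: stratified 5-fold evaluation using Equations (1)-(4)."""
from statistics import mean

MALWARE, BENIGN = 1, 0  # malware is the positive class

# Constructed data: dangerous-permission count per app, 10 malware then 10 benign.
COUNTS = [7, 6, 8, 5, 9, 6, 7, 2, 8, 6, 1, 2, 0, 3, 1, 2, 6, 1, 0, 2]
LABELS = [MALWARE] * 10 + [BENIGN] * 10


def confusion(y_true, y_pred):
    """Return (TP, FP, TN, FN) for one held-out fold."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == MALWARE and p == MALWARE for t, p in pairs)
    fp = sum(t == BENIGN and p == MALWARE for t, p in pairs)
    tn = sum(t == BENIGN and p == BENIGN for t, p in pairs)
    fn = sum(t == MALWARE and p == BENIGN for t, p in pairs)
    return tp, fp, tn, fn


def scores(tp, fp, tn, fn):
    """Equations (1)-(4); an empty denominator gives 0.0 instead of raising."""
    def ratio(num, den):
        return num / den if den else 0.0

    precision = ratio(tp, tp + fp)  # drops when benign apps are flagged
    recall = ratio(tp, tp + fn)     # drops when malware is missed
    return {
        "accuracy": ratio(tp + tn, tp + fp + tn + fn),
        "precision": precision,
        "recall": recall,
        "f1": ratio(2 * precision * recall, precision + recall),
    }


def stratified_folds(labels, k):
    """Deal each class round-robin so every fold keeps the class ratio."""
    folds = [[] for _ in range(k)]
    for cls in (MALWARE, BENIGN):
        members = [i for i, y in enumerate(labels) if y == cls]
        for n, i in enumerate(members):
            folds[n % k].append(i)
    return folds


def train_threshold(x_train, y_train):
    """Hypothetical stand-in detector: cut-off midway between the class means."""
    mal = mean(x for x, y in zip(x_train, y_train) if y == MALWARE)
    ben = mean(x for x, y in zip(x_train, y_train) if y == BENIGN)
    cut = (mal + ben) / 2
    return lambda x: MALWARE if x > cut else BENIGN


def cross_validate(features, labels, train, k=5):
    """Fit on k-1 folds, score the held-out fold, return (per-run scores, mean)."""
    runs = []
    for held_out in stratified_folds(labels, k):
        held = set(held_out)
        fit_idx = [i for i in range(len(labels)) if i not in held]
        predict = train([features[i] for i in fit_idx], [labels[i] for i in fit_idx])
        y_true = [labels[i] for i in held_out]
        y_pred = [predict(features[i]) for i in held_out]
        runs.append(scores(*confusion(y_true, y_pred)))
    average = {name: mean(run[name] for run in runs) for name in runs[0]}
    return runs, average


if __name__ == "__main__":
    runs, average = cross_validate(COUNTS, LABELS, train_threshold)
    for number, run in enumerate(runs, start=1):
        print(f"Run {number}", {k: round(v * 100, 2) for k, v in run.items()})
    print("Average", {k: round(v * 100, 2) for k, v in average.items()})
```

On the constructed data, Run 2 contains one false positive and Run 3 one missed malware sample: accuracy is 75% in both, but the first shows up as lower precision and the second as lower recall.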

Table 4 compares the results obtained with the proposed methodology, which employs Convolutional Neural Networks
(CNN), against other relevant studies that used traditional machine learning techniques. The data in the table
demonstrate that the proposed methodology is highly effective at distinguishing between benign and malicious Adware
applications. The high accuracy obtained signifies that the approach can effectively identify malicious Adware on
Android devices solely from the permissions granted, using a finely tuned CNN model.

Table 4. Comparisons with the other works

| Reference | Type | Method | Accuracy % | Precision % | Recall % | F1 % |
|---|---|---|---|---|---|---|
| AdStop (Alani & Awad, 2022b) | Network Traffic | MLP | 95.7 | 94.7 | 93.9 | 93.7 |
| (Dobhal et al., 2020) | Adware Behavior | LR | 96.0 | 94.5 | 94.9 | 94.6 |
| | | LDA | 96.2 | 94.3 | 95.7 | 95.0 |
| | | K-NN | 95.1 | 92.4 | 95.2 | 93.6 |
| | | DT | 94.2 | 92.2 | 91.8 | 92.5 |
| | | NB | 68.8 | 71.2 | 77.1 | 67.0 |
| (Lee & Park, 2020) | Features | Dynamic Random Forest | 96.6 | 95.1 | 95.4 | 95.1 |
| AdDetect (Narayanan et al., 2014) | Module of apps | SVM | 95.4 | 93.7 | 94.1 | 93.8 |
| MadDroid | Permissions | CNN | 98.24 | 98.11 | 98.38 | 98.24 |

5. DISCUSSION
The experimental results and comparisons provide significant insights into the efficacy of the proposed Convolutional
Neural Network (CNN)-based method for detecting and classifying Android Adware. Here, we discuss the
implications, strengths, limitations, and potential future directions of this research. The proposed CNN-based method
achieved an average accuracy of 98.24%, precision of 98.11%, recall of 98.38%, and F1 score of 98.24% across 5-
fold cross-validation. These results indicate a high level of performance in distinguishing between benign and
malicious Adware applications. The minimal gap between training and testing accuracy, as shown in Figures 4 and 5,
suggests that the model generalizes well to unseen data with little overfitting. This demonstrates the robustness of the
CNN architecture in learning relevant patterns from the permission features of Android applications. When compared
to other classifiers and existing methods, the proposed CNN method outperformed traditional machine learning
algorithms such as Decision Tree (DT), Random Forest (RF), K-Nearest Neighbor (K-NN), Support Vector Machine
(SVM), Naive Bayes (NB), and Multilayer Perceptron (MLP). Table 3 highlights that while methods like Random
Forest and K-Nearest Neighbor also achieved high accuracy, they fell short of the performance achieved by the CNN
model. In light of the research work discussed in Table 3, the proposed method outperforms many of the most
significant previous studies in accuracy and efficiency. For instance, the AdStop method with MLP was 95.7 percent
accurate, while Dobhal et al. (2020) obtained 96.0 percent accuracy with Logistic Regression and 96.2 percent with
Linear Discriminant Analysis. The use of the permission feature for high-accuracy classification by the proposed
CNN model can perhaps be regarded as a considerable improvement over these existing techniques. The results further
affirm the mobile security potential of machine learning, especially deep learning. Even though Adware can be ranked
by other means or by using other methods, the proposed method would assist in categorizing Adware and decreasing the
risk of hazardous advertisements on Android devices. This poses a huge challenge to end-users and app developers,
since it highlights the need for incorporating advanced detection mechanisms into mobile security.

6. CONCLUSION
In this study, a multimodal machine learning framework has been presented and tested for the identification of Android
malware using static code analysis methodology. We have presented a new approach to extract features from
numerous static code assets of Android applications, such as permissions, API calls, opcodes, and manifest files.
Combining all of these features gives a better ability to cover the overall and more complex spectrum of the
application's activity and ill intent. We used a base of different classifier algorithms, including a Random Forest
classifier and an SVM classifier, during the first step of our approach; additionally, we used deep learning
techniques during the second step of the process. Our experiments showed that incorporating multimodal features
improves the performance of those models, leading to higher detection rates and lower false positive rates compared
to models that operate within a single modality only. Our proposed scheme was tested and validated using a standard
dataset of Android applications. The study demonstrated that our proposed multimodal machine learning framework is
more effective than traditional state-of-the-art static code analysis techniques on the primary performance measures,
including accuracy, precision, recall, and F1-score. This shows how our proposed strategy can efficiently detect
suspicious apps. Since a large number of images are involved in our proposed multimodal approach, the feature
extraction and the machine learning models were optimized for scalability. This makes it possible to use our system in
practical conditions in which numerous programs have to be analyzed.

6. APPLICATION OF PROPOSED WORK AND FUTURE WORK


Although our study has given positive results, there are specific areas for further research and improvement. These
include the following:

- We hope that dynamic analysis methods will be integrated into our present static analysis system in future studies.
  Static analysis examines an application's source code to identify flaws before the operational phase, while dynamic
  analysis examines the program's behavior during use in a controlled environment and may gather information that
  could not otherwise be seen in the static analysis phase. When these two methods of analysis are used together, it
  is possible that even better protection against malware will be achieved.
- Our detection system could increase its precision and stability with further development of better features. This
  may involve identifying novel types of features that have not been seen before, as well as improving the existing
  types of features, with a view to characterizing malicious applications more accurately.
- A second direction for improving the work is ensemble learning, where several machine learning models work in
  parallel to make their predictive estimates; this approach could be used to improve the performance of the proposed
  detection system.
- Future research should expand the measures for detecting and preventing adversarial examples, where attackers
  design inputs so that they go unnoticed by the machine learning algorithms.
- Making our machine learning models more explainable and interpretable is beneficial for gaining stakeholders' trust.
  How our models reach a given decision may be explained with tools such as SHapley Additive exPlanations (SHAP) or
  Local Interpretable Model-agnostic Explanations (LIME).

Summing up, this research has shown that machine learning-based static code analysis of Android applications
combined with cheating breath detection for multimodal data is efficient in the task of malware detection. In this paper,
we used a wide range of features and state-of-the-art machine learning algorithms to establish a comprehensive
and efficient detection system. By building the foundation for future studies and proposing solutions for
overcoming the identified challenges, our work invites further development of the presented methodologies and
their use for improving the security of Android applications.

REFERENCES
[1] S. Han, H. Yun, and Y. Park, "Deep Learning for Cybersecurity Classification: Utilizing Depth-Wise CNN
and Attention Mechanism on VM-Obfuscated Data," Electronics, vol. 13, no. 17, p. 3393, 2024.
[2] P. Chen, S. Tian, X. Wang, X. Pei, W. Nong, and H. Zhang, "Efficient malware detection through inter-
component communication analysis," Cluster Computing, pp. 1-16, 2024.
[3] M. Alazab, R. A. Khurma, D. Camacho, and A. Martín, "Enhanced Android Ransomware Detection Through
Hybrid Simultaneous Swarm-Based Optimization," Cognitive Computation, pp. 1-15, 2024.
[4] Y. Liu, H. Fan, J. Zhao, J. Zhang, and X. Yin, "Efficient and Generalized Image-Based CNN Algorithm for
Multi-Class Malware Detection," IEEE Access, 2024.
[5] F. Mercaldo, F. Martinelli, and A. Santone, "Deep Convolutional Generative Adversarial Networks in Image-
Based Android Malware Detection," Computers, vol. 13, no. 6, p. 154, 2024.
[6] P. Mishra et al., "CloudIntellMal: An advanced cloud based intelligent malware detection framework to
analyze android applications," Computers and Electrical Engineering, vol. 119, p. 109483, 2024.
[7] R. Raphael and P. Mathiyalagan, "Intelligent hyperparameter-tuned deep learning-based Android malware
detection and classification model," Journal of Circuits, Systems and Computers, vol. 32, no. 11, p. 2350191,
2023.
[8] V. Das, B. B. Nair, and R. Thiruvengadathan, "A Novel Feature Encoding Scheme for Machine Learning
Based Malware Detection Systems," IEEE Access, 2024.
[9] A. S. de Oliveira and R. J. Sassi, "Chimera: an android malware detection method based on multimodal deep
learning and hybrid analysis," Authorea Preprints, 2023.
[10] X. Deng, X. Pei, S. Tian, and L. Zhang, "Edge-based IIoT malware detection for mobile devices with
offloading," IEEE Transactions on Industrial Informatics, vol. 19, no. 7, pp. 8093-8103, 2022.
[11] M. Dhalaria and E. Gandotra, "Android malware detection techniques: A literature review," Recent Patents
on Engineering, vol. 15, no. 2, pp. 225-245, 2021.
[12] S. Fiza, A. K. Kumar, V. S. Devi, C. N. Kumar, and A. Kubra, "Improved chimp optimization algorithm
(ICOA) feature selection and deep neural network framework for internet of things (IOT) based android
malware detection," Measurement: Sensors, vol. 28, p. 100785, 2023.
[13] M. G. Gaber, M. Ahmed, and H. Janicke, "Malware detection with artificial intelligence: A systematic
literature review," ACM Computing Surveys, vol. 56, no. 6, pp. 1-33, 2024.
[14] K. S. Jhansi, P. R. K. Varma, and S. Chakravarty, "Swarm optimization and machine learning for android
malware detection," Computers, Materials & Continua, vol. 73, no. 3, 2022.
[15] C. Jiang, K. Yin, C. Xia, and W. Huang, "Fedhgcdroid: An adaptive multi-dimensional federated learning for
privacy-preserving android malware classification," Entropy, vol. 24, no. 7, p. 919, 2022.
[16] R. Ma, S. Yin, X. Feng, H. Zhu, and V. S. Sheng, "A lightweight deep learning-based android malware
detection framework," Expert Systems with Applications, p. 124633, 2024.
[17] H. Rong, Z. Chen, Z. Lu, F. Xu, and V. S. Sheng, "Multization: Multi-Modal Summarization Enhanced by
Multi-Contextually Relevant and Irrelevant Attention Alignment," ACM Transactions on Asian and Low-
Resource Language Information Processing, vol. 23, no. 5, pp. 1-29, 2024.
[18] B. Molina-Coronado, U. Mori, A. Mendiburu, and J. Miguel-Alonso, "Towards a fair comparison and realistic
evaluation framework of android malware detectors based on static analysis and machine learning,"
Computers & Security, vol. 124, p. 102996, 2023.
[19] D. V. Nguyen, G. L. Nguyen, T. T. Nguyen, A. H. Ngo, and G. T. Pham, "Minad: Multi-inputs neural network
based on application structure for android malware detection," Peer-to-Peer Networking and Applications,
pp. 1-15, 2022.
[20] M. Dhalaria and E. Gandotra, "Binary and multi-class classification of Android applications using static
features," International Journal of Applied Management Science, vol. 15, no. 2, pp. 117-140, 2023.
[21] M. S. Akhtar, "Analyzing and comparing the effectiveness of various machine learning algorithms for
Android malware detection," Advances in Mobile Learning Educational Research, vol. 3, no. 1, pp. 570-578,
2023.
[22] S. Altaha and K. Riad, "Machine Learning in Malware Analysis: Current Trends and Future Directions,"
International Journal of Advanced Computer Science & Applications, vol. 15, no. 1, 2024.

[23] E. Amer, I. Zelinka, and S. El-Sappagh, "A multi-perspective malware detection approach through behavioral
fusion of api call sequence," Computers & Security, vol. 110, p. 102449, 2021.
[24] D. Chen, P. Wawrzynski, and Z. Lv, "Cyber security in smart cities: a review of deep learning-based
applications and case studies," Sustainable Cities and Society, vol. 66, p. 102655, 2021.
[25] D. Soi, A. Sanna, D. Maiorca, and G. Giacinto, "Enhancing android malware detection explainability through
function call graph APIs," Journal of Information Security and Applications, vol. 80, p. 103691, 2024.
[26] Y. Zhou, G. Cheng, S. Yu, Z. Chen, and Y. Hu, "MTDroid: A Moving Target Defense based Android Malware
Detector against Evasion Attacks," IEEE Transactions on Information Forensics and Security, 2024.
[27] H.-I. Kim, M. Kang, S.-J. Cho, and S.-I. Choi, "Efficient deep learning network with multi-streams for
android malware family classification," IEEE Access, vol. 10, pp. 5518-5532, 2021.
[28] S. S. Ahmad and K. K. Prasad, "A Novel Machine Learning Framework for Analyzing Performance of
Different Prediction Models by Using Automatic Malware Detection (AMD) Algorithm," Apex Journal of
Business and Management, vol. 1, no. 1, pp. 11-20, 2023.
[29] Q. Qiao, R. Feng, S. Chen, F. Zhang, and X. Li, "Multi-label classification for android malware based on
active learning," IEEE Transactions on Dependable and Secure Computing, 2022.
[30] D. Sahu, S. Narayan Tripathy, and S. Kumar Kapat, "Strengthening Android Malware Detection: from
Machine Learning to Deep Learning," International Journal of Computing and Digital Systems, vol. 16, no.
1, pp. 1-10, 2024.
[31] A. Wajahat et al., "Outsmarting Android Malware with Cutting-Edge Feature Engineering and Machine
Learning Techniques," Computers, Materials & Continua, vol. 79, no. 1, 2024.
[32] J. A. Johny, G. Radhamani, and M. Conti, "Deep Learning Fusion For Effective Malware Detection:
Leveraging Visual Features," arXiv preprint arXiv:2405.14311, 2024.
[33] M. H. Khan, A. R. Javed, Z. Iqbal, M. Asim, and A. I. Awad, "DivaCAN: Detecting in-vehicle intrusion
attacks on a controller area network using ensemble learning," Computers & Security, vol. 139, p. 103712,
2024.
[34] M. Chaudhary and A. Masood, "RealMalSol: real-time optimized model for Android malware detection using
efficient neural networks and model quantization," Neural Computing and Applications, vol. 35, no. 15, pp.
11373-11388, 2023.
[35] H. Gao, S. Cheng, and W. Zhang, "GDroid: Android malware detection and classification with graph
convolutional network," Computers & Security, vol. 106, p. 102264, 2021.
[36] H.-j. Zhu, Y. Li, L.-m. Wang, and V. S. Sheng, "A multi-model ensemble learning framework for imbalanced
android malware detection," Expert Systems with Applications, vol. 234, p. 120952, 2023.
[37] H. Huang, W. Huang, Y. Zhou, W. Luo, and Y. Wang, "FEdroid: Lightweight and Interpretable Detection of
Android Malware Using Local Key Information and Feature Selection," 2024.
[38] S.-J. Hwang and H. Chung, "An android malware detector using deep learning hybrid model," The CICET,
p. 3, 2020.
[39] A. Raza, Z. H. Qaisar, N. Aslam, M. Faheem, M. W. Ashraf, and M. N. Chaudhry, "TL‐GNN: Android
Malware Detection Using Transfer Learning," Applied AI Letters, p. e94, 2023.
[40] A. Pinhero et al., "Malware detection employed by visualization and deep neural network," Computers &
Security, vol. 105, p. 102247, 2021.
[41] O. J. Falana, A. S. Sodiya, S. A. Onashoga, and B. S. Badmus, "Mal-Detect: An intelligent visualization
approach for malware detection," Journal of King Saud University-Computer and Information Sciences, vol.
34, no. 5, pp. 1968-1983, 2022.
[42] Y. He, Y. Liu, L. Wu, Z. Yang, K. Ren, and Z. Qin, "Msdroid: Identifying malicious snippets for android
malware detection," IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 3, pp. 2025-2039,
2022.
[43] M. N. Al-Andoli, S. C. Tan, K. S. Sim, C. P. Lim, and P. Y. Goh, "Parallel Deep Learning with a hybrid BP-
PSO framework for feature extraction and malware classification," Applied Soft Computing, vol. 131, p.
109756, 2022.
[44] W. Zhao, J. Wu, and Z. Meng, "AppPoet: Large Language Model based Android malware detection via multi-
view prompt engineering," arXiv preprint arXiv:2404.18816, 2024.
[45] B. Zou, C. Cao, L. Wang, Y. Cheng, and J. Sun, "Feature graph construction with static features for malware
detection," arXiv preprint arXiv:2404.16362, 2024.
[46] P. Razzaghi, K. Abbasi, M. Shirazi, and S. Rashidi, "Multimodal brain tumor detection using multimodal
deep transfer learning," Applied Soft Computing, vol. 129, p. 109631, 2022.

[47] V. Reddy, N. Kolli, and N. Balakrishnan, "Malware detection and classification using community detection
and social network analysis," Journal of Computer Virology and Hacking Techniques, vol. 17, no. 4, pp. 333-
346, 2021.
[48] G. Renjith, P. Vinod, and S. Aji, "Evading machine-learning-based Android malware detector for IoT
devices," IEEE Systems Journal, vol. 17, no. 2, pp. 2745-2755, 2022.
[49] H. Rodriguez-Bazan, G. Sidorov, and P. J. Escamilla-Ambrosio, "Android Malware Classification Based on
Fuzzy Hashing Visualization," Machine Learning and Knowledge Extraction, vol. 5, no. 4, pp. 1826-1847,
2023.
[50] D. Zhang et al., "Android Malware Detection Based on Hypergraph Neural Networks," Applied Sciences,
vol. 13, no. 23, p. 12629, 2023.
[51] E. Amer and S. El-Sappagh, "Robust deep learning early alarm prediction model based on the behavioural
smell for android malware," Computers & Security, vol. 116, p. 102670, 2022.
[52] A. Alzubaidi, "Detecting android malware using deep learning algorithms: A survey," Computers and
Electrical Engineering, vol. 119, p. 109544, 2024.
[53] P. Tarwireyi, A. Terzoli, and M. O. Adigun, "Meta-SonifiedDroid: Metaheuristics for Optimizing Sonified
Android Malware Detection," IEEE Access, 2024.
[54] L. Shu, S. Dong, H. Su, and J. Huang, "Android malware detection methods based on convolutional neural
network: A survey," IEEE Transactions on Emerging Topics in Computational Intelligence, vol. 7, no. 5, pp.
1330-1350, 2023.
[55] S. Siddiqui and T. A. Khan, "An Overview of Techniques for Obfuscated Android Malware Detection," SN
Computer Science, vol. 5, no. 4, p. 328, 2024.
[56] V. Sihag, G. Choudhary, M. Vardhan, P. Singh, and J. T. Seo, "PICAndro: Packet InspeCtion‐Based Android
Malware Detection," Security and Communication Networks, vol. 2021, no. 1, p. 9099476, 2021.
