Integrating APK Image and Text Data for Enhanced Threat Detection: A Multimodal Deep Learning Approach to Android Malware
Md Mashrur Arifin, Maqsudur Rahman, Nasir U. Eisty
TL;DR
This paper tackles Android malware detection by first scrutinizing how image representations (color space and resolution) affect image-based detection, and then exploring multimodal fusion of image data with textual APK metadata. It systematically evaluates eight CNN architectures across RGB and grayscale images at 128x128, 256x256, and 512x512 resolutions, identifying RGB 512x512 with deep nets like ResNet-152 and EfficientNet-B4 as providing top performance (up to ~97% accuracy and ROC-AUC ~0.992). It also experiments with a prompt-based textual annotation pipeline using LLaMA-2 and a CLIP-based multimodal fusion approach, but finds limited gains from multimodal integration due to a small dataset (34 image-text pairs), with CLIP achieving around 0.5 accuracy and malware recall of 0.0. The study concludes that while RGB high-resolution image representations are effective, robust multimodal gains require larger, more diverse datasets and advanced fusion methods. The work provides practical guidelines for image Attribute choices and highlights future directions for scalable, real-world Android malware detection in multimodal frameworks.
Abstract
As zero-day Android malware attacks grow more sophisticated, recent research highlights the effectiveness of using image-based representations of malware bytecode to detect previously unseen threats. However, existing studies often overlook how image type and resolution affect detection and ignore valuable textual data in Android Application Packages (APKs), such as permissions and metadata, limiting their ability to fully capture malicious behavior. The integration of multimodality, which combines image and text data, has gained momentum as a promising approach to address these limitations. This paper proposes a multimodal deep learning framework integrating APK images and textual features to enhance Android malware detection. We systematically evaluate various image types and resolutions across different Convolutional Neural Networks (CNN) architectures, including VGG, ResNet-152, MobileNet, DenseNet, EfficientNet-B4, and use LLaMA-2, a large language model, to extract and annotate textual features for improved analysis. The findings demonstrate that RGB images at higher resolutions (e.g., 256x256, 512x512) achieve superior classification performance, while the multimodal integration of image and text using the CLIP model reveals limited potential. Overall, this research highlights the importance of systematically evaluating image attributes and integrating multimodal data to develop effective malware detection for Android systems.
