What is it about?

Android malware changes over time, so a detector trained on old apps can become less reliable when new apps appear. This work presents ALARM, a method for keeping Android malware detection useful for several years without repeatedly retraining the model. Instead of treating every app in the same way, ALARM looks at patterns in the Android functions that apps use together, groups apps with similar behavior, trains specialized detectors for those groups, and then combines the most relevant detectors for each new app. We tested the method by training it on apps from 2014–2017 and evaluating it on apps from 2018–2023. The best version achieved about 90% F1-score, suggesting that structural patterns in app behavior can help malware detection remain stable as threats evolve.

Why is it important?

Malware detection systems often lose accuracy because attackers change their behavior and the Android app ecosystem evolves over time. A common response is to retrain detection models frequently, but this can be costly, unstable, and difficult to operate at scale. This work is important because it focuses on long-term detection without retraining. ALARM uses stable behavioral structures in Android API usage and combines multiple specialized detectors, allowing the system to adapt its decision for each new app while keeping the model fixed. This makes the approach relevant for real-world security systems that need reliable, scalable, and reproducible protection against newly emerging Android malware.
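The pipeline described in the two sections above (API co-usage similarity, grouping apps with similar behavior, one specialized detector per group, and blending the most relevant detectors for each new app while the model stays fixed), as an added toy example that is not the paper's code. It uses a constructed set of apps and illustrative API names; connected components over a Jaccard-thresholded similarity graph stand in for the paper's Leiden clustering, a smoothed per-API malware rate stands in for each expert, and Jaccard-based relevance stands in for its mixture-of-experts gating.

```python
"""Toy ALARM-style pipeline (added example, not the paper's code):
apps -> API co-usage similarity graph -> communities -> per-community expert
-> similarity-based routing that blends the most relevant experts."""
from collections import defaultdict
from statistics import mean

# Constructed training set: (app name, set of Android API names, label).
# Label 1 = malware. API names are illustrative, not taken from the paper.
TRAIN = [
    ("game_a",   {"Canvas.draw", "SensorManager.register", "MediaPlayer.start"}, 0),
    ("game_b",   {"Canvas.draw", "SensorManager.register", "AudioTrack.play"}, 0),
    ("game_c",   {"Canvas.draw", "MediaPlayer.start", "AudioTrack.play"}, 0),
    ("fakegame", {"Canvas.draw", "SensorManager.register",
                  "SmsManager.sendTextMessage", "Runtime.exec"}, 1),
    ("msgr_a",   {"ContactsContract.query", "SmsManager.sendTextMessage",
                  "Notification.notify"}, 0),
    ("msgr_b",   {"ContactsContract.query", "Notification.notify",
                  "HttpURLConnection.connect"}, 0),
    ("spy_a",    {"ContactsContract.query", "SmsManager.sendTextMessage",
                  "HttpURLConnection.connect", "DexClassLoader.loadClass"}, 1),
    ("spy_b",    {"ContactsContract.query", "HttpURLConnection.connect",
                  "DexClassLoader.loadClass"}, 1),
]

def jaccard(a, b):
    """Overlap of two API sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def cluster_apps(train, threshold=0.3):
    """Link apps whose API sets overlap above `threshold` and return the
    connected components. This stands in for the paper's Leiden community
    detection; it is deliberately simple and deterministic."""
    names = [n for n, _, _ in train]
    apis = {n: s for n, s, _ in train}
    adj = defaultdict(set)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(apis[a], apis[b]) >= threshold:
                adj[a].add(b)
                adj[b].add(a)
    seen, clusters = set(), []
    for n in names:
        if n in seen:
            continue
        comp, stack = set(), [n]
        while stack:
            x = stack.pop()
            if x in comp:
                continue
            comp.add(x)
            stack.extend(adj[x] - comp)
        seen |= comp
        clusters.append(sorted(comp))
    return clusters

def train_expert(members, train):
    """Per-cluster expert: Laplace-smoothed malware rate of each API seen in
    the cluster, plus a cluster prior for APIs the expert has never seen."""
    rows = [(s, y) for n, s, y in train if n in members]
    total, mal = defaultdict(int), defaultdict(int)
    for s, y in rows:
        for api in s:
            total[api] += 1
            mal[api] += y
    prior = (sum(y for _, y in rows) + 1) / (len(rows) + 2)
    rates = {api: (mal[api] + 1) / (total[api] + 2) for api in total}
    return {"members": members, "rates": rates, "prior": prior,
            "apis": {n: s for n, s, _ in train if n in members}}

def expert_score(expert, app_apis):
    """One expert's malware score for an app: mean rate over its APIs."""
    return mean(expert["rates"].get(api, expert["prior"]) for api in app_apis)

def build_model(train):
    """Train once: one expert per community. Never retrained afterwards."""
    return [train_expert(m, train) for m in cluster_apps(train)]

def route(model, app_apis, top_k=2):
    """Relevance of an expert = best overlap with any of its member apps;
    keep the top_k with non-zero relevance and normalise to weights."""
    rel = [(max(jaccard(app_apis, s) for s in e["apis"].values()), i)
           for i, e in enumerate(model)]
    chosen = sorted((r, i) for r, i in rel if r > 0)[-top_k:]
    tot = sum(r for r, _ in chosen)
    return {i: r / tot for r, i in chosen}

def predict(model, app_apis):
    """Blend the routed experts; falls back to the mean prior if no expert
    shares a single API with the app."""
    weights = route(model, app_apis)
    if not weights:
        return mean(e["prior"] for e in model)
    return sum(w * expert_score(model[i], app_apis) for i, w in weights.items())

def classify(model, app_apis, threshold=0.5):
    return 1 if predict(model, app_apis) >= threshold else 0

if __name__ == "__main__":
    model = build_model(TRAIN)
    for e in model:
        print("community:", e["members"])
    # Constructed "future" apps the model has not been retrained on.
    new_game = {"Canvas.draw", "SensorManager.register",
                "AudioTrack.play", "MediaPlayer.start"}
    new_spy = {"ContactsContract.query", "HttpURLConnection.connect",
               "DexClassLoader.loadClass", "Runtime.exec"}
    print(round(predict(model, new_game), 3), classify(model, new_game))
    print(round(predict(model, new_spy), 3), classify(model, new_spy))
```

The second test app mixes a messaging-style API profile with `Runtime.exec`, which the training data only saw in the game community; the router still weights the messaging expert far more heavily because that is where the app's overall API usage overlaps most, which is the per-app adaptation the summary describes. In a real deployment the similarity graph would be built over thousands of apps and the experts would be proper classifiers, but the control flow (cluster once, train once, route per app) is the same.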

Perspectives

From my perspective, the main motivation for this work was the gap between benchmark performance and real-world usefulness. A malware detector can perform well on data from one period, but still fail when malware behavior changes in later years. I wanted to study a stricter and more realistic setting: train the model only on older Android apps, then test whether it can remain reliable on future apps without retraining. The most valuable part of this work is that it shows how graph-based behavioral structure and specialized local detectors can make malware detection more sustainable over time. It also points to the next research direction: combining static features with dynamic behavior and developing more flexible expert-routing methods for stronger long-term robustness.

Kyoungmin Roh
Dankook University

Read the Original

This page is a summary of: ALARM: An Adaptive Android Malware Detection Framework with Leiden-based Clustering and Mixture-of-Experts Classification, March 2026, ACM (Association for Computing Machinery), DOI: 10.1145/3748522.3779797.