LLM-Generated Samples for Android Malware Detection
This addresses data scarcity for Android malware detection researchers, but is incremental as it builds on existing synthetic data methods with LLMs.
The study tackled the challenge of limited and imbalanced datasets for Android malware detection by using fine-tuned GPT-4.1-mini to generate synthetic malware samples for three families, finding that augmenting real data with synthetic data preserved high detection performance with only minor degradations, while synthetic-only training yielded mixed results.
Android malware continues to evolve through obfuscation and polymorphism, posing challenges for both signature-based defenses and machine learning models trained on limited and imbalanced datasets. Synthetic data has been proposed as a remedy for scarcity, yet the role of large language models (LLMs) in generating effective malware data for detection tasks remains underexplored. In this study, we fine-tune GPT-4.1-mini to produce structured records for three malware families: BankBot, Locker/SLocker, and Airpush/StopSMS, using the KronoDroid dataset. After addressing generation inconsistencies with prompt engineering and post-processing, we evaluate multiple classifiers under three settings: training with real data only, real-plus-synthetic data, and synthetic data alone. Results show that real-only training achieves near perfect detection, while augmentation with synthetic data preserves high performance with only minor degradations. In contrast, synthetic-only training produces mixed outcomes, with effectiveness varying across malware families and fine-tuning strategies. These findings suggest that LLM-generated malware can enhance scarce datasets without compromising detection accuracy, but remains insufficient as a standalone training source.