The Sound of Malware: A Memory Forensics Approach for Android Malware Analysis via Audio Signals
For Android malware analysts, this work introduces a novel signal-based representation to bypass evasion techniques like obfuscation and packing, offering a robust alternative to traditional semantic features.
The paper proposes a memory forensics framework for Android malware detection that converts bytecode and memory snapshots into audio waveforms, achieving up to 98.0% accuracy on CICMalDroid2020 and VirusTotal datasets, outperforming static sonification and competitive state-of-the-art methods.
Android malware analysis is currently facing increasing challenges in achieving robust classification and detecting stealth attacks. Modern threats employ advanced evasion strategies such as code obfuscation, dynamic loading, packing, and even steganographic manipulation of traditional static and dynamic features. These techniques reduce the effectiveness of signature-based systems and degrade the reliability of Machine Learning models that depend on explicit semantic indicators such as permissions, API calls, or control-flow structures. In this work, we propose \approachname, a memory forensics malware detection framework that shifts the analysis perspective from semantic program modeling to signal-based structural representation. Both static bytecode and early-execution memory snapshots are transformed into audio waveforms through direct binary-to-waveform mapping, preserving low-level structural patterns without requiring disassembly or feature engineering. The resulting signals are processed using handcrafted spectral descriptors, Convolutional Neural Networks, and transformer-based embeddings. Experiments on CICMalDroid2020 dataset and VirusTotal malware demonstrate that \approachname achieves up to 98.0\% accuracy, outperforming static sonification and competitive state-of-the-art approaches.