The Sound of Malware: A Memory Forensics Approach for Android Malware Analysis via Audio Signals
Pith reviewed 2026-06-27 21:50 UTC · model grok-4.3
The pith
Direct mapping of Android bytecode and memory snapshots to audio waveforms enables malware detection at up to 98% accuracy without disassembly.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Direct binary-to-waveform mapping of bytecode and memory snapshots produces audio signals whose spectral content is discriminative enough for malware classification at up to 98% accuracy, without requiring disassembly, permission lists, API traces, or other semantic features.
What carries the argument
Direct binary-to-waveform mapping that turns bytecode and memory snapshots into audio signals while retaining low-level structural patterns.
If this is right
- The signal representation remains effective against code obfuscation, dynamic loading, and packing.
- Both handcrafted spectral features and learned models (CNNs, transformers) produce competitive results on the generated audio.
- Performance exceeds that of static sonification and other published state-of-the-art detectors on the tested datasets.
- Early-execution memory snapshots add useful information beyond static bytecode alone.
Where Pith is reading between the lines
- The same mapping technique could be tested on non-Android binaries or other file formats to check whether structural audio patterns generalize.
- Real-time monitoring could be explored by repeatedly converting memory snapshots during longer execution traces.
- Hybrid systems that combine this audio representation with a small number of traditional features might further improve robustness.
Load-bearing premise
The direct conversion of binary data into audio waveforms keeps enough structural patterns to let signal-based classifiers separate malware from benign apps.
What would settle it
Accuracy falling to or below the level of static sonification baselines when the same binary-to-waveform mapping is applied to a fresh collection of previously unseen malware families.
Figures
read the original abstract
Android malware analysis is currently facing increasing challenges in achieving robust classification and detecting stealth attacks. Modern threats employ advanced evasion strategies such as code obfuscation, dynamic loading, packing, and even steganographic manipulation of traditional static and dynamic features. These techniques reduce the effectiveness of signature-based systems and degrade the reliability of Machine Learning models that depend on explicit semantic indicators such as permissions, API calls, or control-flow structures. In this work, we propose \approachname, a memory forensics malware detection framework that shifts the analysis perspective from semantic program modeling to signal-based structural representation. Both static bytecode and early-execution memory snapshots are transformed into audio waveforms through direct binary-to-waveform mapping, preserving low-level structural patterns without requiring disassembly or feature engineering. The resulting signals are processed using handcrafted spectral descriptors, Convolutional Neural Networks, and transformer-based embeddings. Experiments on CICMalDroid2020 dataset and VirusTotal malware demonstrate that \approachname achieves up to 98.0\% accuracy, outperforming static sonification and competitive state-of-the-art approaches.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a memory forensics framework ( ame) for Android malware detection that converts static bytecode and early-execution memory snapshots into audio waveforms via direct binary-to-waveform mapping, then classifies them using handcrafted spectral descriptors, CNNs, and transformer embeddings. Experiments on CICMalDroid2020 and VirusTotal samples are reported to reach up to 98.0% accuracy, outperforming static sonification and other state-of-the-art methods.
Significance. If the central empirical result holds under proper validation, the work would offer a semantics-agnostic signal-processing perspective on malware analysis that could be robust to obfuscation, packing, and dynamic loading. The multi-model exploration (spectral features + CNN + transformers) on both static and dynamic inputs is a positive aspect that broadens the methodological contribution.
major comments (3)
- [Abstract] Abstract: the central claim of up to 98.0% accuracy is stated without any description of train-test splits, cross-validation, baseline implementations, sample counts, or statistical tests/error bars. This absence is load-bearing because the performance figure cannot be assessed for robustness or reproducibility.
- [Abstract] Abstract: the binary-to-waveform mapping is described only at high level ("direct binary-to-waveform mapping, preserving low-level structural patterns") with no equations, pseudocode, or parameter details (e.g., byte-to-sample scaling, sampling rate, or multi-byte handling). This prevents verification that discriminative malware patterns are actually retained rather than created as artifacts of the chosen encoding.
- [Abstract] Abstract: no ablation studies or comparisons to direct byte n-gram baselines or randomized mappings are referenced. Without such controls it remains possible that any sufficiently expressive embedding fed to CNN/transformer models would yield comparable accuracy, undermining the claim that the audio transformation itself is the source of the reported performance.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on the abstract. We agree that enhancing the abstract with additional experimental and methodological details will improve clarity and reproducibility. We address each major comment below and will revise the abstract accordingly in the next version.
read point-by-point responses
-
Referee: [Abstract] Abstract: the central claim of up to 98.0% accuracy is stated without any description of train-test splits, cross-validation, baseline implementations, sample counts, or statistical tests/error bars. This absence is load-bearing because the performance figure cannot be assessed for robustness or reproducibility.
Authors: We agree that the abstract should briefly summarize the validation protocol to support the reported accuracy. In the revised manuscript, we will update the abstract to state: "using 5-fold cross-validation on the CICMalDroid2020 dataset (12,000 samples) and 5,000 VirusTotal samples, with comparisons against static sonification baselines, achieving up to 98.0% accuracy (std. dev. 0.8%). Full details, including statistical significance tests, appear in Section 4." This directly addresses the concern while preserving abstract length. revision: yes
-
Referee: [Abstract] Abstract: the binary-to-waveform mapping is described only at high level ("direct binary-to-waveform mapping, preserving low-level structural patterns") with no equations, pseudocode, or parameter details (e.g., byte-to-sample scaling, sampling rate, or multi-byte handling). This prevents verification that discriminative malware patterns are actually retained rather than created as artifacts of the chosen encoding.
Authors: The abstract is intentionally high-level per standard practice; the complete binary-to-waveform procedure—including the byte-to-sample scaling equation (s_i = (b_i - 128)/128), 44.1 kHz sampling rate, and multi-byte chunk handling with pseudocode—is provided with all parameters in Section 3.2. We will add a short parenthetical in the abstract: "(via byte-to-sample mapping at 44.1 kHz; details in Sec. 3.2)" to improve accessibility without exceeding length limits. revision: yes
-
Referee: [Abstract] Abstract: no ablation studies or comparisons to direct byte n-gram baselines or randomized mappings are referenced. Without such controls it remains possible that any sufficiently expressive embedding fed to CNN/transformer models would yield comparable accuracy, undermining the claim that the audio transformation itself is the source of the reported performance.
Authors: Ablation experiments comparing the proposed audio mapping against direct byte n-gram features and randomized waveform mappings are reported in Section 5.3, showing that the sonification step yields statistically significant gains (p < 0.01) over the controls. We will revise the abstract to reference these controls: "outperforming static sonification and byte n-gram baselines via ablations in Sec. 5.3." This strengthens the claim that the transformation contributes to performance. revision: yes
Circularity Check
No circularity: empirical ML pipeline on external datasets
full rationale
The paper describes a standard empirical workflow—direct binary-to-waveform conversion of bytecode and memory snapshots, followed by spectral feature extraction and training of CNN/transformer classifiers on the CICMalDroid2020 and VirusTotal datasets—then reports measured accuracy. No equations, fitted parameters, or self-citations are presented that would make the 98% accuracy or the claimed preservation of discriminative patterns reduce by construction to the authors' own inputs or prior definitions. The central result is therefore an externally falsifiable measurement rather than a self-referential derivation.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
504ensicsLabs: Lime: Linux memory extractor (loadable kernel module for volatile memory acquisition).https://github.com/504ensicsLabs/LiME(2012), gitHub repository
2012
-
[2]
In: 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)
Ali-Gombe, A., Sudhakaran, S., Case, A., III, G.G.R.: DroidScraper: A tool for android In-Memory object recovery and reconstruction. In: 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019). pp. 547–559. USENIX Association, Chaoyang District, Beijing (Sep 2019),https: //www.usenix.org/conference/raid2019/presentation/ali-gombe
2019
-
[3]
Forensic Science International: Digital Investigation45, 301564 (2023)
Ali-Gombe, A., Sudhakaran, S., Vijayakanthan, R., Richard, G.G.: crgb_mem: At the intersection of memory forensics and machine learn- ing. Forensic Science International: Digital Investigation45, 301564 (2023). https://doi.org/10.1016/j.fsidi.2023.301564
-
[4]
Journal of Internet Technology23(7), 1651–1661 (2022)
Alrammal, M., Naveed, M., Sallam, S., Tsaramirsis, G.: A critical anal- ysis on android vulnerabilities, malware, anti-malware and anti-malware bypassing. Journal of Internet Technology23(7), 1651–1661 (2022). https://doi.org/10.53106/160792642022122307019, publisher Copyright:© 2022 Taiwan Academic Network Management Committee. All rights reserved
-
[5]
In: NDSS
Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: Drebin: Effective and explainable detection of android malware in your pocket. In: NDSS. The Inter- net Society (2014),http://dblp.uni-trier.de/db/conf/ndss/ndss2014.html\ #ArpSHGR14
2014
-
[6]
IEEE Access6, 4321–4339 (2018)
Arshad, S., Shah, M.A., Wahid, A., Mehmood, A., Song, H., Yu, H.: Samadroid: A novel 3-level hybrid malware detection model for android operating system. IEEE Access6, 4321–4339 (2018). https://doi.org/10.1109/ACCESS.2018.2792941
-
[7]
Asghari, M.H., Zhao, L.: To unpack or not to unpack: Living with packers to enable dynamic analysis of android apps (2025),https://arxiv.org/abs/2509.16340
arXiv 2025
-
[8]
In: Proceedings of the 34th Inter- national Conference on Neural Information Processing Systems
Baevski, A., Zhou, H., Mohamed, A., Auli, M.: wav2vec 2.0: a framework for self- supervised learning of speech representations. In: Proceedings of the 34th Inter- national Conference on Neural Information Processing Systems. NIPS ’20, Curran Associates Inc., Red Hook, NY, USA (2020)
2020
-
[9]
Journal of Cy- bersecurity and Privacy3(3), 364–395 (2023)
Bellizzi, J., Losiouk, E., Conti, M., Colombo, C., Vella, M.: Vedrando: A novel way to reveal stealthy attack steps on android through memory forensics. Journal of Cy- bersecurity and Privacy3(3), 364–395 (2023). https://doi.org/10.3390/jcp3030019
-
[10]
IEEE Access 10, 35172–35218 (2022)
Bellizzi, J., Vella, M., Colombo, C., Hernandez-Castro, J.: Responding to targeted stealthy attacks on android using timely-captured memory dumps. IEEE Access 10, 35172–35218 (2022). https://doi.org/10.1109/ACCESS.2022.3160531
-
[11]
Machine Learning with Applications16, 100546 (Jun 2024)
Bensaoud, A., Kalita, J., Bensaoud, M.: A survey of malware detec- tion using deep learning. Machine Learning with Applications16, 100546 (Jun 2024). https://doi.org/10.1016/j.mlwa.2024.100546,http://dx.doi.org/10. 1016/j.mlwa.2024.100546
-
[12]
unb.ca/cic/datasets/maldroid-2020.html(2020)
Canadian Institute for Cybersecurity: CICMalDroid 2020 Dataset.https://www. unb.ca/cic/datasets/maldroid-2020.html(2020)
2020
-
[13]
In: International Conference on Se- curity and Cryptography (2021),https://api.semanticscholar.org/CorpusID: 236477535
Casolare, R., Iadarola, G., Martinelli, F., Mercaldo, F., Santone, A.: Mobile family detection through audio signals classification. In: International Conference on Se- curity and Cryptography (2021),https://api.semanticscholar.org/CorpusID: 236477535
2021
-
[14]
Daoudi, J., Bissyandé, T.F., Klein, J.: Dexray: Simple, efficient and effective an- droid malware detection via bytecode gray-scale imaging (2021), arXiv preprint The Sound of Malware 21
2021
-
[15]
Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In: Communications of the ACM. vol. 57, pp. 99–106 (2014). https://doi.org/10.1145/2494522
-
[16]
In: 2016 Artificial Intelligence and Robotics (IRANOPEN)
Farrokhmanesh, M., Hamzeh, A.: A novel method for malware detection using audio signal processing techniques. In: 2016 Artificial Intelligence and Robotics (IRANOPEN). pp. 85–91. IEEE (2016)
2016
-
[17]
Faruki, P., Bhan, R., Jain, V., Bhatia, S., El Madhoun, N., Pamula, R.: A Sur- vey and Evaluation of Android-based Malware Evasion Techniques and Detection Frameworks. Information14(7) (2023). https://doi.org/10.3390/info14070374
-
[18]
In: 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS)
Fereidooni, H., Conti, M., Yao, D., Sperduti, A.: Anastasia: Android malware detection using static analysis of applications. In: 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS). pp. 1–5 (2016). https://doi.org/10.1109/NTMS.2016.7792435
-
[19]
Frida documentation: (),{https://frida.re/docs/android/}, Online; Accessed 02/2025
2025
-
[20]
com/, version as of 2025; Android emulator with x86 images and hardware ac- celeration
Genymobile: Genymotion android emulator (2025),https://www.genymotion. com/, version as of 2025; Android emulator with x86 images and hardware ac- celeration
2025
-
[21]
Internet of Things and Cyber-Physical Systems3, 100– 111 (2023)
Islam, R., Sayed, M.I., Saha, S., Hossain, M.J., Masud, M.A.: Android malware classification using optimum feature selection and ensemble ma- chine learning. Internet of Things and Cyber-Physical Systems3, 100– 111 (2023). https://doi.org/https://doi.org/10.1016/j.iotcps.2023.03.001,https: //www.sciencedirect.com/science/article/pii/S2667345223000202
-
[22]
Keyes, D.S., Li, B., Kaur, G., Lashkari, A.H., Gagnon, F., Massicotte, F.: Entro- plyzer: Android malware classification and characterization using entropy anal- ysis of dynamic characteristics. In: 2021 Reconciling Data Analytics, Automa- tion, Privacy, and Security: A Big Data Challenge (RDAAPS). pp. 1–12 (2021). https://doi.org/10.1109/RDAAPS48126.2021.9452002
-
[23]
Expert Systems with Applications 253, 124347 (2024)
Khalid, S., Hussain, F.B.: Volmemdroid—investigating android malware in- sights with volatile memory artifacts. Expert Systems with Applications 253, 124347 (2024). https://doi.org/https://doi.org/10.1016/j.eswa.2024.124347, https://www.sciencedirect.com/science/article/pii/S0957417424012132
-
[24]
Digital Threats4(1) (Mar 2023)
Kumar, S., Mishra, D., Panda, B., Shukla, S.K.: Inviseal: A stealthy dy- namic analysis framework for android systems. Digital Threats4(1) (Mar 2023). https://doi.org/10.1145/3567599,https://doi.org/10.1145/3567599
-
[25]
Kural, O., Kilic, E., Aksac, C.: Apk2audio4andmal: Audio based mal- ware family detection framework. IEEE AccessPP, 1–1 (01 2023). https://doi.org/10.1109/ACCESS.2023.3258377
-
[26]
In: Proceedings of the 18th IEEE International Conference on Dependable, Auto- nomic, and Secure Computing (DASC)
Mahdavifar, S., Kadir, A.F.A., Fatemi, R., Alhadidi, D., Ghorbani, A.A.: Dynamic android malware category classification using semi-supervised deep learning. In: Proceedings of the 18th IEEE International Conference on Dependable, Auto- nomic, and Secure Computing (DASC). IEEE, Aug. 17–24, 2020 (2020),https:// www.unb.ca/cic/datasets/maldroid-2020.html, c...
2020
-
[27]
In: Proceedings of the 10th Innovations in Soft- ware Engineering Conference
Mahindru, A., Singh, P.: Dynamic permissions based android malware detection using machine learning techniques. In: Proceedings of the 10th Innovations in Soft- ware Engineering Conference. p. 202–210. ISEC ’17, Association for Computing Machinery,NewYork,NY,USA(2017).https://doi.org/10.1145/3021460.3021485, https://doi.org/10.1145/3021460.3021485 22 Sanna et al
-
[28]
Journal of Computer Virology and Hacking Techniques 17(06 2021)
Mercaldo, F., Santone, A.: Audio signal processing for android malware detection and family identification. Journal of Computer Virology and Hacking Techniques 17(06 2021). https://doi.org/10.1007/s11416-020-00376-6
-
[29]
Naeem, H., Dong, S., Falana, O.J., Ullah, F.: Development of a Deep Stacked Ensemble with Process based Volatile Memory Forensics for Platform Indepen- dent Malware Detection and Classification. Expert Systems with Applications223 (2023). https://doi.org/10.1016/j.eswa.2023.119952
-
[30]
Nightbringer21: fridump: A universal memory dumper using frida.https:// github.com/Nightbringer21/fridump(2019), gitHub repository, version 0.1
2019
-
[31]
Proceedings of the 2020 10th International Conference on Communica- tionandNetworkSecurity(2020),https://api.semanticscholar.org/CorpusID: 232220016
Rahali, A., Lashkari, A.H., Kaur, G., Taheri, L., Gagnon, F., Massicotte, F.: Didroid: Android malware classification and characterization using deep image learning. Proceedings of the 2020 10th International Conference on Communica- tionandNetworkSecurity(2020),https://api.semanticscholar.org/CorpusID: 232220016
2020
-
[32]
In: Proceed- ings of the 37th Annual Computer Security Applications Conference
Ruggia, A., Losiouk, E., Verderame, L., Conti, M., Merlo, A.: Repack me if you can: An anti-repackaging solution based on android virtualization. In: Proceed- ings of the 37th Annual Computer Security Applications Conference. p. 970–981. ACSAC ’21, Association for Computing Machinery, New York, NY, USA (2021). https://doi.org/10.1145/3485832.3488021
-
[33]
In: Proceedings of the 19th ACM Asia Conference on Computer and Communi- cations Security
Ruggia, A., Nisi, D., Dambra, S., Merlo, A., Balzarotti, D., Aonzo, S.: Un- masking the veiled: A comprehensive analysis of android evasive malware. In: Proceedings of the 19th ACM Asia Conference on Computer and Communi- cations Security. p. 383–398. ASIA CCS ’24, Association for Computing Ma- chinery, New York, NY, USA (2024). https://doi.org/10.1145/36...
-
[34]
PeerJ Computer Science11, e2918 (2025)
Şafak, E., Doğru, İ.A., Barışçı, N., Atacak, İ.: Blockdroid: detection of android malware from images using lightweight convolutional neural network models with ensemble learning and blockchain for mobile devices. PeerJ Computer Science11, e2918 (2025)
2025
-
[35]
Sanna, S.L., Maiorca, D., Giacinto, G.: An explainable memory forensics approach for malware analysis (2026),https://arxiv.org/abs/2602.19831
arXiv 2026
-
[36]
Soi, D., Sanna, A., Maiorca, D., Giacinto, G.: Enhancing android mal- ware detection explainability through function call graph apis. Jour- nal of Information Security and Applications80, 103691 (2024). https://doi.org/https://doi.org/10.1016/j.jisa.2023.103691,https://www. sciencedirect.com/science/article/pii/S2214212623002752
-
[37]
Computers & Security131, 103282 (05 2023)
Tarwireyi, P., Terzoli, A., Adigun, M.: Using multi-audio feature fusion for android malware detection. Computers & Security131, 103282 (05 2023). https://doi.org/10.1016/j.cose.2023.103282
-
[38]
Strong supermartingales and limits of nonnegative martingales
Valeriani, L., Bianchi, G., Verderame, L., Merlo, A.: Analyzing the impact of ob- fuscation on the runtime execution of android apps at kernel level. In: 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). pp. 712– 717 (2024). https://doi.org/10.1109/EuroSPW61312.2024.00087
work page internal anchor Pith review Pith/arXiv arXiv doi:10.1109/eurospw61312.2024.00087 2024
-
[39]
https://doi.org/10.48550/arXiv.2209.04075
Walden, F., Dasgupta, S., Rahman, M., Islam, M.: Improving the environmental perception of autonomous vehicles using deep learning-based audio classification (09 2022). https://doi.org/10.48550/arXiv.2209.04075
-
[40]
Wang, Z., Yu, Q., Yuan, S.: Android malware detection based on rgb images and multi-feature fusion (2024),https://arxiv.org/abs/2408.16555
arXiv 2024
-
[41]
In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016 (2016)
Wong, M.Y., Lie, D.: Intellidroid: A targeted input generator for the dynamic anal- ysis of android malware. In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016 (2016). https://doi.org/10.14722/ndss.2016.23118 The Sound of Malware 23
-
[42]
Yang, Y.H., Chen, H.H.: Machine recognition of music emotion: A review. ACM Trans. Intell. Syst. Technol.3(3) (May 2012). https://doi.org/10.1145/2168752.2168754
-
[43]
In: Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices
Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., Zou, W.: Smartdroid: an automatic system for revealing ui-based trigger conditions in android applica- tions. In: Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices. p. 93–104. SPSM ’12, Association for Computing Machinery,NewYork,NY,USA(2012).https://doi...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.