Experiments were conducted on two distinct hardware configurations to ensure comprehensive evaluation across different computing environments. The first setup utilized an Intel Core i5 processor with 40 GB RAM and an NVIDIA GeForce RTX 3050 Ti GPU, running Windows 11. The second setup employed an Intel Xeon processor paired with an NVIDIA H100 GPU, operating on a Linux (Debian) environment.
In both configurations, the Python v.3.12 programming language was used with the core libraries, ensuring consistency in the analytical workflow. The AndroZoo dataset was used for experimentation across both platforms.
The following sections demonstrate the detailed breakdown of experimental evaluation across five classifiers. Each of the individual classifier sections describes the settings used and outcomes of the evaluations, with platform-specific considerations noted where applicable. Later in the section, we discuss the comparative results and performance observations across the two hardware environments.
4.1. Evaluation Metrics
To rigorously assess the predictive performance of the proposed model, we employed a comprehensive suite of classification metrics: Accuracy, Precision, Recall, F1-Score, and False Positive Rate (FPR). Let , , , and denote the number of true positives, true negatives, false positives, and false negatives, respectively, as derived from the model’s confusion matrix.
Accuracy quantifies the overall proportion of correctly classified instances across both classes:
Precision measures the reliability of positive predictions by calculating the proportion of predicted positives that are truly positive:
Recall (also termed Sensitivity or True Positive Rate) assesses the model’s capacity to correctly identify all actual positive instances:
The F1-Score provides the harmonic mean of Precision and Recall, offering a balanced evaluation that is particularly robust in the presence of class imbalance:
To ensure reliable and reproducible estimation of model generalization, we employ stratified K-fold cross-validation throughout the experimental pipeline. This approach guarantees that each fold preserves the original 1:1 benign-to-malware class ratio, thereby mitigating sampling bias and ensuring statistically consistent validation splits. The evaluation is configured with K = 5 folds and a fixed random seed (random_state = 42) to guarantee deterministic partitioning and full reproducibility. In each iteration, the model is trained on four folds and evaluated on the held-out fold, yielding out-of-sample predictions and calibrated probabilities for leakage-free performance estimation. Classification metrics-Accuracy, Precision, Recall, F1-Score are computed per fold, and final results are reported as macro-averaged means ± standard deviations across five folds. This protocol is consistently applied to classical ML baselines, Transformer fine-tuning, and LLM-based adaptation stages, effectively preventing data leakage while minimizing overfitting risks in high-dimensional feature spaces.
To further ensure methodological rigor and prevent optimistic bias in performance estimation, several safeguards against data leakage and dataset contamination were enforced throughout the experimental pipeline. First, duplicate APK samples were eliminated through SHA-256 hash verification to ensure that no identical applications appeared multiple times across the corpus. Second, train-validation separation was maintained at the APK level under a stratified 5-fold cross-validation protocol, guaranteeing that samples used for evaluation remained entirely unseen during training. To mitigate family-level leakage, malware family distributions were carefully monitored across folds to reduce the risk of closely related variants appearing simultaneously in both training and validation partitions. In addition, potential version-level contamination was minimized by filtering redundant or near-identical application versions whenever applicable. Finally, all preprocessing operations-including feature selection, ranking, normalization, and sequence construction-were performed independently within each training fold and subsequently applied to the corresponding validation fold, thereby preserving full train/test independence and preventing indirect information transfer between partitions.
Statistical Significance Testing
To assess whether observed performance differences were statistically meaningful, all metrics were reported as macro-averaged mean ± standard deviation across stratified 5-fold cross-validation (random_state = 42). Pairwise comparisons were performed between the Random Forest baseline and each advanced detection paradigm. Depending on the distribution of fold-wise performance differences, either paired two-tailed
t-tests or Wilcoxon signed-rank tests were employed. To account for multiple comparisons, the Bonferroni correction was applied across the four primary comparisons, resulting in an adjusted significance threshold of αadj = 0.0125. The results of the statistical comparisons are reported in
Table A1, including mean F1-scores, performance differences relative to the Random Forest baseline, selected statistical tests, and corresponding
p-values. These analyses complement the reported performance metrics by evaluating whether observed numerical differences reflect statistically reliable improvements.
4.2. Standard ML Algorithms
4.2.1. Feature Selection
To address the high-dimensional and heterogeneous nature of static APK feature spaces, this study adopts a hybrid ensemble feature selection strategy that systematically integrates filter, wrapper, and embedded methods. Let
denote the feature matrix with
APK samples and
initial features, and
the corresponding binary labels (benign/malware). The selection pipeline proceeds as follows: First, correlation-based redundancy reduction eliminates one feature from each pair
satisfying
, where Pearson’s correlation coefficient is computed as
Second, three complementary selection mechanisms are applied in parallel: (i) Univariate statistical screening ranks features by the ANOVA F-statistic
and mutual information
, capturing both linear separability and non-linear dependencies; (ii) Tree-based importance estimation employs a Random Forest ensemble
to compute Gini importance for feature
:
where
denotes samples at node
,
the total training samples, and
the impurity reduction achieved by the split; (iii) L1-regularized selection solves the convex optimization problem:
retaining features with
, where
is selected via 5-fold cross-validation. Third, to synthesize method-specific rankings into a robust consensus, scores are normalized to
via min-max scaling
(with inversion for ranking-based methods) and aggregated through a weighted ensemble:
The final feature subset comprises the top- features by ensemble score. This methodological path was deliberately chosen for three principal reasons. First, Android malware datasets often contain thousands of correlated permissions, API calls, and structural metrics; relying on a single selection criterion risks overlooking context-dependent or interaction-driven signals critical for distinguishing obfuscated malware variants. Second, ensemble aggregation reduces the variance and method-specific bias inherent in individual selectors—e.g., filter methods ignore feature dependencies (), while wrapper methods may overfit to the training distribution—thereby enhancing generalizability across diverse malware families. Third, by preserving a transparent, multi-criteria ranking process, the framework supports forensic interpretability: security analysts can trace selected features back to their methodological origins (e.g., a permission flagged by both -test and Random Forest), facilitating hypothesis generation about malicious behavioral patterns. Therefore, this approach not only optimizes downstream classification performance but also aligns with the operational requirements of explainable, reproducible, and adaptive Android malware analysis.
4.2.2. Standard ML Algorithms and Results
To establish rigorous empirical baselines and systematically evaluate the discriminative capacity of the selected APK features, we implement a comprehensive classification pipeline comprising six canonical supervised learning algorithms: Random Forest (RF), Gradient Boosting (GB), Logistic Regression (LR), Support Vector Machine (SVM), Decision Tree (DT), and -Nearest Neighbors (KNN). These models were deliberately chosen to span a wide spectrum of inductive biases—ranging from linear decision boundaries and probabilistic generative assumptions to non-parametric distance metrics and sequential ensemble aggregation—thereby mitigating model-specific failure modes and ensuring a thorough, unbiased assessment of feature utility across diverse learning paradigms. Prior to training, the feature matrix undergoes zero-imputation for missing entries and standardization via , which is essential for scale-sensitive learners (SVM, KNN, LR) to converge reliably and avoid dominance by high-variance features. Model evaluation employs stratified -fold cross-validation () with fixed randomization, partitioning the dataset into disjoint folds while preserving the original malware-to-benign class ratio. For each fold, the hypothesis is trained on the training partition and yields out-of-sample predictions and calibrated class probabilities, enabling leakage-free performance estimation.
Classification efficacy is quantified using macro-averaged accuracy, and per-class precision, recall, and F1-scores. These metrics collectively capture both overall discriminative power and class-stratified performance, which is critical in security contexts where the cost of false negatives (undetected malware) and false positives (benign apps flagged as malicious) is asymmetric and operationally significant. Accuracy provides a global measure of correct classifications, while AUC summarizes the model’s ability to rank malicious samples above benign ones across all decision thresholds. Precision, recall, and F1-score further decompose performance at the class level, enabling targeted analysis of detection sensitivity versus alarm reliability.
This methodological trajectory is explicitly chosen for three interrelated reasons. First, Android malware detection operates in a high-dimensional, conceptually noisy, and often imbalanced feature space; deploying a heterogeneous suite of well-characterized classical algorithms establishes a statistically sound baseline that isolates feature quality from architectural overfitting or hyperparameter exploitation. Second, stratified cross-validation coupled with standardized preprocessing guarantees that performance estimates reflect true generalization capability rather than data leakage or scale-induced bias, which is particularly critical for margin-based (SVM) and distance-based (KNN) learners. Third, the explicit reporting of both aggregate and class-stratified metrics aligns with operational cybersecurity requirements: high recall minimizes undetected malware (reducing false negatives), while controlled precision limits false alarms that would overwhelm security analysts or trigger alert fatigue. By systematically benchmarking these computationally efficient, interpretable, and theoretically grounded models prior to deploying deep or black-box architectures, the pipeline adheres to the principle of parsimony, ensuring that any subsequent performance gains are attributable to genuine representational advances rather than optimization artifacts. This classification framework not only quantifies the discriminative power of the engineered APK features but also provides a transparent, reproducible, and statistically rigorous foundation for comparative algorithmic research in mobile security analytics.
The performance comparison, as detailed in
Table 3, demonstrates that all six evaluated classifiers achieve highly robust and balanced results, with accuracy, precision, recall, and F1 scores consistently above 0.95. Random Forest yields the best performance (0.975 ± 0.003 F1-Score), closely followed by SVM (0.968 ± 0.003 F1-Score). The low standard deviations (σ < 0.006) across all models indicate stable performance under stratified 5-fold cross-validation, attributable to the balanced dataset (1:1 benign-to-malicious ratio) and macro-averaging protocol. Under these conditions, precision and recall naturally converge when false positive and false negative rates are symmetric, explaining the near-identical metric values observed across models.
The high performance of tree-based methods (Random Forest, Gradient Boosting, Decision Tree) along with linear (Logistic Regression) and instance-based (k-NN) approaches suggests that the underlying feature space possesses strong discriminative power and low noise levels. Moreover, consistent results across different algorithmic families highlight the inherent separability of the classes and the quality of the preprocessing steps (e.g., scaling, handling of missing values, hyperparameter tuning). This level of agreement between metrics further confirms that all models generalize reliably, with no single model suffering from overfitting or underfitting. Any of these classifiers could potentially support real-world pipelines, with Random Forest offering a marginal yet notable advantage for this specific dataset.
To contextualize the performance of the proposed Android malware detection approach, we conducted a comparative analysis against some studies in the literature.
Table 4 summarizes the key characteristics and evaluation metrics of five representative works, alongside the results obtained in this study. The selected studies were chosen based on their methodological relevance, use of publicly available datasets (e.g., CICMalDroid 2020, AndroZoo, Drebin), and reporting of standard classification metrics (Accuracy, Precision, Recall, F1-Score). It should be noted that direct numerical comparison across studies must be interpreted with caution, as differences in dataset composition, feature extraction pipelines, preprocessing strategies, and validation protocols may influence reported performance. Nevertheless, this synthesis provides a meaningful benchmark for assessing the relative effectiveness of the proposed Random Forest-based framework under a hybrid feature representation scheme.
As illustrated in
Table 4, the proposed approach achieves competitive performance relative to existing methods, attaining an F1-Score of 0.9752 on the AndroZoo dataset using a Random Forest classifier with a comprehensive hybrid feature set. Notably, the consistency across all evaluation metrics (Accuracy = Precision = Recall = F1) suggests balanced discriminative capability for both benign and malicious samples, mitigating potential biases toward the majority class. While Study [
80] reports a marginally lower F1-Score (0.9716) using XGBoost on the CICMalDroid 2020 dataset, direct comparison is constrained by differences in dataset scale, malware family distribution, and feature dimensionality. Studies relying solely on permission-based features [
83] exhibit comparatively lower performance (F1 = 0.9160), underscoring the added value of integrating multi-source static and dynamic indicators. Furthermore, the ensemble method in [
82], despite leveraging dimensionality reduction, does not surpass the proposed single-model framework, highlighting the efficacy of thoughtful feature engineering over algorithmic complexity alone. These observations collectively support the validity of our hybrid feature extraction strategy and reinforce the suitability of Random Forest for high-dimensional, heterogeneous Android malware detection tasks. Future work will focus on cross-dataset generalization testing and adversarial robustness evaluation to further strengthen practical deployability.
4.3. Transformers Models
This section focuses on our novel input representation and sequence-handling strategies tailored to Android static analysis. To address the strict token-length constraints of encoder architectures (typically 512 tokens), we introduce a constraint-aware multi-level filtering pipeline that dynamically selects the most information-dense feature subset per APK while preserving semantic interpretability. When sequences exceed the token limit, we employ chunking with mean/max pooling to capture distributed malicious patterns without arbitrary truncation. The following subsections detail the implementation and empirical performance of BERT, RoBERTa, and DistilBERT under this unified framework.
4.3.1. Multi-Level Feature Filtering and Constraint-Aware Sequence Selection
As stated before, each APK-level JSON feature file was transformed into a textual document suitable for BERT-based classification. Static-analysis attributes, including permissions, API calls, API packages, intents, activities, services, receivers, and system commands, were extracted. Each feature was serialized as a line of text using a predefined semantic prefix, such as PERMISSION, API_CALL, or INTENT, followed by the corresponding feature value. This representation preserves the categorical identity of each feature while enabling the model to process static-analysis data as natural-language-like sequences. The resulting text files constitute BERT-ready documents, where each Android application is represented as a sequence of static behavioral tokens for downstream malware classification.
Transformer-based language models such as BERT impose a strict upper bound on input sequence length (typically 512 tokens). This constraint poses a significant challenge when representing Android applications as textual sequences derived from static analysis features, since the number of extracted features can vary substantially across applications. To address this limitation, a multi-level feature filtering and sequence selection strategy was employed. Specifically, for each Android application, multiple textual representations were generated by applying different feature filtering thresholds (e.g., top-N features or frequency-based filtering). These representations correspond to varying levels of feature granularity, ranging from highly detailed (long sequences) to aggressively filtered (short sequences). Formally, let denote the set of candidate textual representations for application , where each is associated with a token length computed using the tokenizer of the pre-trained BERT model (specifically, bert-base-uncased). The objective is to select an optimal representation such that it maximizes the amount of retained information while satisfying the model’s input constraint. The selection strategy is defined as follows:
Among all candidate representations where
, the representation with the maximum token length is selected:
If no candidate representation satisfies the length constraint, the representation with the minimum token length exceeding 512 is selected:
This strategy ensures that, whenever possible, the selected sequence fully fits within the BERT input limit without requiring truncation, thereby preserving the maximum amount of semantic information. In cases where all candidate sequences exceed the limit, the shortest sequence is chosen to minimize the extent of truncation applied during tokenization. From a representation learning perspective, this approach can be interpreted as a constraint-aware feature selection mechanism, where the constraint is imposed not in the original feature space but in the tokenized sequence space. By leveraging multiple filtered views of the same application, the method effectively balances two competing objectives: (i) maximizing feature coverage (information richness) and (ii) adhering to model-specific input limitations. Furthermore, this preprocessing step introduces a form of input standardization, ensuring that all samples fed into the model are near the same upper bound of sequence length. This is particularly beneficial for training stability and computational efficiency, as it reduces variance in input sizes and minimizes excessive padding or truncation effects. The overall workflow of the proposed constraint-aware sequence selection mechanism is illustrated in
Figure 1.
All proposed architectures-namely, truncation-based models, chunking with mean pooling, and chunking with max pooling-are trained under a unified end-to-end fine-tuning framework, in which the parameters of pretrained transformer encoders such as BERT, RoBERTa, and DistilBERT are not kept fixed but are fully optimized for the downstream Android malware classification task. Formally, given an input sequence
, the tokenizer maps it into a sequence of token IDs, and the transformer encoder produces contextualized hidden representations
, where
denotes all trainable parameters of the encoder. A fixed-length representation is then obtained via a pooling operation over
(e.g., selecting the first token
or aggregating multiple chunk-level embeddings), and passed to a classification head
, typically a linear layer, yielding logits
, where
is the number of classes. The predicted class probabilities are obtained via the softmax function
, and model training minimizes the cross-entropy loss over the dataset
:
During optimization, gradients are computed with respect to both and , i.e., , and parameters are updated iteratively using stochastic gradient descent or its variants, ensuring , which distinguishes fine-tuning from frozen embedding approaches.
In the truncation-based setting, the input sequence is constrained such that
, i.e.,
, and all computations are performed on this truncated representation. While computationally efficient, this implicitly defines a projection
, potentially discarding informative suffix tokens. To overcome this limitation, chunking-based approaches decompose long sequences into
segments
, where each chunk
satisfies
(e.g.,
or
). Each chunk is independently encoded as
and a chunk-level representation is typically obtained using the first-token embedding
. These representations are then aggregated to form a document-level embedding
. In mean pooling, this aggregation is defined as
which corresponds to an unbiased estimator of the global representation under equal contribution assumptions. In contrast, max pooling is defined element-wise as
which emphasizes the most salient feature activations across all chunks, making it particularly suitable for capturing sparse but highly discriminative malicious patterns. The aggregated representation
is then passed to the classifier
to produce logits and compute the loss as defined above.
A critical aspect of the proposed framework is that the transformer parameters
are shared across all chunks and updated jointly during training. The gradient of the loss with respect to the encoder parameters accumulates contributions from all chunks:
which enables the model to simultaneously learn local dependencies within chunks and global semantic patterns across the entire document. This joint optimization allows the encoder to adapt its internal representations to the statistical properties of static-analysis-derived sequences, which differ significantly from natural language. As a result, the learned embeddings become task-specific, capturing both distributed behavioral signatures and localized anomalous indicators relevant to Android malware detection, thereby providing a substantial advantage over approaches that rely on frozen embeddings or simple truncation.
4.3.2. BERT
BERT serves as the foundational bidirectional encoder in our comparative framework. To effectively address the token-length limitation of BERT and the high dimensionality of static analysis features in Android malware detection, this study investigates multiple sequence representation strategies tailored to the structural characteristics of Android applications. Specifically, Android APKs are transformed into textual sequences composed of semantically labeled static features such as permissions, API calls, intents, and components, which often result in long and highly variable-length inputs. To handle this challenge, a constraint-aware multi-level feature filtering mechanism is employed to construct compact yet information-rich representations by prioritizing high-level behavioral indicators while reducing noise. In parallel, chunking-based aggregation strategies (mean and max pooling) are utilized to preserve long-range dependencies and capture malicious patterns distributed across different segments of the application. These approaches aim to balance behavioral feature coverage, semantic richness, and computational feasibility under the strict input constraints of transformer models. The comparative performance of these strategies is evaluated using standard classification metrics, as summarized in
Table 5.
4.3.3. RoBERTa
RoBERTa is an optimized variant of BERT that demonstrates improved performance through systematic refinement of pre-training methodology rather than architectural changes. To adapt RoBERTa to the Android malware detection task, the same input representation and sequence handling strategies described for BERT are employed to ensure a consistent experimental framework. Unlike BERT, however, RoBERTa benefits from an improved pre-training strategy, including dynamic masking and the removal of the NSP objective, which enables the model to learn more robust and generalized contextual representations. These improvements are particularly advantageous when modeling structured, non-natural language inputs derived from static analysis, where semantic patterns are often sparse and irregular.
As a result, RoBERTa is expected to capture more discriminative behavioral patterns across Android applications, leading to improved classification performance. The comparative results of RoBERTa under the proposed framework are presented in
Table 6.
4.3.4. DistilBERT
DistilBERT addresses the computational and memory demands of BERT through knowledge distillation, producing a smaller, faster model that retains most of the teacher model’s performance. The resulting model is ~40% smaller, 60% faster at inference, and retains ~97% of BERT’s language understanding capabilities on GLUE. DistilBERT demonstrates that careful distillation can significantly improve efficiency with minimal performance trade-off, facilitating deployment in resource-constrained environments while preserving the Transformer’s bidirectional contextual modeling strengths.
To evaluate the effectiveness of lightweight transformer architectures in Android malware detection, DistilBERT is incorporated into the same experimental framework as BERT and RoBERTa, ensuring a fair comparison across models. While the same input representations and sequence handling strategies are employed, DistilBERT’s reduced depth and parameter count introduce a trade-off between computational efficiency and representational capacity.
Despite its compact architecture, DistilBERT is expected to capture essential behavioral patterns embedded in static analysis features, particularly those related to high-level indicators such as permissions and API calls. However, due to its shallower structure, it may be less effective in modeling complex and long-range dependencies compared to full-sized transformer models. This limitation is especially relevant in Android malware detection, where malicious behavior can be distributed across multiple components and requires deeper contextual understanding.
Nevertheless, DistilBERT offers a significant advantage in terms of inference speed and resource efficiency, making it a practical alternative for real-world deployment scenarios with constrained computational resources. The classification performance of DistilBERT under the proposed framework is presented in
Table 7.
The comparative evaluation of BERT, RoBERTa, and DistilBERT under the proposed sequence representation strategies reveals a consistent and theoretically grounded performance pattern across all models. Among the examined approaches, the multi-level feature filtering mechanism achieves the highest performance, indicating that prioritizing semantically rich and behaviorally salient static features significantly enhances the discriminative capability of transformer-based models in Android malware detection. In contrast, chunking-based strategies, while effective in addressing input length constraints, exhibit slightly lower performance due to the inherent trade-off between segmentation and contextual continuity. Between the two aggregation methods, mean pooling consistently outperforms max pooling, suggesting that averaging contextual representations provides a more stable and comprehensive encoding of distributed malicious patterns, whereas max pooling may overlook subtle yet important signals by focusing only on dominant activations. Across model architectures, RoBERTa demonstrates the best overall performance, benefiting from its improved pre-training strategy and enhanced representation learning capacity. BERT follows closely, maintaining strong performance due to its bidirectional contextual modeling, while DistilBERT, despite its reduced complexity, achieves competitive results with a marginal decrease in accuracy, highlighting its suitability for resource-constrained environments. Overall, these findings confirm that both model architecture and input representation strategy play a critical role in optimizing malware detection performance, with feature-aware filtering emerging as the most effective approach.
In light of these findings, the synergistic effect of the proposed multi-level feature filtering mechanism and the RoBERTa architecture warrants further validation through comparative analysis with existing literature.
Table 8 presents a quantitative comparison of the performance metrics achieved in this study against prior works that leverage similar datasets and transformer-based models for Android malware detection. Notably, while earlier studies often rely on single-source feature representations-such as API calls, permissions, or opcode sequences alone-the approach introduced here integrates hybrid static features through a semantically aware filtering strategy, enabling more comprehensive pattern learning. This methodological advancement, combined with RoBERTa’s robust pre-training and contextual encoding capabilities, translates into consistently good performance across accuracy, precision, recall, and F1-score. The following table contextualizes these gains within the broader research landscape, highlighting how joint optimization of input representation and model architecture contributes to detection effectiveness.
Table 8 presents a comparative evaluation of transformer-based architectures for Android malware detection, situating the proposed multi-level feature filtering framework within the current methodological landscape. It is important to note that, given the substantial scale and heterogeneity of the AndroZoo repository, all cited studies-including this work-operate on representative subsets sampled according to study-specific criteria (e.g., temporal range, family distribution, or benign-to-malicious ratio), which inherently influences comparability and generalizability. Within this context, the results demonstrate that coupling hybrid static features with RoBERTa’s optimized pre-training paradigm yields consistently good and well-calibrated performance (Accuracy: 0.970, Precision: 0.971, Recall: 0.969, F1: 0.970). In contrast, baseline approaches exhibit structural and evaluative limitations: models constrained to homogeneous feature spaces (e.g., API-permission pairs [
51] or opcode sequences [
87]) display asymmetric precision-recall trade-offs and marginal F1 gains, while studies omitting complementary metrics [
85,
86] preclude rigorous assessment of classification robustness. Notably, the proposed methodology attains equilibrium across all evaluation dimensions using a systematically sampled AndroZoo subset, whereas competing frameworks require cross-dataset augmentation to reach comparatively lower performance thresholds. These findings substantiate that detection efficacy is not solely contingent upon model capacity or dataset volume but rather emerges from the synergistic alignment of semantically enriched input representations, architecturally expressive transformers, and methodologically sound sampling strategies. The proposed framework advances the current research frontier by demonstrating that targeted feature filtration, when integrated with robust contextual encoding and transparent data selection, effectively mitigates false-detection vulnerabilities and enhances generalizability in operational malware classification pipelines.
4.4. LLMs (Large Language Models)
This study employs four open-weight large language models-Mistral-7B, Gemma-2-27B, Qwen2.5-14B, and Qwen3.5-27B-selected to enable a controlled, multi-scale analysis of feature extraction efficacy in Android malware detection. The selection rationale is threefold: (i) architectural diversity, encompassing distinct attention mechanisms (e.g., Grouped-Query Attention in Mistral-7B, hybrid sparse-dense designs in Qwen3.5-27B) to assess how structural innovations influence semantic representation of static analysis artifacts; (ii) parameter-scale progression (7B → 14B → 27B), facilitating empirical investigation into scaling laws and diminishing returns in security-oriented feature grounding; and (iii) open-weight reproducibility, ensuring full transparency for academic validation and community replication. Critically, all experiments are conducted on an NVIDIA H100 80 GB GPU, whose high-bandwidth memory and native BF16/FP8 acceleration permit full-precision inference and parameter-efficient fine-tuning across all four models without aggressive quantization—thereby preserving architectural fidelity and isolating model-specific behaviors from hardware-induced artifacts. This configuration supports rigorous ablation studies on prompt design, embedding stability, and zero-shot generalization, while maintaining computational feasibility for iterative methodological refinement within the scope of Android security analysis.
4.4.1. Feature Extraction by Using LLMs
Prompt-based feature extraction leverages the generative capabilities of LLMs to directly derive structured or semi-structured features from raw text. In this paradigm, the model is guided by a natural language prompt
, which explicitly defines the feature extraction objective. This process can be formalized as:
where
represents the conditional generation function of the LLM, and
denotes the extracted feature set, typically expressed in structured formats such as JSON or labeled lists. This approach enables the extraction of interpretable and task-specific features, including key entities, semantic categories, or domain-specific indicators, without requiring task-specific fine-tuning. Additionally, it supports zero-shot and few-shot learning scenarios, thereby offering high adaptability across different domains.
In the context of Android malware and security analysis, prompt-based feature extraction can be operationalized through carefully designed instruction templates that enforce structured outputs and constrain the model’s reasoning space. For instance, a prompt that defines the model as an “Android security analysis assistant” and explicitly requires JSON-formatted outputs introduces a form of controlled feature generation, where the LLM not only extracts features but also categorizes them (e.g., permission, API, network) and justifies each indicator with evidence from the input data. This effectively transforms the LLM into a deterministic feature extractor conditioned on both the input (static analysis data) and a task-specific prompt .
Such a prompt can be interpreted as a structured mapping function:
where
encodes constraints such as output schema (JSON), feature taxonomy (indicator categories), and filtering rules (e.g., selecting the most significant 1–100 indicators). The inclusion of fields like explanation and evidence_source enhances interpretability, while pattern_correlations and finding_type enable higher-level relational reasoning across extracted features. Moreover, constraints on output length and format act as regularization mechanisms, reducing noise and enforcing consistency across samples.
![Applsci 16 05600 i001 Applsci 16 05600 i001]()
To ensure methodological rigor and analytical reliability, the prompt is explicitly designed within an unbiased and neutral framework, minimizing the risk of prompt-induced bias and avoiding any form of leading or suggestive language. The task definition does not presuppose whether the analyzed application is malicious or benign; instead, it focuses on the extraction of security indicators, which are treated as objective and descriptive features rather than evaluative judgments.
This unbiased structure is further reinforced by requiring each extracted indicator to be supported by an explicit evidence_source, ensuring that all outputs are directly grounded in the provided data rather than inferred through subjective reasoning. The use of predefined yet non-evaluative categories (e.g., permission, api, network, string, other) maintains consistency while avoiding semantic bias toward threat interpretation.
Additionally, the enforced JSON schema functions as a constraint mechanism that standardizes outputs and limits unnecessary generative freedom, thereby reducing the likelihood of speculative or exaggerated conclusions. The inclusion of fields such as pattern_correlations and finding_type allows for relational reasoning, while still preserving neutrality by permitting outcomes such as “none” or “isolated,” which reflect analytical uncertainty rather than forced interpretation.
Importantly, the prompt deliberately avoids any emotionally charged or bias-inducing terminology (e.g., “malicious,” “harmful,” or “suspicious”), thereby mitigating framing effects and ensuring that the model’s responses are driven by the input data rather than the wording of the instructions.
Overall, the prompt can be characterized as explicitly unbiased by design, as it prioritizes evidence-based extraction, structured output constraints, and neutral task framing, supporting objective and reproducible feature extraction in LLM-based Android security analysis.
The extracted security indicators collectively suggest a multi-faceted risk profile that is more significant when analyzed through their interrelationships rather than as isolated features. While certain permissions and API usages may appear benign in isolation, their co-occurrence and contextual alignment reveal patterns commonly associated with malicious behavior in Android applications.
In particular, the simultaneous presence of android.permission.SEND_SMS and the usage of android.telephony.SmsManager constitutes a well-established indicator of potential SMS-based abuse, such as unauthorized message transmission or premium-rate SMS fraud. This combination reflects the capability of the application to initiate outbound communication channels that may incur financial cost or propagate malicious activity without explicit user consent.
More critically, the string artifact/sdcard/downloadedfile.apk represents a strong semantic indicator of potentially malicious intent. Unlike generic API or permission-based signals, this string suggests explicit interaction with an external APK file located in user-accessible storage. From a security analysis perspective, such a reference is highly indicative of dynamic code loading or dropper behavior, where the primary application functions as an initial carrier that retrieves, stores, and potentially executes secondary payloads. This technique is widely documented in Android malware literature as a mechanism for evading static analysis and signature-based detection systems, as the malicious payload may not be embedded directly within the original application package.
The presence of android.permission.WRITE_EXTERNAL_STORAGE further reinforces this interpretation, as it provides the necessary capability to write arbitrary files—such as secondary APKs—to external storage locations. When considered alongside the aforementioned string indicator, this permission supports a plausible execution chain involving payload download and deployment. Similarly, android.permission.READ_PHONE_STATE introduces additional concerns related to device fingerprinting and user tracking, as access to telephony identifiers (e.g., IMEI) is frequently leveraged in botnet coordination, targeted attacks, or fraud schemes.
Although certain indicators, such as java.io.PrintWriter.println, may not independently signify malicious intent, they can contribute to suspicious behavior when analyzed in context, particularly in scenarios involving logging of sensitive information or covert data exfiltration. Conversely, elements such as android.intent.category.LAUNCHER are generally considered benign and do not contribute meaningfully to the maliciousness assessment when evaluated in isolation.
From a holistic perspective, the observed pattern reflects a composite threat model characterized by the convergence of communication abuse (SMS capabilities), external storage manipulation, and potential secondary payload execution. This aligns with known behavioral signatures of Android malware families that employ staged execution strategies to enhance stealth and persistence.
The integration of permission-level, API-level, and string-level indicators-particularly the presence of an external APK reference-provides strong evidence of coordinated malicious functionality, with specific emphasis on SMS exploitation and dropper-like mechanisms. Such multi-dimensional feature interactions underscore the importance of contextual and relational analysis in LLM-based feature-extraction frameworks for mobile security.
4.4.2. Detection with Zero-Shot
Zero-shot detection in the context of Android malware analysis refers to the capability of a large language model (LLM) to perform binary classification without any task-specific fine-tuning. Instead of relying on supervised training over labeled datasets, the model is guided exclusively through a carefully designed prompt that defines the task, constraints, and expected output format.
In this paradigm, the classification process can be formalized as a conditional inference problem:
where
represents the static analysis JSON of the Android application,
denotes the detection-oriented prompt, and
is the predicted class label. Unlike embedding-based or fine-tuned approaches, the model directly maps input data and task instructions to a discrete decision through its pre-trained knowledge.
The prompt used in this study is explicitly designed to enforce a strict binary classification behavior under controlled inference constraints. The full prompt is provided below to ensure reproducibility and methodological transparency.
This prompt structure enforces a binary decision boundary while constraining the model’s reasoning process. The instruction that no single feature should dominate the decision encourages holistic analysis, aligning with established malware-detection principles where behavioral patterns emerge from the interaction of multiple indicators.
Furthermore, the strict output constraint—requiring only a single uppercase label without explanation-serves to standardize responses and eliminate unnecessary generative variability. This transforms the LLM into a deterministic classifier at the interface level, facilitating automated evaluation and comparison across models.
To assess the robustness and generalizability of this zero-shot framework, experiments were conducted using multiple LLMs, including Mistral-7B, Gemma-2-27B, Qwen2.5-14B, and Qwen3.5-27B. These models were evaluated under identical prompting conditions, allowing for a fair comparison of their zero-shot detection capabilities. The quantitative results obtained from these experiments are presented in the table below, providing a comparative overview of model performance across standard evaluation metrics.
The results, as detailed in
Table 9, indicate a clear performance trend, where larger models achieve higher accuracy and F1 scores in the zero-shot setting. In particular, Qwen3.5-27B outperforms other models, suggesting a stronger capability to capture complex behavioral patterns from static analysis data. However, the overall performance remains within a moderate range, highlighting the limitations of zero-shot approaches for domain-specific tasks such as Android malware detection. These findings suggest that while zero-shot inference provides a practical baseline, further improvements may require fine-tuning or hybrid methods.
4.4.3. LLM-Based Feature Extract and BERT, DistilBERT, and RoBERTa Fine Tuning
To establish a robust baseline and investigate the transferability of LLM-extracted semantic features to more compact, encoder-only architectures, we fine-tune a suite of pre-trained BERT-family models—namely BERT-base, DistilBERT, and RoBERTa-base—using the structured security indicators generated in
Section 4.5.1. This experimental design serves two complementary objectives: first, to assess whether the rich, prompt-derived representations produced by large generative models can effectively distill task-relevant signal for smaller, more deployment-friendly classifiers; and second, to provide a controlled comparison against end-to-end LLM fine-tuning, isolating the contribution of feature extraction quality from model capacity. Input sequences for these models are constructed by serializing the LLM-extracted indicators into a concise natural-language format, preserving categorical labels and relational annotations while adhering to a fixed tokenization limit to ensure computational consistency. Each model is augmented with a task-specific classification head and fine-tuned using standard cross-entropy optimization, with stratified cross-validation employed to ensure reliable performance estimation. BERT-base provides a well-established reference point with bidirectional contextual encoding; DistilBERT offers a streamlined alternative with reduced parameter count and inference latency, enabling evaluation of efficiency-accuracy trade-offs; and RoBERTa-base, trained with optimized data sampling and dynamic masking, serves to probe the sensitivity of downstream performance to pre-training methodology. All models are initialized from publicly available checkpoints and adapted using a consistent training protocol that prioritizes reproducibility and methodological transparency. By leveraging the same LLM-enriched feature space across architectures of varying scale and design, this study clarifies the extent to which detection gains arise from the quality of input representations versus the expressive capacity of the classifier itself.
Table 10 demonstrates that the effectiveness of transformer-based Android malware detection models is substantially influenced by the semantic quality of features extracted by large language models. Among the evaluated feature extraction models, Qwen3.5-27B consistently achieved the highest performance across all transformer backbones, indicating that larger and more advanced LLMs can generate more informative and discriminative security-oriented representations from static analysis data. In particular, the combination of Qwen3.5-27B and RoBERTa produced the best overall results, achieving 0.957 Accuracy and 0.957 F1-score.
The results further show that RoBERTa consistently outperformed BERT and DistilBERT regardless of the selected LLM, suggesting that its enhanced contextual representation capability provides good classification performance for malware detection tasks. Although DistilBERT yielded slightly lower scores, its results remained competitive, highlighting its efficiency-performance tradeoff.
Contrary to the assumption that LLM-derived features universally enhance detection, our results indicate that the LLM-feature extraction pipeline followed by Transformer fine-tuning (e.g., Qwen3.5-27B+RoBERTa: 0.957 F1) underperforms both direct RoBERTa fine-tuning on raw static features (0.970 F1,
Table 6) and the Random Forest baseline (0.975 F1,
Table 3). This suggests that the intermediate LLM extraction step introduces information compression or redundancy that is not fully recovered by encoder-only architectures. Therefore, LLM-extracted features should not be assumed to generally improve detection; their utility must be explicitly benchmarked against strong, directly fine-tuned baselines and justified by downstream interpretability or forensic requirements rather than raw accuracy gains alone.
4.4.4. LLM-Based Feature Extraction and LLM Fine-Tuning
To bridge the gap between general-purpose pre-trained representations and the domain-specific requirements of Android malware detection, we implement a parameter-efficient fine-tuning framework that adapts the base large language models using the structured security indicators extracted in the preceding phase. Rather than updating all model parameters, which is computationally prohibitive for architectures of this scale, we employ Low-Rank Adaptation (LoRA), a technique grounded in the observation that task-specific weight updates exhibit low intrinsic dimensionality. Formally, for each pre-trained weight matrix , the adaptation is expressed as , where with and , and . During optimization, the original parameters remain frozen while only the low-rank matrices are updated, substantially reducing the number of trainable weights while preserving the model’s foundational linguistic and reasoning capabilities. This formulation enables efficient domain adaptation without incurring the memory overhead or catastrophic forgetting risks associated with full-model retraining, and it maintains inference latency characteristics identical to the base architecture.
Input sequences for training are constructed directly from the LLM-generated security indicators, preserving their natural-language structure while adhering to a fixed tokenization limit to maintain computational consistency across samples. The dataset is partitioned using stratified cross-validation to ensure representative class distribution across training and validation splits, thereby providing a robust estimate of generalization performance. To mitigate hardware constraints during optimization, the models are initialized with mixed-precision arithmetic and dynamic weight quantization, which compresses the parameter footprint while preserving gradient fidelity during backpropagation. Gradient checkpointing is applied to trade computational steps for memory allocation, enabling stable training on a single high-performance GPU. The training objective minimizes a cross-entropy loss over the binary classification space, with optimization governed by an adaptive momentum-based solver, an initial warmup phase to stabilize early gradients, and a decaying learning rate schedule to refine convergence. Evaluation is conducted at regular intervals, and the checkpoint exhibiting the lowest validation loss is retained to prevent overfitting to the training distribution. During inference, class probabilities are derived from the final-layer logits and mapped to discrete predictions via a fixed decision threshold, ensuring methodological consistency with the zero-shot baseline. Performance is assessed using standard classification metrics that collectively capture the model’s ability to generalize across diverse application families while maintaining balanced precision and recall. By combining semantically enriched feature conditioning with rank-constrained parameter adaptation, this pipeline enables reproducible, resource-efficient fine-tuning that isolates the contribution of structured security indicators to downstream detection performance.
For large-scale generative transformer models, parameter-efficient fine-tuning was performed using the Low-Rank Adaptation (LoRA) framework within the PEFT paradigm. In particular, Qwen3.5-27B was adapted using the native Qwen tokenizer with a maximum sequence length of 4096 tokens. LoRA adapters were applied to both attention and feed-forward projection layers, including q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, and down_proj. The LoRA rank was set to r = 16 with α = 32 and a dropout rate of 0.05. Optimization was performed using AdamW with a learning rate of 2 × 10−5, cosine learning rate scheduling, a warm-up ratio of 0.03, and weight decay of 0.01. Fine-tuning was conducted for three epochs using mixed-precision bfloat16 training on an NVIDIA H100 GPU under a Linux/Debian environment. Due to the large parameter scale of the model, 4-bit NF4 quantization was employed where necessary to reduce memory overhead while preserving adaptation capability. A per-device batch size of 1 with gradient accumulation over 16 steps was used, yielding an effective batch size of 16. All experiments were executed under the same stratified 5-fold cross-validation protocol with a fixed random seed of 42 to ensure reproducibility and methodological consistency across model families.
Ensure deterministic and reproducible inference across evaluation folds, decoding parameters were configured as follows: temperature = 0.1, top-p = 0.9, and greedy token selection. This low-temperature, nucleus-sampling configuration minimizes stochastic variability in generated outputs while preserving semantic fidelity, thereby enabling fair comparative evaluation across LLM architectures and facilitating consistent feature extraction for downstream classification.
Following the training protocol described above, we evaluate the fine-tuned models on the held-out validation folds to assess their discriminative performance in Android malware detection. The experimental results for all four architectures—Mistral-7B, Gemma-2-27B, Qwen2.5-14B, and Qwen3.5-27B—are summarized in
Table 11, reporting accuracy, precision, recall, and F1-score.
The experimental results presented in
Table 11 demonstrate a clear relationship between model capacity and classification performance within the proposed fine-tuning framework. In particular, larger-scale architectures consistently outperform smaller models, indicating that increased parameterization enhances the ability to capture and utilize semantically rich security indicators derived from LLM-based feature extraction. Among the evaluated models, Qwen3.5-27B achieves the highest performance across all metrics, reaching an accuracy of 0.982 ± 0.005 and an F1-score of 0.982 ± 0.005. This result suggests that high-capacity models are more effective at modeling complex behavioral patterns embedded in structured natural-language representations of Android applications.
Mid-scale models, such as Gemma-2-27B and Qwen2.5-14B, also demonstrate strong and balanced performance, offering a favorable trade-off between computational efficiency and predictive accuracy. Notably, the relatively high recall achieved by Gemma-2-27B indicates an increased sensitivity to malicious patterns, which is particularly valuable in security-critical applications where minimizing false negatives is essential. In contrast, the comparatively lower performance of Mistral-7B highlights the limitations of smaller models in representing complex, high-dimensional feature spaces, despite benefiting from the same fine-tuning strategy.
Another important observation is the close alignment between precision and recall values across all models. This balance indicates that the proposed approach does not disproportionately favor either class, thereby achieving stable and consistent decision boundaries. Such behavior is especially desirable in malware detection tasks, where both false positives and false negatives carry significant operational implications.
To contextualize the proposed methodology within the current state of the art, we present a comparative evaluation of recent LLM-augmented Android malware detection frameworks.
Table 12 summarizes the dataset configurations, model architectures, feature representations, and classification performance of these approaches, providing a direct benchmark against the proposed framework.
As illustrated in
Table 12, the integration of LLM-driven feature extraction with advanced language models consistently enhances detection performance across multiple benchmarks. While prior studies employing Mutual Information with Mistral 7 [
46], CFG-based representations with GPT-4o-mini [
59], and GPT-4 combined with an MLP classifier [
58] achieve respectable F1-scores ranging from 0.90 to 0.97, their performance remains constrained by partial feature utilization or less optimized architectural pipelines. In contrast, the proposed framework leverages a comprehensive hybrid feature representation—encompassing permissions, API calls, strings, URLs, and hardware/software feature declarations—processed through an LLM-based extraction module and classified via Qwen3.5. This holistic approach yields an accuracy of 0.982 ± 0.005 and balanced precision of 0.983 ± 0.005, recall of 0.982 ± 0.007, and F1-scores of 0.982 ± 0.005, indicating good generalization, minimized false-positive rates, and robust handling of feature heterogeneity. The results underscore the efficacy of unified feature fusion coupled with LLMs for next-generation Android malware detection. Future work will investigate real-time inference optimization, cross-dataset transferability, and adversarial robustness to validate the framework under dynamic, production-grade deployment conditions.
4.4.5. Computational Cost, Resource Utilization, and Deployment Considerations
All latency, memory, and training metrics were evaluated on a dedicated workstation with an Intel Xeon CPU and NVIDIA H100 80 GB GPU running Debian Linux. Inference latency was measured as end-to-end processing time per APK (feature extraction, tokenization, forward pass, output parsing), averaged over 100 independent runs. Peak GPU memory was recorded via PyTorch/CUDA profiling at maximum VRAM allocation during a single forward pass. Training time reflects total GPU-hours per model, computed from wall-clock duration scaled to single-GPU equivalents. Precision mode was standardized to mixed-precision bfloat16 (BF16) for Transformer/LLM training, with 4-bit NF4 quantization applied selectively to frozen base weights during large-scale LLM fine-tuning to manage memory constraints. Classical ML baselines were evaluated on a separate CPU-only pipeline (Intel Core i5, 40 GB RAM, Windows 11).
While the proposed LLM-driven framework demonstrates good detection performance, practical deployment in real-world Android security pipelines necessitates a careful assessment of computational overhead and inference latency. To this end, we conducted a systematic evaluation of resource consumption across all evaluated models under identical hardware conditions (NVIDIA H100 80 GB GPU).
Inference Latency. We measured the average end-to-end inference time per APK sample, encompassing feature extraction, tokenization, model forward pass, and output parsing. As summarized in
Table 13, classical ML models (e.g., Random Forest) achieve sub-millisecond latency, making them suitable for high-throughput, real-time screening. Distilled Transformers (DistilBERT) operate in the ~15–25 ms range, offering a favorable balance for near-real-time deployment. In contrast, zero-shot LLM inference exhibits significantly higher latency: Mistral-7B requires ~1.2 s/sample, while Qwen3.5-27B averages ~4.8 s/sample due to its larger parameter count and longer context window. Fine-tuned LLMs with LoRA show marginal latency reduction (~10–15%) compared to zero-shot inference, as the adaptation layers introduce negligible overhead during inference.
Memory and Hardware Requirements. Peak GPU memory consumption during inference scales with model size: DistilBERT (~300 MB), RoBERTa (~500 MB), Mistral-7B (~14 GB), and Qwen3.5-27B (~52 GB).
Practical Recommendations. Based on these findings, we advocate a tiered deployment strategy:
First-tier screening: Use lightweight models (Random Forest or DistilBERT) for bulk scanning of app stores or CI/CD pipelines, where latency and cost are critical.
Second-tier deep analysis: Reserve fine-tuned LLMs (e.g., Qwen3.5-27B+LoRA) for forensic investigation of high-risk samples flagged by the first tier, where interpretability and high recall justify the computational cost.
Edge deployment: For on-device or resource-constrained environments, quantized DistilBERT or classical ML models remain the only viable options; LLMs should be accessed via API only when necessary.
This hybrid architecture aligns detection capability with operational constraints, ensuring scalability without sacrificing the advanced reasoning benefits of generative models for critical cases.
While the Qwen3.5-27B+LoRA configuration achieves the highest reported F1-score (0.982 ± 0.005), this performance gain is accompanied by substantial computational overhead. As quantified in
Table 13, the model requires ~52 GB of peak GPU memory, averages 4.15 s of inference latency per APK, and demands ~48 GPU-hours for fine-tuning. Consequently, the accuracy advantage of direct LLM fine-tuning must be weighed against operational constraints. We therefore position Qwen3.5-27B+LoRA as a high-capacity, high-cost option best reserved for secondary forensic investigation or explainable threat intelligence workflows, rather than as a default replacement for lightweight screening models.
4.4.6. Quantitative Analysis of LLM Hallucination and Explanation Reliability
While the LLM-driven pipeline demonstrates superior detection performance and interpretability, the phenomenon of “hallucination”-where the model generates plausible but factually unsupported claims-remains a critical concern for security applications. To empirically assess this risk, we conducted a systematic analysis of hallucination rates and their impact on classification decisions.
Definition and Annotation Protocol
We define a hallucination in this context as any extracted security indicator or explanation that satisfies one of the following criteria: (i) factual inconsistency, where the generated indicator references a feature (e.g., permission, API call, string, or component) not present in the input static analysis JSON; (ii) unsupported inference, where the explanation attributes malicious significance to a benign or ambiguous feature without clear supporting evidence from the broader extracted feature context; and (iii) contradictory reasoning, where the model’s justification conflicts with the final classification output. To evaluate hallucination behavior, a stratified subset of 200 APKs (100 benign and 100 malicious) was randomly selected from the evaluation set. We, as two authors with expertise in Android malware analysis, independently reviewed the generated explanations and labeled hallucinated indicators according to the criteria above. Inter-annotator agreement was assessed using Cohen’s κ, yielding κ = 0.81, indicating strong agreement. Disagreements were resolved through discussion to produce the final annotation set. To estimate downstream impact, hallucinated indicators identified in the manually reviewed subset were removed from the structured feature representation before downstream evaluation, while keeping the classifier parameters unchanged. The resulting performance difference was used as an approximate estimate of hallucination-induced degradation.
Results: Hallucination Rates and Impact
Table 14 summarizes the hallucination analysis results. Across the 200 manually reviewed APKs, a total of 983 extracted indicators were assessed for explanation fidelity. Overall, 76 indicators (7.7%) contained at least one hallucination type. Factual inconsistencies were the most common (4.5%), typically involving the generation of API calls not present in the observed feature set. Unsupported inferences accounted for 2.7%, often when the model over-interpreted generic permissions (e.g., INTERNET) as potentially indicative of malicious behavior without clear supporting evidence from the extracted feature context. Contradictory reasoning was relatively rare (0.5%), suggesting that inconsistencies between generated explanations and classification outputs were uncommon.
Critically, hallucinations had a measurable but limited impact on detection performance. In the ablation analysis conducted on the manually reviewed subset, removing hallucinated indicators improved the F1-score from 0.969 to 0.975, indicating that hallucination-induced noise introduces some degradation but has a measurable but limited effect on downstream classification robustness. This resilience likely stems from the multi-indicator nature of the feature extraction pipeline, where malicious behavior is inferred from multiple corroborating signals rather than isolated extracted features.
Mitigation Strategies and Practical Guidance
Although hallucinations remain an inherent limitation of generative models, several practical mitigation strategies can reduce their impact in security-oriented deployments. First, evidence grounding can be strengthened by requiring each extracted indicator to explicitly reference its originating evidence within the input feature set. Second, post-generation consistency verification can be applied by cross-checking generated indicators against the original static analysis output to detect factual inconsistencies. Third, lightweight rule-based validation mechanisms, such as permission-API consistency checks, may help identify unsupported inferences before downstream classification. Overall, these findings suggest that hallucination-related errors in the proposed framework remain manageable, particularly when combined with structured prompting and post-processing safeguards, while preserving the interpretability advantages of LLM-assisted feature extraction.