DeepTrust: Multi-Step Classification through Dissimilar Adversarial Representations for Robust Android Malware Detection

📅 2025-10-14

🤖 AI Summary
Machine learning models for Android malware detection are vulnerable to adversarial examples in the feature space. Method: This paper proposes a multi-step decoupled classification architecture comprising a heterogeneous deep neural network cascade. It introduces a representation decoupling mechanism—maximizing inter-layer representation divergence to enhance model unpredictability—and integrates metaheuristic-driven dynamic path activation with joint adversarial training and representation learning. Contribution/Results: To our knowledge, this is the first work embedding representation decoupling into a sequential classification framework, effectively mitigating iterative evasion attacks. Evaluated on the 2025 IEEE SaTML Competition, our approach achieved first place: it improves robustness against adversarial attacks by 266% over the second-place method, attains the highest non-adversarial malware detection rate, and maintains a false positive rate below 1%.

📝 Abstract
Over the last decade, machine learning has been extensively applied to identify malicious Android applications. However, such approaches remain vulnerable to adversarial examples, i.e., examples that are subtly manipulated to fool a machine learning model into making incorrect predictions. This research presents DeepTrust, a novel metaheuristic that arranges flexible classifiers, like deep neural networks, into an ordered sequence where the final decision is made by a single internal model based on conditions activated in cascade. In the Robust Android Malware Detection competition at the 2025 IEEE Conference SaTML, DeepTrust secured first place and achieved state-of-the-art results, outperforming the next-best competitor by up to 266% under feature-space evasion attacks. This is accomplished while maintaining the highest detection rate on non-adversarial malware and a false positive rate below 1%. The method's efficacy stems from maximizing the divergence of the learned representations among the internal models. By using classifiers inducing fundamentally dissimilar embeddings of the data, the decision space becomes unpredictable for an attacker. This frustrates the iterative perturbation process inherent to evasion attacks, enhancing system robustness without compromising accuracy on clean examples.

Problem

Research questions and friction points this paper is trying to address.

Detecting Android malware under adversarial example attacks
Maintaining high detection accuracy on non-adversarial malware
Reducing false positive rates in robust malware classification

Innovation

Methods, ideas, or system contributions that make the work stand out.

Sequential classifiers with cascade activation for decisions
Maximizing divergence in learned adversarial representations
Unpredictable decision space using dissimilar embedding classifiers