“…However, most existing AMDs only extract single and simple information for behavioral modeling [12], [4], [5], [13] (e.g., API sequence, Android APIs, graph), which makes malware able to evade them [14], [15], [16]; • C2: Time Dependency: Time dependency represents the execution logic of code and contains semantic and structural information (i.e., control flow, data flow, and invocation relationship) [17], [3], [18]. Capturing time dependency is necessary since malicious components may be some small parts of malware apps (e.g., 2%) [19] and distributed separately in them [17]. Most existing AMDs [20], [7], [21], [22], [4], [5] neglect it or consider parts of it, allowing malware to evade detection with specific modifications [17], [16]; and • C3: Fine-granularity Malicious Component Detection: Existing few malicious code fragment detection systems [23], [24], [12] can locate malicious code at class or method level.…”