Conclusion

Across all six SHAP plots and six LIME plots, the explanations consistently highlight the same behavior and API use blocks:

Network volume + socket usage

DB reads/writes and queries

IPC/Binder (services, receivers, activities, Parcels)

PII and telephony IDs

Dynamic Dex loading

While both the Shapley and LIME interpretations support this, the evidence from the Shapley values is much stronger. They are not only more stable, they also show a clear, even contribution spread across several APIs from one of the above blocks. This shows the overall effect the group has, an interpretation that is lost in the instability and reshuffling of LIME.
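The two properties this paragraph rests on, stability across repeated explanation runs and an even spread of attribution within a behaviour block, can both be measured directly. The script below is an added example, not code from the original post or its models: it takes constructed per-API attribution vectors (the API names are hypothetical, loosely modelled on Android APIs, and the "SHAP-like" and "LIME-like" runs are invented to illustrate the contrast), rolls them up into the five behaviour blocks listed above, and scores each set of runs on top-k overlap, block-level variance, and within-block evenness.

```python
import statistics
from itertools import combinations

# Hypothetical API -> behaviour-block map (assumption; not the page's feature list).
BLOCKS = {
    "network": ["Socket.connect", "Socket.getOutputStream", "HttpURLConnection.connect"],
    "db": ["SQLiteDatabase.query", "SQLiteDatabase.insert", "SQLiteDatabase.rawQuery"],
    "ipc": ["Context.startService", "Context.registerReceiver", "Parcel.writeString"],
    "pii": ["TelephonyManager.getDeviceId", "TelephonyManager.getSubscriberId"],
    "dex": ["DexClassLoader.<init>", "DexClassLoader.loadClass"],
}
API_TO_BLOCK = {api: block for block, apis in BLOCKS.items() for api in apis}

# Constructed attribution vectors for one sample, three explanation runs each.
# "Stable" mimics Shapley-style output: the same network APIs carry similar weight every run.
STABLE_RUNS = [
    {"Socket.connect": 0.30, "Socket.getOutputStream": 0.28, "HttpURLConnection.connect": 0.27,
     "SQLiteDatabase.query": 0.05, "TelephonyManager.getDeviceId": 0.10},
    {"Socket.connect": 0.29, "Socket.getOutputStream": 0.30, "HttpURLConnection.connect": 0.26,
     "SQLiteDatabase.query": 0.06, "TelephonyManager.getDeviceId": 0.09},
    {"Socket.connect": 0.31, "Socket.getOutputStream": 0.27, "HttpURLConnection.connect": 0.28,
     "SQLiteDatabase.query": 0.04, "TelephonyManager.getDeviceId": 0.10},
]
# "Unstable" mimics reshuffling LIME-style output: a different API dominates each run.
UNSTABLE_RUNS = [
    {"Socket.connect": 0.60, "SQLiteDatabase.query": 0.02,
     "TelephonyManager.getDeviceId": 0.30, "Parcel.writeString": 0.08},
    {"HttpURLConnection.connect": 0.55, "DexClassLoader.loadClass": 0.35,
     "Socket.connect": 0.05, "SQLiteDatabase.insert": 0.04},
    {"TelephonyManager.getSubscriberId": 0.50, "Context.startService": 0.40,
     "Socket.getOutputStream": 0.10},
]


def aggregate_by_block(attr):
    """Sum per-API attributions into one value per behaviour block (0.0 if absent)."""
    totals = {block: 0.0 for block in BLOCKS}
    for api, value in attr.items():
        totals[API_TO_BLOCK[api]] += value
    return totals


def top_k(attr, k):
    """Set of the k highest-attributed APIs in one explanation run."""
    return set(api for api, _ in sorted(attr.items(), key=lambda kv: kv[1], reverse=True)[:k])


def mean_pairwise_jaccard(runs, k):
    """Stability score: average top-k overlap between every pair of runs (1.0 = identical)."""
    sets = [top_k(run, k) for run in runs]
    scores = [len(a & b) / len(a | b) for a, b in combinations(sets, 2)]
    return sum(scores) / len(scores)


def block_stdev(runs, block):
    """How much a block's total attribution wanders between runs (lower = more stable)."""
    return statistics.pstdev(aggregate_by_block(run)[block] for run in runs)


def max_share(attr, block):
    """Evenness within a block: share held by its single largest API (1.0 = one API dominates)."""
    members = {api: v for api, v in attr.items() if API_TO_BLOCK[api] == block}
    total = sum(members.values())
    return max(members.values()) / total if total else 0.0


if __name__ == "__main__":
    for label, runs in (("stable (Shapley-like)", STABLE_RUNS), ("unstable (LIME-like)", UNSTABLE_RUNS)):
        print(label)
        print("  top-3 overlap:", round(mean_pairwise_jaccard(runs, 3), 3))
        print("  network block stdev:", round(block_stdev(runs, "network"), 3))
        print("  network max share (run 0):", round(max_share(runs[0], "network"), 3))
```

Running it shows the contrast the paragraph describes: the stable runs keep the same top-3 APIs every time, the network block total barely moves, and no single network API holds more than about a third of the block's weight, whereas the unstable runs share almost no top features across runs and a single API carries the whole block in each of them. The block-level roll-up (`aggregate_by_block`) is the key step: it is what lets a group effect survive even when individual API rankings shuffle.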

Zero-day malware is undeniably harder to classify, but clustering techniques like t-SNE, or building more sophisticated embeddings with something like BERT, might be interesting to use for malware forensics and apprehending hackers.