Clear Sky Science

A deep learning-based IoT malware detection approach for electric vehicle charging stations

Why your car charger’s safety matters

Electric vehicles increasingly plug into smart charging stations packed with tiny internet‑connected gadgets. These devices make charging faster and more efficient, but they also open new doors for hackers. Malware that sneaks into a single sensor or controller can ripple outward, threatening power grids, personal data, and the availability of charging itself. This paper introduces a new way to spot such hidden malicious software before it ever reaches the devices inside an electric vehicle (EV) charging station.

Hidden risks inside smart chargers

Modern EV charging stations rely on an ecosystem of Internet of Things (IoT) devices—smart meters, temperature sensors, relays, and controllers—that constantly talk to the cloud and to each other. If attackers plant malware on any of these components, they can intercept or alter data, steal payment information, or even manipulate charging loads to destabilize the local grid. Real incidents in the power sector show that compromised industrial devices can disconnect turbines or jeopardize nuclear facilities. As charging networks expand, detecting malware in the software that runs on these varied devices has become a critical line of defense.

Why current defenses fall short

Many existing IoT malware detectors look only at one type of device processor, such as ARM or MIPS, even though real charging networks use a mix of hardware. Other methods rely on a narrow slice of information, such as a quick visual snapshot of a program or a simple count of instructions. Some systems try to combine several clues but do so in a crude way—just gluing features together without understanding how they relate or which ones matter most for a given sample. As a result, they may miss subtle attack patterns or fail when confronted with new device types or malware families.

Looking at malware from three angles

The authors propose a static detection approach, meaning it inspects software files before they are installed on any device. First, they send code compiled for different processor types through a government‑developed tool called Ghidra, which translates everything into a shared “intermediate” language. This step strips away hardware quirks while preserving the logic of what the program does, allowing the same analysis pipeline to handle files from ARM, x86, MIPS, and other architectures. From each file, the system then extracts three complementary views: a global shape view, a statistical view, and a behavioral view.

In the global shape view, the raw binary file is treated like a long stream of numbers and converted into a grayscale image, where each pixel represents a fragment of code. A convolutional neural network scans this image for recurring textures and layouts that differ between benign software and malware families. In the statistical view, the translated instructions are broken into short sequences whose frequencies are measured using a method borrowed from text search. A simple neural network examines these frequency patterns to capture which instruction fragments are unusually common in malicious programs. In the behavioral view, repeated or uninformative instruction patterns are pruned away, and a recurrent network (LSTM) reads the remaining instruction sequence like a sentence, learning how operations follow one another in time and revealing deeper malicious logic.
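The input side of the three views can be sketched without any neural network. The following is an added example, not code from the paper or its authors: the opcode names are constructed samples in the style of Ghidra's P-code, and the image width and the rule of collapsing consecutive repeats are assumptions, since the summary does not give the paper's exact settings.

```python
import math
from collections import Counter

# Constructed samples: opcode names in the style of Ghidra's P-code, not real lifts.
BENIGN = ["COPY", "LOAD", "INT_ADD", "STORE", "RETURN"]
SUSPECT = ["COPY", "COPY", "COPY", "LOAD", "INT_XOR", "STORE", "BRANCH",
           "LOAD", "INT_XOR", "STORE", "BRANCH"]

def bytes_to_grayscale(data: bytes, width: int = 8) -> list[list[int]]:
    """Global shape view: each byte becomes one pixel (0-255); last row zero-padded."""
    padded = data + bytes(-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]

def ngrams(ops: list[str], n: int) -> list[tuple[str, ...]]:
    """Sliding window of n consecutive opcodes."""
    return [tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)]

def tfidf(corpus: list[list[str]], n: int = 2) -> list[dict]:
    """Statistical view: TF-IDF weight of every opcode n-gram, per sample."""
    counts = [Counter(ngrams(ops, n)) for ops in corpus]
    doc_freq = Counter(g for c in counts for g in c)  # samples containing each n-gram
    weights = []
    for c in counts:
        total = sum(c.values())
        weights.append({g: (k / total) * math.log(len(corpus) / doc_freq[g])
                        for g, k in c.items()})
    return weights

def prune_repeats(ops: list[str]) -> list[str]:
    """Behavioral view input: collapse runs of one opcode (assumed pruning rule)."""
    pruned: list[str] = []
    for op in ops:
        if not pruned or pruned[-1] != op:
            pruned.append(op)
    return pruned

if __name__ == "__main__":
    print(bytes_to_grayscale(b"\x7fELF\x01\x01", width=4))
    top = max(tfidf([BENIGN, SUSPECT])[1].items(), key=lambda kv: kv[1])
    print("most distinctive bigram in SUSPECT:", top)
    print(prune_repeats(SUSPECT))
```

A bigram that occurs in every sample gets weight zero, which is why TF-IDF highlights instruction fragments that are distinctive rather than merely frequent.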

Blending clues with focused attention

Rather than simply stacking these three feature sets side by side, the authors design a fusion model that actively weighs and refines them. A multi‑head attention mechanism, inspired by recent advances in language models, learns which feature stream carries the most telling evidence for each software sample, adjusting their influence on the fly. A one‑dimensional convolution layer then searches the fused representation for short but important patterns, while a multi‑layer encoder repeatedly mixes and reshapes the information to expose subtle relationships between structural, statistical, and behavioral clues. The final output is a single score indicating whether the software is likely benign or malicious, and which malware family it belongs to.

How well the new method works

To test their system, the researchers assemble a large public dataset of IoT programs drawn from two widely used malware repositories, covering five major processor types common in EV infrastructure. They compare many settings and feature combinations, showing that each of the three views adds unique value—dropping any one of them noticeably hurts performance. Their full three‑view, attention‑based fusion model outperforms several state‑of‑the‑art approaches, including image‑only and graph‑based systems. Across all architectures, the new method improves a key balanced accuracy measure (the F1 score) by about 1.37 percentage points and reduces the rate at which benign software is misclassified as malware.

What this means for everyday charging

For drivers, the work suggests a future in which the software running behind the scenes at charging stations undergoes far more rigorous screening. By examining code from multiple angles and across different hardware platforms, the proposed system can catch a wider range of threats before they reach IoT devices connected to the grid. Although the current method focuses on static files and may struggle with heavily obfuscated or encrypted malware, it already offers utilities and charging‑network operators a powerful centralized tool to keep the digital side of EV charging as reliable as the cables and transformers we see on the street.

Citation: Xia, L., Chen, Y. & Han, L. A deep learning-based IoT malware detection approach for electric vehicle charging stations. Sci Rep 16, 10607 (2026). https://doi.org/10.1038/s41598-026-45220-x

Keywords: IoT malware, electric vehicle charging, cybersecurity, deep learning detection, smart grid security