Android malware threats have expanded significantly in recent years and now endanger user privacy and device security across billions of devices worldwide. Traditional supervised detection methods excel when substantial training data exists but encounter major difficulties in scenarios with limited labeled samples. These approaches fail to generalize in few-shot environments and suffer from both overfitting and underfitting problems. To this end, we present MARS, a novel framework that bridges the knowledge gap between general-purpose language models and domain-specific security expertise for effective malware detection. MARS integrates Core-set optimization with Retrieval-Augmented Generation (RAG)-enhanced large language model inference to address the challenges of malware classification in limited-data scenarios. Our approach implements a three-stage process: it applies Core-set selection to extract representative samples from each malware family, encodes security expert-defined feature-label associations into a structured rule repository, and employs Chain-of-Thought reasoning to interpret malicious behaviors while constraining outputs to align with expert knowledge. When evaluated on benchmark datasets, MARS demonstrates substantial performance improvements over traditional approaches and offers a promising solution to the persistent challenge of malware detection with limited training data. The main source code is publicly available at https://anonymous.4open.science/r/Mars-CDB9.