Articles published on Android Malware
1132 Search results
- New
- Research Article
- 10.1016/j.eswa.2026.131528
- May 1, 2026
- Expert Systems with Applications
- Junwei Tang + 5 more
HHGDroid: Hybrid heterogeneous graph-based android malware detection via multi-evidence similarity fusion
- New
- Research Article
- 10.1016/j.jisa.2026.104385
- May 1, 2026
- Journal of Information Security and Applications
- Merve Cigdem Ipek + 1 more
Explainable android malware detection and malicious code localization using graph attention
- New
- Research Article
- 10.1016/j.jisa.2026.104406
- May 1, 2026
- Journal of Information Security and Applications
- Sanaya Malik + 2 more
Semantic characterization of android malware through runtime system call analysis
- New
- Research Article
- 10.1016/j.cose.2026.104845
- May 1, 2026
- Computers & Security
- Junwei Tang + 3 more
Dapadv: Differentiated adversarial perturbation generation method in problem space for android malware detection
- Research Article
- 10.1016/j.infsof.2026.108012
- Apr 1, 2026
- Information and Software Technology
- Nghi Hoang Khoa + 5 more
Android malware detection by using graph optimization of static features based on pre-trained language models
- Research Article
- 10.1016/j.sysarc.2026.103707
- Apr 1, 2026
- Journal of Systems Architecture
- Santosh K Smmarwar + 4 more
The rapid evolution of Artificial Intelligence of Things (AIoT) is accelerating the development of smart societies, where interconnected consumer electronics such as smartphones, IoT devices, smart meters, and surveillance systems play a crucial role in optimizing operational efficiency and service delivery. However, this hyper-connected digital ecosystem is increasingly vulnerable to sophisticated Android malware attacks that exploit system weaknesses, disrupt services, and compromise data privacy and integrity. These malware variants leverage advanced evasion techniques, including permission abuse, dynamic runtime manipulation, and memory-based obfuscation, rendering traditional detection methods ineffective. The key challenges in securing AIoT-driven smart societies include managing high-dimensional feature spaces, detecting dynamically evolving malware behaviours, and ensuring real-time classification performance. To address these issues, this paper proposed an AI-powered Android Malware Detection (AIMD) framework designed for AIoT-enabled smart society environments. The framework extracts multi-level features (permissions, intents, API calls, and obfuscated memory patterns) from Android APK files and employs graph embedding techniques (DeepWalk and Node2Vec) for dimensionality reduction. Feature selection is optimized using the Red Deer Algorithm (RDA), a metaheuristic approach, while classification is performed through an ensemble of machine learning models (Support Vector Machine, Decision Tree, Random Forest, Extra Trees) enhanced by bagging, boosting, stacking, and soft voting techniques. Experimental evaluations on CICInvesAndMal2019 and CICMalMem2022 datasets demonstrate the effectiveness of the proposed system, achieving malware detection accuracies of 98.78% and 99.99%, respectively. 
By integrating AI-driven malware detection into AIoT infrastructures, this research advances cybersecurity resilience, safeguarding smart societies against emerging threats in an increasingly connected world.
- Research Article
- 10.58346/jowua.2026.i1.014
- Mar 31, 2026
- Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications
- Dr Rafid Sagban + 2 more
Cybercriminals have become increasingly interested in the spread of critical information, particularly in interpersonal contact and mass distribution of programs and file downloads. This has heightened researchers' awareness of the rampant spread of malware and data breaches. It is anticipated that the number and intensity of malicious software will continue to rise, underscoring the imperative need for strong security architectures. This is especially critical for mobile networks and ubiquitous computing security, given the growing threat posed by hackers. The proposed project involves creating a new dataset using a strictly controlled, shared sample pool to address security threats in wireless mobile networks, leveraging dynamic analysis techniques for malware detection. The dataset aims to enhance the recognition of malicious software by leveraging methods such as encryption and obfuscation. The suggested classification algorithm is CNN-LSTM, a combination of Convolutional Neural Networks (CNNs) and the Long Short-Term Memory (LSTM) model, which excels at learning complex, sequential features. The CNN and LSTM models were tested on a dataset comprising more than 10,000 malware samples and achieved accuracies of 98% and 97%, respectively. These findings demonstrate how deep learning models can be used to enhance the security of mobile networks and provide effective protection against emerging threats in mobile and ubiquitous computing systems, in a highly beneficial way.
- Research Article
- 10.1038/s41598-026-45738-0
- Mar 28, 2026
- Scientific reports
- Mohammed Tawfik + 5 more
Android malware detection systems face critical challenges including data scarcity for emerging threat families, high-dimensional feature spaces, and concept drift caused by evolving attack techniques. Traditional machine learning approaches require extensive labeled datasets and frequent retraining, limiting their practical deployment against rapidly emerging threats. This paper proposes an adaptive few-shot malware classification framework that integrates CatBoost-based feature selection, prototypical networks with episodic meta-learning, quantum-enhanced classification, concept drift detection, and explainable AI (XAI) analysis using SHAP and LIME. The CatBoost feature selection reduces dimensionality by 99.46% on CCCS-CIC-AndMal-2020 (9,503 to 51 features) and 94.07% on KronoDroid (489 to 29 features) while preserving discriminative information. The prototypical network learns metric-based representations enabling classification with only 5 support samples per class. Extensive experiments demonstrate state-of-the-art performance with 99.70% accuracy on CCCS-CIC-AndMal-2020 (15 malware families) and 99.33% accuracy on KronoDroid (binary classification), outperforming existing methods by 0.70-9.70%. The framework exhibits robust temporal stability with maximum accuracy degradation of 0.24% across evaluation periods. XAI analysis reveals that file descriptor manipulation and file system operations are the most discriminative features for malware detection. These results establish few-shot prototypical learning with intelligent feature selection as an effective paradigm for practical malware detection requiring minimal annotation, interpretable decisions, and stable long-term performance.
- Research Article
- 10.1093/comjnl/bxag021
- Mar 24, 2026
- The Computer Journal
- Lingyu Qiu + 6 more
Due to the continuous evolution of Android malware, machine learning-based malware detection systems face the challenge of performance degradation. To address this issue, active learning has been employed to retrain models with new labeled data. Traditionally, active learning relies on ground-truth labels, which are time-consuming to obtain. Although leveraging model-predicted pseudo-labels for model retraining offers a cost-effective alternative, incorrect pseudo-labels may lead to model self-contamination. To alleviate the annotation overhead during model retraining and mitigate the detrimental effects of erroneous pseudo-labels on active learning performance, we introduce a novel framework, PLCDroid. The framework incorporates a label correction mechanism when using pseudo-labels for model retraining. Specifically, we present a pseudo-label type recognition method (PTR) based on model uncertainty and confidence to identify incorrect pseudo-labels. On the basis of PTR, we design fine-grained correction strategies to refine pseudo-labels. Consequently, the proposed method mitigates pseudo-label errors, thereby improving malware detection performance under concept drift. Experimental results over a decade-long period demonstrate the effectiveness of our approach. In the retraining task, leveraging corrected pseudo-labels leads to a substantial performance gain. Specifically, the false negative rate decreases from 76.0% to 47.6% on average, corresponding to an improvement of 37.4% compared to the related pseudo label-based active learning method MORPH.
- Research Article
- 10.3390/app16062670
- Mar 11, 2026
- Applied Sciences
- Gyumin Kim + 3 more
The existing research on Android malware detection using graph neural networks (GNNs) has largely focused on architectural improvements, while input node feature representations have received less systematic attention. This study adopts a representation-centric approach to enhance function call graph (FCG)-based malware classification through interpretability-driven feature engineering. We propose a dual-level structural feature framework integrating local topological patterns with global graph-level properties. The initial feature set comprises 13 dimensions: five local degree profile (LDP) features and eight global structural features capturing community structure, execution flow, and connectivity patterns. To mitigate the curse of dimensionality, we apply an interpretability-driven selection using integrated gradients (IG), gradient-weighted class activation mapping (GradCAM), and Shapley additive explanations (SHAP), yielding an optimized seven-dimensional subset. Experiments on the MalNet-Tiny benchmark demonstrate that the proposed approach achieves 94.47 ± 0.25% accuracy with jumping knowledge GraphSAGE (JK-GraphSAGE), improving the LDP-only baseline by 0.32 percentage points while reducing feature dimensionality by 46%. The selected features exhibit consistent importance across four GNN architectures and multiple message-passing layers, demonstrating model-agnostic effectiveness. The results reveal that aggregation mechanisms critically influence feature utility, highlighting the necessity of interpretability-guided design for robust malware detection. This work provides a systematic methodology for feature engineering in graph-based security applications.
- Research Article
- 10.1016/j.engappai.2026.113797
- Mar 1, 2026
- Engineering Applications of Artificial Intelligence
- Jiahui Lu + 4 more
A novel android malware classification approach based on multi-scale feature fusion for encrypted traffic
- Research Article
- 10.1016/j.knosys.2026.115376
- Mar 1, 2026
- Knowledge-Based Systems
- Kawthar Chakif + 2 more
Robust Android malware detection against obfuscation and adversarial attacks using RGB Markov images and deep ensemble learning
- Research Article
- 10.62520/fujece.1635121
- Feb 28, 2026
- Firat University Journal of Experimental and Computational Engineering
- Taha Etem
This study presents a comparative analysis of Principal Component Analysis (PCA) and ANOVA-based feature selection methods for Android malware detection, evaluating their impact on classification accuracy and computational efficiency. Three preprocessing scenarios were examined: using the original dataset with 241 features, applying PCA for feature extraction (retaining all components due to variance thresholds), and employing ANOVA to reduce the feature set to 120. Support Vector Machines (SVM), Wide Neural Networks, and Logistic Regression classifiers were trained on these datasets, with hyperparameters optimized via 5-fold cross-validation. Results demonstrated that SVM consistently achieved the highest accuracy across all scenarios, peaking at 99.25% with PCA. However, PCA failed to reduce dimensionality of models and increased training times for SVM compared to the original dataset. In contrast, ANOVA effectively reduced the feature count, lowering SVM training time to 4.81 seconds while obtaining 98.95% accuracy. These findings highlight ANOVA as a computationally efficient method, balancing high detection performance with reduced resource demands. While PCA marginally improved accuracy, its computational cost renders it less practical for real-time applications. The study concludes that feature selection via ANOVA offers a superior trade-off for Android malware detection, prioritizing both accuracy and efficiency. Future work should explore advanced feature selection techniques and validate models on diverse datasets to enhance generalizability and address evolving malware threats.
- Research Article
- 10.58496/2026/003
- Feb 27, 2026
- Mesopotamian Journal of CyberSecurity
EXPRESSION OF CONCERN FOR: Riyadh Rahef Nuiaa AlOgaili, Osamah Adil Raheem, Mohamed H GhalebAbdkhaleq, Zaid Abdi Alkareem Alyasseri, Saif Ali Abd Alradha Alsaidi, Ali Hakem Alsaeedi, Yousif Raad Muhsen, Selvakumar Manickam. (2025). AntDroidNet Cybersecurity Model: A Hybrid Integration of Ant Colony Optimization and Deep Neural Networks for Android Malware Detection. Mesopotamian Journal of CyberSecurity, 5(1), 104-120. https://doi.org/10.58496/MJCS/2025/008 https://mesopotamian.press/journals/index.php/CyberSecurity/article/view/711 Reason for Expression of Concern: The Editors wish to alert readers to potential concerns regarding the reliability of the findings reported in “AntDroidNet Cybersecurity Model: A Hybrid Integration of Ant Colony Optimization and Deep Neural Networks for Android Malware Detection”. The journal has initiated an additional editorial assessment of the article’s methodology, data provenance, and reported outcomes to confirm their reliability and reproducibility. This notice is issued to ensure transparency while the review is ongoing. The Expression of Concern does not constitute a final determination regarding the validity of the work. The journal will update readers once the assessment is completed and will take any necessary editorial action in accordance with the journal’s policies and COPE guidance.
- Research Article
- 10.71026/ls.2025.03001
- Feb 16, 2026
- Lao Science Journal
- Phetsamone Phoumaly + 1 more
The rise of cyber-attacks targeting mobile devices, particularly Android malware, has continued to grow, making the development of automated detection and classification methods increasingly important. This study aims to compare the performance of five supervised learning algorithms, namely Decision Tree (DT), Random Forest (RF), Support Vector Machine (SVM), K-Nearest Neighbors (KNN), and Naïve Bayes (NB), in detecting and classifying Android malware applications. The experiments were conducted using the CICMalDroid2020 dataset, which consists of multiple malware categories as well as benign applications. A feature selection procedure was implemented; the approach was designed to accelerate training and improve predictive accuracy by retaining only the most relevant predictors. All algorithms were trained with commonly employed default hyperparameters to establish a fair baseline rather than conducting extensive parameter optimisation. Two evaluation strategies were employed: 10-fold cross-validation, and the holdout method with a 70/30 training split. The performance was assessed using standard metrics including Accuracy, Precision, Recall, and F1-score. The experimental results indicate that RF consistently achieved the highest performance across both evaluation methods: 94.17% Accuracy with 10-fold cross-validation and 93.65% Accuracy with the holdout split. In contrast, NB showed the lowest performance in all metrics, while DT and KNN delivered relatively competitive results with acceptable accuracy. SVM, however, produced lower accuracy compared to RF and DT. These findings highlight the importance of feature selection and the significance of selecting an appropriate algorithm in Android malware detection. Although RF demonstrated robustness on this large, complex dataset, further research is required to assess its computational cost and scalability for deployment on resource-constrained mobile devices.
- Research Article
- 10.66422/wh0h4a90
- Feb 15, 2026
- Research Journal of Maaref University of Applied Sciences
- Abdul Museeb + 2 more
Android malware continues to pose a serious threat to mobile security, frequently evading traditional signature-based detection techniques and compromising sensitive user data. While signature-based approaches are effective against known malware, they struggle to identify obfuscated and evolving threats. To address these limitations, this paper proposes a hybrid machine-learning framework for Android malware detection that integrates Random Forest and XGBoost classifiers. The model relies on static features, specifically API calls and application permissions, which are highly indicative of malicious behaviour. Experiments are conducted using the CIC-AndMal2017 dataset, consisting of labelled benign and malicious Android applications. A systematic feature-selection process is applied to retain the most informative API and permission features. Dimensionality reduction using t-Distributed Stochastic Neighbour Embedding (t-SNE) is employed to improve computational efficiency while preserving meaningful patterns in the data. Experimental results demonstrate that the proposed hybrid model achieves an accuracy of 91.20%, outperforming individual classifiers. The findings highlight the effectiveness of ensemble learning, optimised feature selection, and dimensionality reduction in building scalable and accurate Android malware detection systems.
- Research Article
- 10.1002/spy2.70206
- Feb 11, 2026
- SECURITY AND PRIVACY
- Kirubavathi Ganapathiyappan + 7 more
The primary cybersecurity threat addressed in this work arises from Android malware that bypasses conventional fingerprint‐based defenses by exploiting permission misuse, intent filters, and code obfuscation techniques. To address this challenge, this paper proposes an interpretable and rational malware detection framework based on ensemble learning. Five machine learning classifiers—Logistic Regression, Random Forest, Gradient Boosting, XGBoost, and Neural Networks—were evaluated using three Android malware datasets, namely CHIMERA, Mendeley, and NaticusDroid. The proposed methodology employs a strict preprocessing pipeline, a hybrid interactive feature selection and elimination strategy, five‐fold cross‐validation, and hyperparameter optimization. Experimental results show that ensemble models, particularly XGBoost and Random Forest, achieve predictive accuracies exceeding 97% even on limited or noisy datasets such as Mendeley and NaticusDroid. Interpretability analysis using SHAP reveals that critical Android permissions, including READ_PHONE_STATE, SEND_SMS, and RECEIVE_BOOT_COMPLETED, strongly influence model decisions and are closely associated with real‐world malicious behaviors such as data exfiltration and persistence. Duplicate sample filtering improves computational efficiency and slightly mitigates overfitting, while adversarial evaluation provides insights into model robustness against evasion attacks. Overall, the findings demonstrate that ensemble learning combined with explainable AI yields malware detection models that are both highly accurate and transparent, providing a practical foundation for interpretable and adversarially resilient Android malware detection. Future work will focus on real‐world deployment.
- Research Article
- 10.1145/3796231
- Feb 7, 2026
- ACM Transactions on Software Engineering and Methodology
- Cuiying Gao + 7 more
The high-quality labeled dataset is crucial for building effective Android malware detection models. However, widely used automated labeling systems (e.g., antivirus services) are often not stable enough and may introduce label noise. In this paper, we identify and analyze two types of noise: RDMnoise and IDNnoise. RDMnoise is introduced by the labeling system randomly flipping labels, exhibiting class symmetry. In contrast, IDNnoise arises primarily because engines tend to misclassify obfuscated software as malware, exhibiting class dependency. Both types of noise can bias the training process of malware detection systems, thereby affecting the overall performance of the model. To combat these two types of noise of Android malware detection, we propose a lightweight training framework called CoNoMAD, which combines model-level and data-level approaches to jointly mitigate label noise. Specifically, to overcome the uncertainty introduced by noisy labels for model training, we assist the training by seeking more certainty in the supervisory information from both the model and data levels. On the model level, CoNoMAD relies on an under-trained model. The intuition behind this is to reduce the model's sensitivity to noisy labels by limiting its capacity to overfit. On the data level, CoNoMAD employs a clustering algorithm to mitigate the impact of noise on data distribution by identifying and grouping similar data points. Through auxiliary training on these two levels, CoNoMAD effectively mitigates the negative impact of label noise on models in complex scenarios. We validate the performance of CoNoMAD on 25 datasets with varying noise ratios, including the RDMnoise dataset, the IDNnoise dataset, and a mixed dataset containing both types of noise. Experiments show CoNoMAD improves detection performance by 50.89%, 24.30%, and 29.34% on popular malware detectors, under the RDMnoise, IDNnoise, and Mixed Noise.
Compared to state-of-the-art methods, CoNoMAD achieves higher detection performance and training efficiency. Finally, this study calls for more attention to the impact of label noise on Android malware detection.
- Research Article
- 10.7717/peerj-cs.3312
- Feb 6, 2026
- PeerJ Computer Science
- Collins Uchenna Chimeleze + 2 more
The increasing prevalence of malicious applications targeting the Android operating system has intensified security challenges in recent years. As Android’s popularity continues to grow, it not only attracts users but also becomes a prime target for cybercriminals, underscoring the critical need for robust defenses against advanced Android malware. This survey manuscript is intended for a multidisciplinary field to evaluate and analyse the Android malware trend, behaviors, taxonomies, and future direction. This survey presents a comprehensive review of study trends, examines Android malware behaviors over time, and analyzes their patterns across platforms, families, and regions. Additionally, it evaluates existing Android malware taxonomies and identifies key gaps. To address these gaps, we propose an enhanced taxonomy tailored to advanced Android malware. The study concludes with actionable recommendations for future research, aimed at assisting users and industry professionals in mitigating the evolving risks posed by sophisticated Android malware attacks.
- Research Article
- 10.5753/jbcs.2026.5646
- Feb 6, 2026
- Journal of the Brazilian Computer Society
- Vanderson Rocha + 3 more
Feature selection plays a crucial role in developing effective predictive models by reducing dimensionality and emphasizing the most relevant attributes. However, current research in this area often lacks comprehensive benchmarking and frequently depends on proprietary datasets. These limitations hinder reproducibility and may lead to inconsistent or suboptimal model performance. To address these limitations, we introduce the MH-FSF framework, a comprehensive, modular, and extensible platform designed to facilitate the reproduction and implementation of feature selection methods. Developed through collaborative research, MH-FSF provides implementations of 17 methods (11 classical, 6 domain-specific) and enables systematic evaluation on 10 publicly available Android malware datasets. Our results reveal performance variations across both balanced and imbalanced datasets, highlighting the critical need for data preprocessing and selection criteria that account for these asymmetries. We demonstrate the importance of a unified platform for comparing diverse feature selection techniques, fostering methodological consistency and rigor. By providing this framework, we aim to significantly broaden the existing literature and pave the way for new research directions in feature selection, particularly within the context of Android malware detection.