Machine Learning for Mobile Defense: Detecting
SMS Malware and Riskware on Android
1st Anmol Rattan Singh
Chitkara University Institute of Engineering and Technology Chitkara University Institute of Engineering and Technology
Chitkara University, Punjab, India
[email protected]
[email protected]
3rd Nitin Saluja
Chitkara University Institute of Engineering and Technology
Chitkara University, Punjab, India
[email protected]
Abstract—Android smartphones are frequently targeted by
SMS Malware and Riskware attacks that aim to steal private
information such as user credentials, photos, videos, and banking
details. Often, Android users unknowingly allow these attacks by
clicking on unknown links or messages. The goal of this research
paper is to boost user confidence and privacy on Android devices.
The CICMalDroid 2020 dataset, which includes data on traffic
patterns related to Riskware and SMS malware attacks, forms
the basis of this research. The study introduces a methodology for
the early detection of these threats by incorporating a machine
learning-enabled chip at the hardware level. The dataset has been
processed using various machine learning algorithms to assess the
most effective ones for detecting Android malware. The findings
demonstrate the superiority of the random forest algorithm
on the CICMalDroid dataset, with this classifier achieving the
highest accuracy, recall, and F1 score compared to others. Con-
versely, the Naive Bayes method is noted for its reliability and its
ability to minimize false positives. These outcomes emphasize the
importance of strengthening cybersecurity measures, regularly
updating software, and the critical role of machine learning in
enhancing the security of Android devices.
Index Terms—Attack; Defense; Mobile; SMS; Machine Learn-
ing; Malware; Riskware
I. I NTRODUCTION
SMS Malware and Riskware attacks targeting Android
smartphones have escalated, posing significant threats to user
privacy and data security. A global operation uncovered thou-
sands of devices compromised by text messages containing
malicious URLs designed to trick recipients into clicking,
thereby infecting their devices and risking data theft, financial
fraud, or unauthorized access. Moreover, the prevalence of
riskware has risen, with attackers using ostensibly benign apps
to harvest sensitive information. Experts warn that numerous
legitimate Android apps from well-known app stores may
harbor concealed riskware, endangering login details, financial
information, and location data. Android’s widespread adoption
globally makes it a lucrative target for cybercriminals. To
combat these threats, experts recommend regularly updating
Android devices, installing reliable antivirus software, and
staying alert to suspicious websites and unauthorized app
2nd Gurjinder Singh
Chitkara University, Punjab, India
downloads. Educating users about the dangers of SMS Mal-
ware and Riskware is essential for securing Android devices
in today’s digital environment.
The malicious software in question operates under the
guise of a standard SMS application, exploiting the SMS
functionalities such as credit or unit transfers offered by many
carriers worldwide. This malware thrives by fully control-
ling the SMS capabilities, thanks to Android’s ”permission”
subsystem, ”broadcast receiver” subsystem, and its message-
sending mechanism [1]. It can conceal transactions from
telecom operators, draining funds from users’ accounts and
impacting multiple stakeholders. Despite passing standard
malware checks, this highlights the urgent need for advanced
detection techniques. The article outlines several methods to
mitigate these threats.
As Android continues to dominate the mobile market for
smartphones, tablets, and other portable devices, its open-
source nature and increasing popularity make it an attractive
target for hackers. This research incorporates both static and
dynamic analyses of Android applications to detect malware,
scrutinizing app permissions and behaviors. The findings re-
veal that 80% of applications request risky permissions and
13% display potentially harmful behavior, indicating a need
for stricter safety standards.
Despite ongoing efforts by academia and industry, chal-
lenges in Android malware detection and classification persist.
Collecting labeled data for supervised learning is costly and
difficult. The proposed solution in this study is a pseudo-
label semi-supervised learning approach that utilizes deep
neural networks trained on both labeled and unlabeled in-
puts. Dynamic analysis helps to create feature vectors from
behavior profiles. The study introduces the CICMalDroid2020
dataset, which includes 17,341 Android adware, banking,
SMS, riskware, and benign applications, offering the most
comprehensive static and dynamic data publicly available [2].
The results demonstrate that the proposed model surpasses
Label Propagation (LP) and other machine learning methods,
achieving a high F1-score of 97.84% and a low false positive
rate of 2.76%.
This research manuscript comprises several sections, each
addressing different aspects of the study: Section II provides
an overview of recent advancements in protecting Android
devices from malware threats; Section III details the method-
ologies used in the experimental study; Section IV discusses
the results and insights gained from applying machine learn-
ing algorithms to detect intrusions on Android devices; and
Section V concludes the study, summarizing the key findings
and contributions along with the future scope of the same.
II. L ITERATURE R EVIEW
The number of gadgets and applications continues to rise,
with smartphones and tablets driving increased app usage due
to rapid technological advances. Despite passing initial virus
checks, many apps containing difficult-to-detect malware are
still trusted and available on the Play Store. Initial tests may
miss unknown threats, potentially causing significant damage.
This project introduces real-time Android malware detection
solutions using dynamic algorithms and hybrid approaches,
aimed at quickly identifying complex Android malware. The
research differentiates between harmful and benign applica-
tions after filtering the dataset. The findings show that a hy-
brid Random Forest-Multilayer Perceptron network achieved
97.5% accuracy in just 22.945 seconds, making it a promising
defense against cyberattacks by identifying harmful mobile
app versions and protecting users’ devices [3].
Despite efforts in both academic and corporate research,
Android malware detection and classification remain unsolved
challenges. Collecting labeled data is costly and difficult.
The authors propose a pseudo-label semi-supervised learn-
ing method that trains deep neural networks on both la-
beled and unlabeled data. Dynamic analysis generates feature
vectors from behavior profiles. The research introduces CI-
CMalDroid2020, a dataset containing 17,341 Android adware,
banking, SMS, riskware, and benign apps, offering extensive
static and dynamic data [4]. The model outperformed Label
Propagation (LP) and other machine learning algorithms, with
a high F1-score of 97.84% and a low false positive rate of
2.76%.
Malware attacks have surged with the widespread use of
Android devices. Attackers frequently develop new or updated
malware. Due to the limitations of traditional detection meth-
ods in Android systems, machine learning has gained popular-
ity in cybersecurity. The research introduces an evolutionary
approach for detecting Android malware with a detection
accuracy of 99.11%, making it a promising method for zero-
day threat detection. Integrating machine learning techniques
has significantly enhanced Android’s security, with malware
detection accuracy improving substantially [5].
Given Android’s 72% market share, it has become a pri-
mary target for cybercriminals. Despite challenges, detecting
malicious apps is a key focus of Android research. This paper
presents a supervised learning approach for Android malware
detection, which outperforms semi-supervised methods across
several parameters. The study uses labeled datasets, includ-
ing around 18,000 samples categorized as adware, banking,
SMS, riskware, and benign apps. Well-known datasets like
CICMalDroid2020, CICMalDroid2017, and CICAndMal2017
are employed to ensure accuracy [6]. The research contributes
to the development of new Android malware detection algo-
rithms, suggesting that further studies on Android security are
essential.
Android malware presents a significant threat across sectors
such as healthcare, finance, transportation, government, and e-
commerce. This research presents two machine learning algo-
rithms for dynamic Android malware analysis. One approach
achieved over 96% accuracy in detecting and identifying
Android malware, while the second method accurately classi-
fied malware families with over 99% accuracy. The research
utilized a large dataset comprising 14 malware categories and
180 malware variants, enabling accurate and efficient dynamic
analysis of Android malware [7].
Due to the rapid expansion of Android, malware attacks
on mobile websites and applications have become a major
concern. Traditional malware detection methods are often
ineffective and time-consuming, requiring improved solutions
[8]. The study introduces a lightweight convolutional neural
network (CNN)-based detection technique, which converts An-
droid malware components like classes.dex and AndroidMan-
ifest.xml into RGB images for analysis. This approach allows
for quick and accurate detection of malware on platforms with
limited processing capabilities, such as mobile devices.
As malware attacks on computers, the internet, and mobile
devices increase, zero-day malware detection has become a
top priority for security experts [9]. Attackers are increasingly
targeting Android, the most widely used mobile operating
system. Security experts employ various machine learning
techniques to detect Android malware by distinguishing be-
tween malicious and legitimate APKs. The study uses 27 CI-
CMalDroid2020 APK features from a dataset of 18,998 APKs.
Machine learning classifiers like Random Forest achieved
98.6% accuracy in detecting Android malware. This highlights
the effectiveness of machine learning in combating Android
malware, as evidenced by the detection of 9,599,519 mobile
malware cases in 2021 by Kaspersky. [10]
Android users frequently engage in online banking and
shopping, exposing their devices to malware threats. The
authors use the CICMalDroid2020 dataset of 17,341 modern
Android apps to test various machine learning classifiers for
malware detection [11]. After preparing the data and applying
classifiers, the results are evaluated for accuracy. The aim of
this research is to identify the most effective classifier for the
dataset, helping readers understand which machine learning
algorithm performs best.
Many publicly available malware datasets either lack proper
labels or only provide a single label per sample, making
it difficult to capture the complex behavior of malware.
This paper offers a multi-labeling technique to automatically
identify the different behaviors of malware samples based on
classifications from automated detection engines [12]. The

Fig. 1. Methodology
study compares the behavior of known malware with the
labeling approach. After applying the multi-labeling method
to four public Android malware datasets, the composition and
representativeness of these datasets are analyzed and discussed
[13], [14].
III. M ETHODOLOGY
The solution outlined in this paper significantly enhances
the defense of Android-based devices, including laptops, cell
phones, and tablets, against malicious software and potentially
harmful data from the internet. This method ensures compre-
hensive security by continuously monitoring data collected
online through sophisticated machine learning (ML) tech-
niques. It can instantly detect and eliminate potential threats
by analyzing both data signatures and behavioral patterns.
This proactive approach not only protects user privacy
and sensitive information but also increases user awareness
of potential threats, keeping them informed about the latest
developments. The ML-based security system is designed to
adapt to the latest cyber intrusion methods while avoiding false
positives, providing dynamic protection that evolves with the
changing landscape of internet risks.
By adopting this comprehensive security solution, Android
users are better equipped to enjoy robust and dependable
protection against the constant threats present in the digital
environment, ensuring the functionality and integrity of their
devices remain intact. The Figure 1, represents a simplified
flowchart of an Android malware detection system, detailing
how APK files are processed to check for malware. Here’s a
streamlined explanation:
1) Internet Download: APK files are fetched from the
Internet.
2) Malware Detection: The Android Malware Detection
Software analyzes the APKs to determine if they are
safe or contain malware.
• If malware is detected in APK 1, the data is removed
to protect the device.
• If no malware is found in APK 2, it is deemed safe
for use.
This flowchart illustrates the process of securing an Android
device by assessing and handling potential threats found in
applications downloaded from the internet.
IV. R ESULTS
This research paper utilizes various machine learning al-
gorithms—logistic regression, random forest classifier, and
naive Bayes classifier—to bolster the security and privacy of
Android mobile phones by effectively removing SMS Malware
and Riskware. The aim is to enhance the confidentiality of
personal information on Android devices. The study employs
data from the CICMalDroid 2020 dataset, which provides a
substantial base for analysis.
A. Model Used
The Random Forest Classifier emerged as the top performer,
delivering the highest accuracy, recall, and F1-score, proving
its effectiveness in detecting harmful software. Meanwhile, the
Naive Bayes algorithm also displayed high precision in its
outcomes. Despite the effectiveness of these machine learning
models, the paper emphasizes the necessity of comprehensive
cybersecurity measures and regular software updates to combat
the continuously evolving cyber threats.
1) Precision:: Precision measures the accuracy of the pos-
itive predictions. It is the ratio of correctly predicted positive
observations to the total predicted positives. This metric is
particularly important when the cost of a false positive is high.
TP
P recision = (1)
(T P + F P )
Precision is crucial in scenarios like spam detection, where
it’s preferable to let some spam emails through rather than
wrongly classifying important emails as spam.
2) Recall (Sensitivity or True Positive Rate): :
Recall measures the model’s ability to detect positive in-
stances from the actual positives available during the testing.
It is the ratio of correctly predicted positive observations to
all observations in actual class - yes. Formula:
TP
Recall = (2)
TP + FN
 Fig. 2. Precision
Fig. 3. Recall Comparison
Recall is critical in medical scenarios where it’s crucial
to identify all possible positive cases, such as predicting if
a patient has a disease. Missing a true positive can be life-
threatening.
3) F1 Score: :
The F1 Score is the weighted average of Precision and
Recall. Therefore, this score takes both false positives and
false negatives into account. It is especially useful when the
classes are imbalanced. Formula:
2 ∗ (P recision ∗ Recall)
F 1Score = (3)
(P recision + Recall)
F1 Score is used when an equal balance of precision and recall
is important, such as in document classification where it’s
important to precisely predict the category of the document
as well as to cover all potential documents of a category.
4) Accuracy: : Accuracy measures the overall correctness
of the model, that is, the ratio of correct predictions (both
true positives and true negatives) to the total number of cases
examined. Formula:
TP + TN
Accuracy = (4)
TP + TN + FP + FN
Accuracy is a useful measure when the target classes are
well balanced and the costs of different types of prediction
Fig. 4. F1-Score
Fig. 5. Accuracy
errors are similar. However, it might be misleading in the
presence of imbalanced classes, as it can reflect the underlying
class distributions rather than the ability of the model to make
accurate predictions. In above equations we have,
• TP (True Positives): The number of correct positive
predictions.
• FP (False Positives): The number of incorrect positive
predictions.
• TN (True Negatives): The number of correct negative
predictions.
• FN (False Negatives): The number of positives that were
incorrectly predicted as negative.
V. C ONCLUSION
In conclusion, this research employs a variety of ma-
chine learning algorithms—Logistic Regression, Random For-
est Classifier, and Naive Bayes Classifier—to enhance the
trust and privacy of Android mobile phones by detecting and
mitigating SMS Malware and Riskware. The findings, detailed
in this research paper, indicate that the Random Forest Classi-
fier outperformed other models in terms of accuracy, recall,
and F1-score, proving its efficacy in identifying malicious
software and bolstering Android device security. Conversely,
the Naive Bayes algorithm demonstrated high accuracy and
reduced false positives, underscoring the significant role of
machine learning in enhancing mobile security. However, it
is crucial to note that machine learning models need to be
supplemented with robust cybersecurity measures and regular
software updates due to the ever-evolving nature of cyber
threats. Future research should aim to refine these models to
counter the increasing threats specific to Android malware.
Ongoing collaboration between the cybersecurity community
and machine learning experts remains vital for developing
more effective security mechanisms. Mobile operating system
developers must continue investing in security technologies
to enhance overall device protection comprehensively. Addi-
tionally, efforts to increase user education and awareness are
essential to equip Android device users with the necessary
skills to recognize and counteract potential threats.
[12] I. Sharma and V. Pahuja, “Comparative Analysis of Open-Source
Vulnerability Assessment Tools for Campus Area Network,” in 2023
International Conference on Emerging Smart Computing and Informatics
(ESCI), 2023, pp. 1–6. doi: 10.1109/ESCI56872.2023.10100030.
[13] I. Sharma, “Evolution of Unmanned Aerial Vehicles (UAVs) with
Machine Learning,” in 2021 International Conference on Advances in
Technology, Management & Education (ICATME), 2021, pp. 25– 30.
doi: 10.1109/ICATME50232.2021.9732774.
[14] S. Mahdavifar, D. Alhadidi, and Ali. A. Ghorbani, “Effective and
Efficient Hybrid Android Malware Classification Using PseudoLabel
Stacked Auto-Encoder,” Journal of Network and Systems Management,
vol. 30, no. 1, p. 22, 2021, doi: 10.1007/s10922-021- 09634-4.

R EFERENCES

[1] K. Singh Dhindsa, S. Rani, and K. Singh Dhindsa Baba Banda

Singh Bahadur, “Android Malware Detection in Official and
Third Party Application Stores,” 2018, [Online] Available:
https://www.researchgate.net/publication/323573686
[2] K. Hamandi, A. Chehab, I. H. Elhajj, and A. Kayssi, “Android SMS
Malware: Vulnerability and Mitigation,” in 2013 27th International
Conference on Advanced Information Networking and Applications
Workshops, 2013, pp. 1004–1009. doi: 10.1109/WAINA.2013.134.
[3] A. H. El Fiky, A. El Shenawy, and M. A. Madkour, “Android Mal-
ware Category and Family Detection and Identification using Ma-
chine Learning,” CoRR, vol. abs/2107.01927, 2021, [Online]. Available:
https://arxiv.org/abs/2107.01927
[4] S. Mahdavifar, A. F. Abdul Kadir, R. Fatemi, D. Alhadidi, and A.
A. Ghorbani, “Dynamic Android Malware Category Classification us-
ing Semi-Supervised Deep Learning,” in 2020 IEEE Intl Conf on
Dependable, Autonomic and Secure Computing, Intl Conf on Perva-
sive Intelligence and Computing, Intl Conf on Cloud and Big Data
Computing, Intl Conf on Cyber Science and Technology Congress
(DASC/PiCom/CBDCom/CyberSciTech), 2020, pp. 515– 522. doi:
10.1109/DASC-PICom-CBDComCyberSciTech49142.2020.00094.
[5] A. Gómez and A. Muñoz, “Deep Learning-Based Attack Detection and
Classification in Android Devices,” Electronics (Basel), vol. 12, no. 15,
2023, doi: 10.3390/electronics12153253.
[6] M. Faisal Ahmed et al., “ShielDroid: A Hybrid Approach Integrating
Machine and Deep Learning for Android Malware Detection,” in 2022
International Conference on Decision Aid Sciences and Applications
(DASA), 2022, pp. 911–916. doi: 10.1109/DASA54658.2022.9764984.
[7] S. Mahdavifar, A. F. Abdul Kadir, R. Fatemi, D. Alhadidi, and A.
A. Ghorbani, “Dynamic Android Malware Category Classification us-
ing Semi-Supervised Deep Learning,” in 2020 IEEE Intl Conf on
Dependable, Autonomic and Secure Computing, Intl Conf on Perva-
sive Intelligence and Computing, Intl Conf on Cloud and Big Data
Computing, Intl Conf on Cyber Science and Technology Congress
(DASC/PiCom/CBDCom/CyberSciTech), 2020, pp. 515– 522. doi:
10.1109/DASC-PICom-CBDComCyberSciTech49142.2020.00094.
[8] S. Roy, S. Bhanja, and A. Das, “AndyWar: an intelligent android
malware detection using machine learning,” Innov Syst Softw Eng, 2023,
doi: 10.1007/s11334-023-00530-5.
[9] W. Waheed and H. Alyasiri, “Evolving trees for detecting android
malware using evolutionary learning,” International Journal of Nonlinear
Analysis and Applications, vol. 14, no. 1, pp. 753–761, 2023, doi:
10.22075/ijnaa.2022.6874.
[10] S. Mahdavifar, D. Alhadidi, and Ali. A. Ghorbani, “Effective and
Efficient Hybrid Android Malware Classification Using PseudoLabel
Stacked Auto-Encoder,” Journal of Network and Systems Management,
vol. 30, no. 1, p. 22, 2021, doi: 10.1007/s10922-021- 09634-4.
[11] P. Garcı́a-Teodoro, J. A. Gómez-Hernández, and A. Abellán-
Galera, “Multi-labeling of complex, multi-behavioral malware
samples,” Comput Secur, vol. 121, p. 102845, 2022, doi:
https://doi.org/10.1016/j.cose.2022.102845