
Phigrader Jnca

Evaluating Permissions, Intents and Hardware Components with multi-criteria decision making techniques

Uploaded by

Anshul Arora

Journal of Network and Computer Applications 232 (2024) 104021

Contents lists available at ScienceDirect

Journal of Network and Computer Applications


journal homepage: www.elsevier.com/locate/jnca

Research paper

PHIGrader: Evaluating the effectiveness of Manifest file components in Android malware detection using Multi Criteria Decision Making techniques

Yash Sharma ¹,∗, Anshul Arora ¹
Department of Applied Mathematics, Delhi Technological University, Delhi, 110042, India

ARTICLE INFO

Keywords: Android security, Malware detection, Permissions, Intents, Hardware components, Feature ranking

ABSTRACT

The popularity of the Android operating system has itself become a reason for privacy concerns. To deal with such malware threats, researchers have proposed various detection approaches using static and dynamic features. Static analysis approaches are the most convenient for practical detection. However, several patterns of feature usage were found to be similar in the normal and malware datasets. Such high similarity in both datasets’ feature patterns motivates us to rank and select only the distinguishing set of features. Hence, in this study, we present a novel Android malware detection system, termed as PHIGrader for ranking and evaluating the efficiency of the three most commonly used static features, namely permissions, intents, and hardware components, when used for Android malware detection. To meet our goals, we individually rank the three feature types using frequency-based Multi-Criteria Decision Making (MCDM) techniques, namely TOPSIS and EDAS. Then, the system applies a novel detection algorithm to the rankings involving machine learning and deep learning classifiers to present the best set of features and feature type with higher detection accuracy as an output. The experimental results highlight that our proposed approach can effectively detect Android malware with 99.10% detection accuracy, achieved with the top 46 intents when ranked using TOPSIS, which is better than permissions, hardware components, or even the case where other popular MCDM techniques are used. Furthermore, our experiments demonstrate that the proposed system with frequency-based MCDM rankings is better than other statistical tests such as mutual information, Pearson correlation coefficient, and t-test. In addition, our proposed model outperforms various popularly used feature ranking methods such as Chi-square, Principal Component Analysis (PCA), Entropy-based Category Coverage Difference (ECCD), and other state-of-the-art Android malware detection techniques in terms of detection accuracy.

1. Introduction

In the present age and time, there exists an app for almost every diversified service required by man, such as online shopping, social networking, positioning, and navigation. As the statistics report, the Google Play Store, which now serves as an official app store for the Android operating system, has witnessed a huge rise in the number of applications over the span of 14 years. If we take a closer look at the numbers, it has grown from 16 thousand applications in 2009 to 3.553 million applications until 2023, i.e., a huge increase of 3.537 million.² Android dominates the market share with a whopping 68.79% of the total smartphones being used worldwide, followed by Apple iOS with around 30% share.³ The openness and popularity of Android makes it the primary target of malicious attackers who attempt to steal private information, transfer credit into their account by subscribing to premium services, start unwarranted premium-rate subscriptions of SMS services, or even commit advanced frauds.

Requirement of Android Malware Detection Systems

In simple words, mobile malware can be defined as any type of malicious code designed specifically to disrupt the functionality and integrity of a mobile system without the user’s consent. The ‘‘Quick Heal Annual Threat Report 2022’’ shows that there were 1,11,894 malware detections in 2022, which accounts for 1 malware per minute,⁴ and these numbers are expected to steadily grow in the coming years, especially due to the trend of mobile banking and electronic payment, to perform various illegal acts such as malicious charges, system damages, and privacy breaches. The most common malware types include

∗ Corresponding author.
E-mail addresses: [email protected] (Y. Sharma), [email protected] (A. Arora).
¹ These authors contributed equally to this work.
² https://www.bankmycell.com/blog/number-of-google-play-store-apps/
³ https://gs.statcounter.com/os-market-share/mobile/worldwide
⁴ https://www.quickheal.co.in/documents/threat-report/

https://doi.org/10.1016/j.jnca.2024.104021
Received 30 October 2023; Received in revised form 5 August 2024; Accepted 4 September 2024
Available online 6 September 2024
1084-8045/© 2024 Elsevier Ltd. All rights are reserved, including those for text and data mining, AI training, and similar technologies.
Y. Sharma and A. Arora Journal of Network and Computer Applications 232 (2024) 104021

Table 1
Top 20 most frequently requested permissions from both normal and malware datasets with their corresponding frequency.
| Permissions (normal dataset) | Normal frequency | Permissions (malware dataset) | Malware frequency |
|---|---|---|---|
| INTERNET | 55063 | INTERNET | 55684 |
| ACCESS_NETWORK_STATE | 52391 | ACCESS_NETWORK_STATE | 55252 |
| WRITE_EXTERNAL_STORAGE | 38934 | WRITE_EXTERNAL_STORAGE | 54759 |
| WAKE_LOCK | 32527 | ACCESS_WIFI_STATE | 53886 |
| ACCESS_WIFI_STATE | 28554 | READ_PHONE_STATE | 53586 |
| RECEIVE | 23875 | READ_EXTERNAL_STORAGE | 46646 |
| READ_EXTERNAL_STORAGE | 22516 | WAKE_LOCK | 44003 |
| VIBRATE | 20472 | GET_TASKS | 43399 |
| ACCESS_FINE_LOCATION | 16968 | CHANGE_WIFI_STATE | 43165 |
| ACCESS_COARSE_LOCATION | 16650 | ACCESS_COARSE_LOCATION | 42425 |
| RECEIVE_BOOT_COMPLETED | 16519 | VIBRATE | 42325 |
| CAMERA | 14993 | MOUNT_UNMOUNT_FILESYSTEMS | 41324 |
| READ_PHONE_STATE | 14176 | ACCESS_FINE_LOCATION | 40720 |
| C2D_MESSAGE | 12342 | WRITE_SETTINGS | 39497 |
| BIND_GET_INSTALL_REFERRER_SERVICE | 10593 | SYSTEM_ALERT_WINDOW | 38594 |
| BILLING | 9905 | CAMERA | 36115 |
| FOREGROUND_SERVICE | 9587 | CHANGE_NETWORK_STATE | 30874 |
| GET_ACCOUNTS | 7806 | RECEIVE_BOOT_COMPLETED | 29441 |
| WRITE_SETTINGS | 7258 | READ_LOGS | 29112 |
| BLUETOOTH | 5820 | RECORD_AUDIO | 27010 |
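
The overlap in Table 1 can be checked directly, and scoring each shared permission on both class frequencies at once shows why raw frequency alone is a poor discriminator. The following is an added example, not code from the paper: it applies textbook TOPSIS to the permissions that appear in both top-20 lists, and the two-criterion decision matrix (malware count as benefit, normal count as cost) and the equal weights are assumptions, because this part of the paper does not give PHIGrader's own matrix or weights.

```python
import math

# Counts copied from Table 1 (top 20 permissions per class).
NORMAL_TOP20 = {
    "INTERNET": 55063, "ACCESS_NETWORK_STATE": 52391,
    "WRITE_EXTERNAL_STORAGE": 38934, "WAKE_LOCK": 32527,
    "ACCESS_WIFI_STATE": 28554, "RECEIVE": 23875,
    "READ_EXTERNAL_STORAGE": 22516, "VIBRATE": 20472,
    "ACCESS_FINE_LOCATION": 16968, "ACCESS_COARSE_LOCATION": 16650,
    "RECEIVE_BOOT_COMPLETED": 16519, "CAMERA": 14993,
    "READ_PHONE_STATE": 14176, "C2D_MESSAGE": 12342,
    "BIND_GET_INSTALL_REFERRER_SERVICE": 10593, "BILLING": 9905,
    "FOREGROUND_SERVICE": 9587, "GET_ACCOUNTS": 7806,
    "WRITE_SETTINGS": 7258, "BLUETOOTH": 5820,
}
MALWARE_TOP20 = {
    "INTERNET": 55684, "ACCESS_NETWORK_STATE": 55252,
    "WRITE_EXTERNAL_STORAGE": 54759, "ACCESS_WIFI_STATE": 53886,
    "READ_PHONE_STATE": 53586, "READ_EXTERNAL_STORAGE": 46646,
    "WAKE_LOCK": 44003, "GET_TASKS": 43399,
    "CHANGE_WIFI_STATE": 43165, "ACCESS_COARSE_LOCATION": 42425,
    "VIBRATE": 42325, "MOUNT_UNMOUNT_FILESYSTEMS": 41324,
    "ACCESS_FINE_LOCATION": 40720, "WRITE_SETTINGS": 39497,
    "SYSTEM_ALERT_WINDOW": 38594, "CAMERA": 36115,
    "CHANGE_NETWORK_STATE": 30874, "RECEIVE_BOOT_COMPLETED": 29441,
    "READ_LOGS": 29112, "RECORD_AUDIO": 27010,
}


def shared_features(normal, malware):
    """Features present in both per-class top lists, sorted by name."""
    return sorted(set(normal) & set(malware))


def rank_by_frequency_gap(normal, malware):
    """Shared features ordered by |malware count - normal count|, largest first."""
    gaps = [(f, abs(malware[f] - normal[f])) for f in shared_features(normal, malware)]
    return sorted(gaps, key=lambda item: item[1], reverse=True)


def topsis(alternatives, weights, benefit):
    """Textbook TOPSIS.

    alternatives: {name: [value per criterion]}
    weights:      per-criterion weights
    benefit:      per-criterion flag, True if larger is better
    Returns [(name, closeness)] sorted from most to least preferred.
    """
    names = list(alternatives)
    n_crit = len(weights)
    # Step 1: vector-normalise every criterion column, then apply the weights.
    norms = []
    for j in range(n_crit):
        norm = math.sqrt(sum(alternatives[a][j] ** 2 for a in names))
        norms.append(norm or 1.0)  # an all-zero column stays all zero
    v = {a: [weights[j] * alternatives[a][j] / norms[j] for j in range(n_crit)]
         for a in names}
    # Step 2: ideal best and ideal worst value per criterion.
    best, worst = [], []
    for j in range(n_crit):
        column = [v[a][j] for a in names]
        best.append(max(column) if benefit[j] else min(column))
        worst.append(min(column) if benefit[j] else max(column))
    # Step 3: Euclidean distance to both ideals and relative closeness.
    scored = []
    for a in names:
        d_best = math.dist(v[a], best)
        d_worst = math.dist(v[a], worst)
        total = d_best + d_worst
        scored.append((a, d_worst / total if total else 0.0))
    return sorted(scored, key=lambda item: item[1], reverse=True)


def rank_permissions():
    """Rank the shared Table 1 permissions with the assumed decision matrix."""
    shared = shared_features(NORMAL_TOP20, MALWARE_TOP20)
    # Assumption: criterion 0 = malware count (benefit), criterion 1 = normal count (cost).
    matrix = {p: [MALWARE_TOP20[p], NORMAL_TOP20[p]] for p in shared}
    return topsis(matrix, weights=[0.5, 0.5], benefit=[True, False])


if __name__ == "__main__":
    print("shared:", len(shared_features(NORMAL_TOP20, MALWARE_TOP20)))
    for name, score in rank_permissions():
        print(f"{score:.3f}  {name}")
```

INTERNET, the most frequent permission in both classes, ends up last in this ranking, while READ_PHONE_STATE, which is far more common in the malware list than in the normal list, ends up first.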

ransomware, trojans, worms, spyware, rootkits, and botnets (Alazab, 2015).

Steps taken against Malware

To deal with the ever-rising threats of mobile malware, several well-known detection and analysis models have been proposed over the past 14 years. These models broadly fall under three categories: static analysis, dynamic analysis, and hybrid analysis. Static analysis investigates malware without real code or instructions being executed. This approach is capable of extracting essential information without executing any program and is highly efficient. It provides basic information about application functionality and collects technical indicators, which may include file names, permissions requested, intents, hardware components, and libraries. Unlike static analysis, dynamic analysis requires the execution of the application and further monitoring of abnormalities at runtime. Hybrid analysis integrates the merits of both static and dynamic analyses. As our underlying goal is to identify malware, instead of capturing cover taints, our focus will be completely on static analysis using only manifest file components such as permissions, intents, and hardware components.

Motivation: Among all the components present within the manifest file of an Android application, the most important and influential are permissions, intents, and hardware components. These static features have been widely used in the literature for Android malware detection. However, there are many similarities in the feature usage patterns of normal and malicious apps. Tables 1–3, respectively, summarize the top 20 permissions, intents, and hardware components based on their frequency in the normal and malware datasets.

We collected 77,000 normal apps and an equal number of malware apps from Androzoo. More details about the dataset are discussed in the upcoming sections. Furthermore, we extracted permissions, intents, and hardware components from the manifest files of the corresponding applications. As shown in Table 1, 13 of the top 20 permissions are common in both normal and malware datasets. Similarly, Tables 2 and 3 highlight that seven out of the top 20 intents and 16 out of the 20 hardware components are common in both datasets. Such similarity in these features across both datasets motivates us to rank the features to propose an efficient detection model with distinguishing features. For instance, the Android operating system has more than 150 permissions; if we use all of them as features, irrelevant features will hamper detection accuracy. Hence, feature reduction is a key process in developing a detection algorithm. Moreover, the field of Android security revolves around accuracy; the better the accuracy of detecting malware, the better the detection system, and the best accuracy can only be obtained by using the best set of features. Hence, feature ranking is a key aspect of our research.

Several related works, such as Zhu et al. (2023), Rana and Sung (2020), and Wang et al. (2018), have used static features to frame their Android malware detection models. If we take a closer look at them, we observe that Zhu et al. (2023) chose static analysis to build their detection model using features such as permissions and hardware components, etc. to be fed into their Convolutional Neural Network (CNN)-based multi-Head Squeeze and Excitation Residual block (MSer) and staged it to construct a deep network called MSerNet. Rana and Sung (2020) focused on static features such as permissions, intents, and other hardware components to create functions based on features that extract the most useful information to facilitate detection. Consequently, they developed a dictionary of these most useful features to generate a feature vector that could be fed into various classifiers. Wang et al. (2018) proposed a detection model using an ensemble of string-based and structural-based features such as permissions, intents, hardware components, and code patterns. To showcase the detection results of the proposed model, various machine learning classifiers with a single feature type and an ensemble of both feature types were used.

None of the above works used the key concept of ranking the features and hence, missed the feature reduction step, which could have enhanced the quality of their results. However, in some works such as Xie et al. (2019) and Wang et al. (2016), the authors did rank the features and even the combination of features in some cases. Xie et al. (2019) proposed an analysis-based approach to fingerprint Android malware families for describing the different behaviors. They extracted permissions, API calls, and hardware components, ranked them on the basis of the Fisher score and frequency-based methods, and chose the top 20 features to be used for fingerprinting. Wang et al. (2016) ranked the features using the absolute frequency rate difference between the malware and benign datasets. In particular, they used permissions and hardware components to create a feature vector. However, both studies were implemented on a smaller set of applications compared with the huge dataset in our proposed study. More importantly, our work outperforms both in terms of detection accuracy.

Using static features such as permissions, intents, and hardware components has always been a simple yet effective approach to detect malicious applications. However, it all comes down to choosing the right set of features and the feature type. Hence, in this paper, we aim to analyze the effectiveness of the above-mentioned three most commonly used static features in Android malware detection while taking their frequency as weight inputs and further ranking them using a couple of Multi-Criteria Decision Making (MCDM) techniques. The following research questions emerge considering the proposed detection model based on the ranking of features:


Table 2
Top 20 most frequently requested intents from both normal and malware datasets with their corresponding frequency.
| Intents (normal dataset) | Normal frequency | Intents (malware dataset) | Malware frequency |
|---|---|---|---|
| MAIN | 55919 | MAIN | 55832 |
| LAUNCHER | 55902 | LAUNCHER | 55769 |
| RECEIVE | 22667 | DEFAULT | 45689 |
| DEFAULT | 21291 | VIEW | 35548 |
| VIEW | 18922 | BROWSABLE | 33915 |
| BROWSABLE | 17545 | USER_PRESENT | 33108 |
| BOOT_COMPLETED | 16510 | PACKAGE_REMOVED | 26806 |
| REGISTRATION | 8256 | BOOT_COMPLETED | 26645 |
| ACTION_POWER_DISCONNECTED | 7318 | PACKAGE_ADDED | 21111 |
| ACTION_POWER_CONNECTED | 6690 | REGISTRATION | 16609 |
| LEANBACK_LAUNCHER | 6171 | REGISTER | 14419 |
| TIME_SET | 5989 | NOTIFICATION_RECEIVED_PROXY | 14139 |
| TIMEZONE_CHANGED | 5937 | PushService | 14004 |
| BATTERY_LOW | 5798 | REPORT | 13998 |
| BATTERY_OKAY | 5788 | PUSH_TIME | 13998 |
| DEVICE_STORAGE_LOW | 5750 | NOTIFICATION_OPENED | 13019 |
| DEVICE_STORAGE_OK | 5748 | MESSAGE_RECEIVED | 13016 |
| MEDIA_BUTTON | 4932 | NOTIFICATION_RECEIVED | 12957 |
| QUICKBOOT_POWERON | 4730 | DaemonService | 12488 |
| MY_PACKAGE_REPLACED | 4131 | CONNECTION | 12252 |

Table 3
Top 20 most frequently requested hardware components from both normal and malware datasets with their corresponding frequency.
| Hardware components (normal dataset) | Normal frequency | Hardware components (malware dataset) | Malware frequency |
|---|---|---|---|
| camera | 12337 | camera | 21063 |
| touchscreen | 12147 | Camera.autofocus | 19080 |
| Camera.autofocus | 10446 | camera.flash | 3288 |
| touchscreen.multitouch | 8999 | nfc.hce | 2324 |
| touchscreen.multitouch.distinct | 8765 | touchscreen | 2101 |
| location.GPS | 7468 | camera.front | 2040 |
| location.network | 7103 | wifi | 1694 |
| location | 6223 | touchscreen.multitouch | 1334 |
| screen.landscape | 5002 | location.GPS | 1262 |
| telephony | 4725 | touchscreen.multitouch.distinct | 1256 |
| wifi | 4484 | microphone | 1219 |
| screen.portrait | 4136 | screen.landscape | 1196 |
| sensor.accelerometer | 3892 | sensor.accelerometer | 1111 |
| vulkan | 3235 | bluetooth_le | 855 |
| camera.flash | 2892 | location.network | 825 |
| camera.front | 2722 | telephony | 674 |
| microphone | 2216 | autofocus | 567 |
| bluetooth | 2194 | location | 413 |
| bluetooth_le | 1087 | camera2.full | 297 |
| NFC | 811 | usb.action.USB_STATE | 264 |

• RQ1 Where does the need for ranking the features arise and subsequently, what is the significance of feature reduction compared with feeding all the features as inputs at once?
• RQ2 How to rank features, i.e., how to incorporate feature ranking?
• RQ3 How to devise a detection approach using the ranked features?
• RQ4 Which feature among the most commonly used AndroidManifest file components gives the best detection accuracy?

We are driven by the goal of answering the research questions mentioned above and at the same time forming an Android malware detector, named PHIGrader. We used a frequency-based multi-criteria decision-making (MCDM) approach to rank the three most commonly used static feature types, namely permissions, intents, and hardware components. We identified the best feature type and the best feature set for Android malware detection among the commonly used AndroidManifest file components. For this purpose, we applied two MCDM techniques individually to all three feature types. We attempted to implement the MCDM techniques because of their numerous advantages, such as a simple yet quick computing process and the ability to work with a vast dataset such as ours. Moreover, these techniques have a rational and comprehensive logic that works best when a fundamental ranking of alternatives is needed. Furthermore, we have proposed a novel detection algorithm that uses feature rankings formulated from frequency-based MCDM techniques and applies various machine learning and deep learning techniques to detect Android malware effectively. The work proposed in this study uses a mix of old and recent datasets for evaluation. Our detection results outperform several state-of-the-art techniques proposed in related areas of research. Moreover, our experiments indicate that the proposed frequency-based MCDM approach gives us better accuracy than the popularly used feature ranking methods such as Chi-square, Principal Component Analysis (PCA), Entropy-based Category Coverage Difference (ECCD) and also better than other statistical tests such as mutual information, Pearson correlation coefficient, and T-test, which have been used in Wang et al. (2014) when we evaluate them against the same dataset of normal and malware apps.

Contributions: The major contributions of this study are as follows:

• Initially, we ranked the three feature sets of permissions, intents, and hardware components individually in order of their frequency difference between the malware and normal training datasets to assign frequency-based weights to each feature.
• Next, we apply two MCDM techniques to the three weighted feature sets and rank them according to their preference score.
• We proposed a novel algorithm that uses the individual rankings of permissions, intents, and hardware components described by MCDM techniques to develop an efficient Android malware detection system.
• We recognized that the detection results of the proposed approach are better than those of various state-of-the-art techniques existing in the literature for Android malware detection.

Organization: The rest of the paper is structured as follows. First, we discuss related work in Section 2. Then, we explain in detail the proposed methodology in Section 3 and discuss the feature ranking results in Section 4. Finally, we present the detection results from the proposed model in Sections 5 and 6. A comparison of our proposed model with the existing literature in the corresponding field and a discussion of some limitations is presented in Section 7. Finally, we conclude the paper with future work directions in Section 8.

2. Related work

This section reviews related works proposed in the literature for Android malware detection. In particular, we review works that have used permissions, intents, hardware components, and other static features or AndroidManifest file components for malware analysis/detection. Apart from the works revolving around static features, researchers and practitioners have also used dynamic features such as network traffic (Wang et al., 2019)–(Shabtai et al., 2014), system calls (Singh and Hofmann, 2017)–(Jaiswal et al., 2018), cryptographic and network operation (Feng et al., 2018) etc. to propose dynamic Android malware detection techniques in the literature. Extracting and analyzing dynamic features is complex and time-consuming. Moreover, while extracting dynamic features, some stealthier malware samples detect the emulated Android environment and hence may not generate dynamic logs. Therefore, we developed a static malware detector for Android. Because our proposed model analyzes static features, i.e., permissions, intents, and hardware components, our focus is limited to discussing static works. We divide the related works into two categories: detection techniques based on feature ranking and methods that have not applied any feature ranking for malware detection.

2.1. Detection techniques with feature ranking

First, we discuss the methods that have applied any feature ranking technique for Android malware detection.

Bhat and Dutta (2022) extracted permissions and various other features in the data collection step. To reduce the feature set, infrequent features or common features in both classes were removed because they were insufficiently informative. Moreover, they ranked the features based on their information gain scores to choose the optimum set. Finally, they used machine learning classifiers to showcase their detection results. Sheen et al. (2015) proposed a multi-feature collaborative decision fusion method to club the decisions predicted by various classifiers and for various features such as permissions and API calls. The authors also used several feature ranking methods, such as chi-square, relief, and information gain, to reduce the feature set before the testing phase. Song et al. (2016) matched the dangerous permissions, their combinations, and other malicious features with permissions requested by unknown applications to generate a detection report and submit it to the user. Based on these results, they built a threat degree threshold model for detecting malicious behavior.

Thiyagarajan et al. (2020) emphasized the importance of reducing the features; hence, they extracted permissions, and for pruning the dataset, they removed the permissions based on low frequency, support value of the features, associativity between them, chi-square, and principal component analysis (PCA). Finally, they fed the results to a decision tree classifier to classify applications as normal or malware. Altaher (2017) aimed upon using a better alternative than signature-based classifiers; hence, he extracted permissions and fed them into an evolving hybrid neuro-fuzzy classifier using an improved clustering-based method namely Dynamic evolving neuro-fuzzy inference system (DENFIS) after reducing the permission set using the information gain ratio technique. Mahindru and Sangal (2021a) extracted features such as permissions and API calls to build a detection system using various machine learning algorithms, including supervised, unsupervised, semi-supervised, and hybrid learning classifiers. The authors used ten distinct feature selection and ranking techniques to deal with the dimensionality issue and reduced the feature set.

Dehkordy and Rasoolzadegan (2021) addressed the issue of balancing the dataset before detection using techniques such as the synthetic minority oversampling technique (SMOTE), random undersampling, and a hybrid method involving both to balance the huge dataset of ten types of features. In addition, they reduced the dataset using frequency ranking-based methods and further used machine learning classifiers for detection after balancing the dataset. Nguyen et al. (2022) extracted 12 types of features, categorized them into three groups, and further reduced the feature set using a support vector machine (SVM), deep neural network (DNN), and analysis of variance (ANOVA). After reducing the set, the authors fed the group results individually as multiple inputs to the DNN to later combine into one final DNN to learn the abstract of each feature vector before making the final decision. Taheri et al. (2021) proposed a couple of defense methods, particularly for adversarial attacks, using robust-NN and C4N CNN algorithms and feature sets including API and permissions.

Firdaus et al. (2018) took a different approach by extracting permissions and rare features such as directory paths and telephony. Furthermore, after ranking and reducing the feature set using information gain and frequency-based methods, the results were fed to various bio-inspired artificial neural network classifiers, namely multilayer perceptron (MLP), voted perceptron (VP), and radial basis function network (RBFN). Varsha et al. (2017) extracted permissions, opcode, and various other manifest file features to build a detection model. The authors used various feature ranking and selection techniques, such as naive Bayes (NB), weight calculation, entropy-based Category Coverage Difference (ECCD), and Weighted Mutual Information (WI), to reduce the feature set, choose the most relevant features, and fed them to various machine learning classifiers. Deypir (2019) proposed a permission analysis method based on information theory principles. Rather than using the information gain score for pattern classification, the author used information gain risk scores of Android apps to identify malicious apps. In detail, he described an entropy-based method to calculate the information gain score for permission and the corresponding risk score for an application for malware detection.

Mahindru and Sangal (2021b) extracted features such as permissions and API calls, rating, and the number of users downloading the app to build a detection system using various unsupervised machine learning algorithms. The authors used ten distinct feature selection and ranking techniques to deal with the dimensionality issue and reduced the feature set. Xie et al. (2019) proposed an analysis-based approach to fingerprint Android malware families to describe their different behaviors. For this, they extracted permissions, API calls, and hardware components, ranked them based on Fisher score and frequency-based methods, and chose the top 20 features to be used for fingerprinting. Lastly, they used an SVM machine learning classifier to check the efficiency of their proposed approach. AlJarrah et al. (2022) extracted permissions, API calls, and contextual information, tackled the dimensionality problem using Information Gain, and fed the features to various machine learning algorithms.

Gharib and Ghorbani (2017) proposed a hybrid approach using permissions, API calls, and even strings and logos as part of static analysis and system calls as part of dynamic analysis. They further fed the features to a deep autoencoder (DAE) to learn and make predictions for the test samples. Sun et al. (2017a) proposed a non-parametric learning framework using the positive and unlabeled (PU) learning method to learn and detect malware after removing irrelevant features using frequency ratio criteria and PCA techniques. Finally, they
compared the results of their PU learning approach with those of other machine learning classifiers and approaches. Li et al. (2018) worked on ranking the permissions that are being used in only one type of dataset, either normal or malware applications, using the frequency method. Wang et al. (2014) studied the permission-induced risk in Android applications by ranking features using mutual information, t-test, and correlation coefficient, followed by identifying risky permission subsets from the rankings using PCA and sequential forward selection. They further applied various machine learning algorithms to evaluate the usefulness of the identified top risky permissions. Rathore et al. (2023) underscored the significance of feature reduction and ranking by employing an extensive array of feature sets. They proposed a robust feature reduction method that employs diverse classifiers and feature sets, encompassing permissions, intents, opcode sequences, and mutually exclusive and merged feature spaces. Despite a reduction of up to 90% in feature size, this impacted the original detection accuracy to some extent, but concurrently, it effectively streamlined test and training times.

Chaudhary and Masood (2023) adopted a comparative approach that used both the complete dataset and a reduced set achieved through the Chi-square feature reduction technique. Employing the CNN algorithm with the complete dataset of permissions and intents, they observed enhanced performance levels and reduced overheads in the case of the reduced dataset compared with the complete one. Rahima Manzil and Naik (2023) introduced a novel feature selection method involving the filtering of the most relevant set of permissions and intents using Hamming distance and threshold techniques. Subsequently, various classifiers, including machine learning, deep learning, and ensemble learning, were applied to detect Android ransomware and ransomware families. Seyfari and Meimandi (2023) used a variety of feature types and proposed a combination of the SA algorithm with fuzzy logic to address the challenge posed by several features. This combined approach proved to be capable of searching the solution neighborhood. They evaluated their method using traditional ML-based classifiers. Anupama et al. (2022) presented a hybrid approach using permissions and system calls, both individually and in combination, to construct a detection model employing various machine learning and deep learning classifiers.

Mahindru and Sangal (2022) selected Artificial Neural Networks (ANN), specifically self-organizing maps (SOMs), as the preferred classifier. They used permissions, API calls, user rating, and the number of user-downloaded apps as features to detect malware behavior. Six feature selection techniques were applied to enhance detection accuracy and reduce the number of features. In a separate work, Mahindru and Sangal (2021c) extracted features such as permissions and API calls to develop a detection system using the LSSVM learning approach with linear, radial basis, and polynomial kernel functions. They employed ten distinct feature selection and ranking techniques to address the dimensionality issue and reduce the feature set.

Popular feature ranking techniques such as Chi-square, Information Gain (IG), and Principal Component Analysis (PCA) have been widely used in the literature to rank the static features for Android malware detection. However, their drawbacks compared with MCDM techniques are still worth noting. The results produced using the above-mentioned techniques are known to be biased towards certain attributes. For instance, IG tends to favor attributes with several distinct values, whereas chi-square tests can be sensitive to sample size, leading to potentially biased results. Moreover, all such techniques maintain prior assumptions about the data, which is not an issue in the case of MCDM

frequency-based Multi-Criteria Decision-Making (MCDM) techniques to detect Android malware. In this study, we ranked the features using frequency-based MCDM techniques and proposed a novel algorithm to detect Android malware with the best features.

2.2. Detection techniques without feature ranking

In the literature, many techniques exist for Android malware detection that have not applied any feature ranking test, i.e., they do not aim to rank the features. In this subsection, we review all of these detection methods.

Wang et al. (2018) proposed a detection model using an ensemble of string-based and structural-based features, such as permissions, API calls, intents, hardware components, code patterns, and functional call graphs. To showcase the proposed model’s detection results, they used various machine learning classifiers with a single feature type and an ensemble of both feature types. Arshad et al. (2018) exploited the benefits of both static and dynamic analysis by proposing a hybrid detection model using permissions, hardware components, and various other features, including system calls and network addresses. The authors used both local and remote hosts to detect the malicious behavior of applications using several machine-learning algorithms. Guerra-Manzanares et al. (2021) identified the need for a dataset that includes both static and dynamic types of features along with other major information such as time stamps; hence, they prepared a huge dataset comprising benign as well as malware applications along with comprehensive information and time stamps about them.

OS et al. (2021) represented the permissions in the form of ontology graphs to understand the relationship between permissions, packages, and interface classes. However, graphs could not be taken as input; hence, using the BoG technique, they converted the graphs into vector-based features and reduced the dataset using feature selection methods such as particle swarm optimization (PSA), social spider algorithm (SSA), and gravitational search algorithm before applying the machine learning classifiers. Zhang et al. (2013) performed a dynamic taint analysis technique to completely identify both explicit and implicit permissions use points to further build a permission use graph with the behavior profiler module of the proposed system. The profiled permission graphs were later used to capture the behaviors of using permissions inside an application. Yang et al. (2022) proposed a method involving static analysis of permission-related API invocations and dynamic exploration to analyze permission-related behavior of the app using a locally exhaustive permission combination strategy that is also capable of simultaneously modifying permission combinations at runtime. The authors first constructed the State Transition Graphs (STGs) using the permissions and further fed them to the dynamic exploration module to implement the breadth-first search for UI exploration.

Qaisar and Li (2022) proposed a hybrid approach to extract and store features in a case base using case-based reasoning, which is a lazy learning approach capable of continuously learning. They used k-means clustering to find similarities between features and detect malware behavior. Appice et al. (2020) described a novel machine-learning approach for detection using clustering and classification. The authors used the clustering-based k-means++ algorithm to form separate clusters for each view, which were combined later using the stacking-based fusion method to learn the consensus malware detection pattern. Zhu et al. (2018) described their approach as a complete machine learning-based random forest approach, extracting four groups of features, namely permissions, permission rate, API calls, and system
methods. The latter has a simple yet quick computing process and the monitoring events. Finally, they compared the detection results of the
ability to work with a vast dataset such as ours. Moreover, MCDM RF classifier with those of the SVM classifier.
techniques have a rational and comprehensive logic that works best Su et al. (2020) extracted 11 types of features to obtain a large
when a fundamental ranking of alternatives is needed without making feature set. To tackle the dataset, they used a deep belief network
any prior assumptions about the dataset. learning model and obtained unique behavioral characteristics that
To the best of our knowledge, no other work has ranked static were used as input for the SVM machine learning classifier for detection
features, namely permissions, intents, and hardware components, using and classification. Mahesh and Hemalatha (2022) combined the CNN

classifier with an Adaptive Red Fox Optimization (ARFO) technique to propose a new approach for malware detection. To conduct their research, they extracted permissions and API calls and reduced the dataset using the Minmax technique. Shrivastava and Kumar (2022) extracted both clean and malware applications and defined frequency-based rules to compute a specific score for permissions and intents to predict the malicious risk level of any application.

Keyvanpour et al. (2023) mainly used three feature selection techniques on their extracted features, namely, permissions, API calls, intents, and hardware components, and reduced the set with the help of frequency-based, RF weigh-based, and feature group frequency-based methods and further fed the results to various machine learning classifiers. Razak et al. (2018) extracted permissions and reduced the feature set using bio-inspired Particle Swarm Optimization (PSO), evolutionary computation, and non-inspired information gain methods and further compared their performances. Finally, the authors fed the features to various machine-learning classifiers for detection. Mahindru and Sangal (2021d) proposed a static analysis approach that extracts permissions and API call features for detection. The authors further used the t-test and multivariate linear regression stepwise forward selection and cross-correlation methods to reduce the feature set. Finally, the results were fed to various machine learning and ensemble classifiers, such as radial basis function neural networks, using three different ensemble methods.

Alecakir et al. (2021) proposed an analysis approach using app descriptions and proposed two models, namely sentence-based and document-based, using a gated recurrent unit neural network and MLP classifier to correlate description semantics with permissions and to detect permission-related words in descriptions using a cognitive-inspired attention mechanism. Ali et al. (2020) proposed a model to restrict the misuse of permission usage by helping the user during permission installation. They extracted permissions along with other information such as rating and comments to predict and recommend the preferred application permissions to the user using the SVM classifier and compared the model using other forms of SVM and (Logistic Regression) LR classifier.

Sun et al. (2017b) extracted permissions, API calls, intents, and package names as keyword features and determined the correlation between them using the Keywords Correlation Distance (KCD) technique. The smaller the KCD, the closer the keywords. The extracted features are then utilized by the SVM classifier. Arp et al. (2014) performed static analysis using various features such as intents, permissions, hardware components, network addresses, app components, and API calls to build a detection model and address the limitations of static analysis. They proposed a detection system that could provide efficient runtime performance and worked on many malware datasets by mapping features to a joint vector space, where patterns and combinations were analyzed. Feldman et al. (2014) worked on using static features such as permissions, high-priority intent filter, and version numbers from the manifest file to build their detection model to classify the nature and app's specific category, namely adware, spyware, and SMS malware. Their experimental results indicate that only permission requests are not sufficient to detect malware; hence, they extended their study to network traffic features by analyzing malware applications such as HGSpy, Simplocker, and a Minimob variant.

The authors in Arora et al. (2019) used a different approach. Rather than using individual permission patterns, they focused on perm pairs to form graphs using permissions as vertices and the frequency of their occurrence as weights for edges for malware detection. They used three different malware datasets and a single normal dataset. Furthermore, they used an edge-eliminating method to remove permissions that do not positively affect accuracy, which helped reduce detection time and space.

Zhu et al. (2023) opted for static analysis in the development of their detection model. They leveraged permissions, API calls, and hardware features as inputs for their CNN-based multi-head Squeeze and Excitation Residual block (MSer). The model, named MSerNet, was constructed by staging these components to form a deep network. Similarly, Rathore et al. (2023) devised a defense strategy against adversarial malware. They crafted robust evasion attacks on permission- and intent-based models, which significantly disrupted the detection accuracy of traditional classifiers. Subsequently, they introduced "MalVpatch", a defense system that not only enhances detection accuracy but also substantially bolsters the adversarial robustness of malware detection models. Ravi and Chaganti (2023) underscored the prevalence of CNN-based models in Android malware detection. They employed 26 CNN-based pre-trained models for image-based detection and fused them with machine learning-based classifiers to create a resilient and versatile model.

Kaithal and Sharma (2023) enhanced the detection accuracy of traditional ML-based classifiers by incorporating Buffalo Fitness. They proposed a novel approach, the African Buffalo-based decision tree algorithm, which demonstrated high accuracy in detecting malware. Lee et al. (2022) stressed the significance of permission frequency in Android malware detection. They classified normal and malicious apps using ML-based detection techniques based on the frequency of permissions. Wu et al. (2023) deployed the Off framework using a DDQN algorithm based on a recurrent neural network as the decision network, achieving high performance without human intervention. İbrahim et al. (2022) used various static features, including permissions, API calls, receivers, and services. They proposed new features, such as file size and fuzzy hash values, and processed them using a deep learning model, comparing its efficiency with that of several other machine learning classifiers. Kabakus (2022) proposed a neural network-based model that uses one-dimensional data as input for training and testing. The features included intents, API calls, and permissions. Wang et al. (2022) analyzed permission sequences to build a static detection model for text-based binary classification. They further classified malware families by extracting memory features and constructing object reference graphs, demonstrating high-accuracy resistance to obfuscation attacks. Yuan et al. (2019) introduced a broad learning approach similar to a flat neural network with two hidden layers for lightweight on-device detection. They used features such as permissions, intent actions, and API calls, outperforming both shallow and some deep learning models in on-device training.

To the best of our knowledge, no other work has ranked the static features, namely permissions, intents, and hardware components, using frequency-based MCDM techniques. In this study, we first ranked the permissions, intents, and hardware components individually using frequency-based MCDM techniques and then proposed a novel detection algorithm that provides better detection accuracy with the best set of features and feature type. We describe our proposed methodology in the next section.

3. System design

In this section, we explain our proposed methodology in detail. Fig. 1 summarizes a brief yet complete idea of our proposed model PHIGrader, which is divided mainly into two phases. We refer to the first phase as the Ranking phase, which includes extracting features from the training dataset and ranking them using a couple of Multi-Criteria Decision-Making (MCDM) techniques. Such a feature ranking eliminates irrelevant features and filters out only the influential ones. In the Detection phase, we propose a novel algorithm that applies machine learning and deep learning classifiers to obtain the best features that can provide higher detection accuracy. We implemented the machine learning and deep learning classifiers with the Python programming language (Python, 2021). Further, we have used the Android Asset Packaging Tool (AAPT2) tool (footnote 5) to extract the list of features from normal as well as malware applications. We deployed them on a desktop system with the configuration of 8 GB RAM, i5-1135G7 CPU, Windows 11 OS.

The following subsections discuss in detail both phases of the proposed model.

Footnote 5: https://developer.android.com/studio/command-line/aapt2

Fig. 1. PHIGrader System Design.

3.1. Ranking phase

3.1.1. Dataset
To begin with, we needed a vast dataset of normal and malware applications to conduct our research. For this purpose, we downloaded 77,000 normal and 77,000 malware applications from Androzoo (Allix et al., 2016) dated between 2012 and 2020. Of these, we used 56,000 normal apps and 56,000 malware apps in the ranking phase. The remaining 21,000 normal and 21,000 malware apps were used in the detection phase. We term this dataset DATASET-1. In addition, we tested our approach on another unknown dataset containing more recent and stealthier malware samples detected between 2021 and 2022, named DATASET-2. The market used by Androzoo for normal applications is the Google Play Store, whereas the malware apps are from various sources such as "PlayDrone", "appchina", "anzhi", and "VirusShare". To create the normal dataset from Androzoo, we filtered out those apps that had VirusTotal (footnote 6) detection score of zero, i.e., the apps that were detected as malware by none of the antiviruses on VirusTotal. Furthermore, for the malware dataset, we filtered out those applications with a detection score of at least five, i.e., the apps detected as malware by at least five antiviruses on VirusTotal. With regard to the sizes of applications to be used, we settled on a range of APK sizes spanning from 1 byte to 8 GB to include applications of varying sizes and functionalities.

Footnote 6: https://www.virustotal.com/gui/home/upload

3.1.2. Feature extraction
Android OS uses the Android Package Kit (APK) file format, which contains several sub-files and folders that further include essential information such as the application's permissions and. The most commonly used language for writing the source code of an Android application is Java. Subsequently, the Java source codes are compiled and converted into executable Dalvik bytecodes. Among the several important files present inside the bundle, one is the AndroidManifest.xml file, which contains three of the most important features used in our detection model: permissions, intents, and hardware components. The process of extracting such information from the kit is called decompilation. Details about feature extraction are summarized below.

Fig. 2. Snapshot of permissions requested by WhatsApp Messenger app.

Fig. 3. Snapshot of intents requested by WhatsApp Messenger app.

Fig. 4. Snapshot of hardware components requested by Microsoft Edge Web Browser app.

1. Android Permissions: The Android permission check system requires application developers to declare the list of permissions that an application needs to invoke the Android API successfully. Hence, this manifest file contains a list of all Android permissions required to run the application efficiently. Permission is declared using the <uses-permission> tag within the manifest file. For example, as shown in Fig. 2, which is the snapshot of the AndroidManifest.xml file of "WhatsApp Messenger" app, requires permissions such as "READ_PHONE_STATE", "READ_PHONE_NUMBERS", "RECEIVE_SMS", "VIBRATE" and "AUTHENTICATE_ACCOUNTS" to execute on Android smartphones.
2. Android Intents: An Intent is a messaging object that a developer can use to request an action from another app component. For example, as shown in Fig. 3, which is the snapshot of the AndroidManifest.xml file of the "WhatsApp Messenger" app, which requires intents such as "REQUEST" and "DEFAULT" to execute on Android smartphones.
3. Hardware components: The hardware components, declared using the <uses-feature> tag, allow the declaration of the hardware components that an app needs. For example, as shown in Fig. 4, which is a snapshot of the AndroidManifest.xml file of the "Microsoft Edge Web Browser" app, hardware components such as
"location.gps", "camera", "microphone" and "touchscreen" are required to execute on Android smartphones.

We used the Android Asset Packaging Tool (AAPT2) tool (footnote 7) to extract the list of permissions, intents and hardware components from normal and malware applications. Initially, we extracted a substantial number of features for all three feature types, i.e., permissions, intents, and hardware components. However, we observed that many extracted features were requested by not more than 0.5% of the total applications in the dataset. To address this, we performed a pre-processing step known as data cleaning. In this step, we eliminated features requested by less than 0.5% of the combined total of 1,54,000 normal and malware applications. For instance, an Intent named "ACTION_ALARM_MSG" was present in only five out of the total 1,54,000 applications in the dataset. A Permission named "MODIFY_AUDIO_ROUTING" was present in six applications out of 1,54,000 applications. Hence, we eliminated such features. After performing such data cleaning, we were able to extract 129 permissions, 79 intents, and 88 hardware components. Finally, these three extracted lists of features, i.e., 129 permissions, 79 intents, and 88 hardware components were further used to generate a feature vector for each application in the feature representation process.

3.1.3. Feature representation
After extracting the list of features from the applications of our dataset, we create feature vector tables for their representation. The extracted features are represented using the One Hot Encoding method (footnote 8) to generate a feature vector for each app in both normal and malware datasets separately. The feature vector developed for each app is of the binary type, with a "1" for the features that the application requests and a "0" for the features that are not present within that app. In this way, we create six separate vector tables, normal and malware, for permissions, intents, and hardware components represented by $PnVT$, $PmVT$, $InVT$, $ImVT$, $HnVT$ and $HmVT$, respectively. For instance, if there are a total of five permissions, say $\langle P_1, \dots, P_5 \rangle$ and five intents say $\langle I_1, \dots, I_5 \rangle$ in the system, and any application $A_j$ has permissions $P_1$, $P_2$, $P_5$ and intents $I_3$, $I_4$, $I_5$, then the app $A_j$ is represented as "11001" and "00111" in $PnVT$ and $InVT$ respectively.

We observe that some features have a high frequency in normal or malware datasets. The frequency difference ($\Delta f$) between the malware ($M$) and normal datasets ($N$) for any feature ($f$) can provide valuable insights for feature ranking. Therefore, before applying the MCDM techniques to rank the features, we initially assign weights ($w(f)$) to all permissions, intents, and hardware components separately based on their frequency difference in malware and normal datasets. We subtract the frequency count of every feature type separately in the normal dataset from that of the malware set, as highlighted in Eq. (1), and sort them in descending order.

$$\Delta f = \mathrm{Freq}_M(f) - \mathrm{Freq}_N(f) \tag{1}$$

Next, we take the newly assigned weights based on the frequency difference for each feature in the malware and normal datasets. For instance, if there are "N" number of features, the top one-third of "N", after ranking based on the frequency difference between malware and normal datasets, will be assigned a weight of 1 and considered as malware-dominant features. Similarly, the bottom one-third of "N" will be assigned a weight of 3 and considered as normal dominant features. The remaining one-third will be given a weight of 2 as they show neutral dominance or preference.

$$w(f) = \begin{cases} 1 & \text{if } f \text{ is in top one-third of } N \\ 2 & \text{if } f \text{ is in middle one-third of } N \\ 3 & \text{if } f \text{ is in bottom one-third of } N \end{cases} \tag{2}$$

where N is the total number of ranked features.

After assigning weights to all features, for every occurrence of "1" for any feature, we replace "1" with its corresponding weight in all six vector tables. For instance, consider the same app $A_j$, which was initially represented as "11001" and "00111" in $PnVT$ and $InVT$ respectively. Suppose the weights for $P_1$, $P_2$, and $P_5$ are 1, 2, and 3, respectively, and the weights for $I_3$, $I_4$ and $I_5$ are 3, 2, and 1, then $A_j$ is represented as "12003" and "00321" in $PnVT$ and $InVT$ respectively. These vector tables function as decision matrices for our MCDM methods.

Footnote 7: https://developer.android.com/studio/command-line/aapt2
Footnote 8: https://scikit-learn.org/stable/modules/generated/sklearn.preprocessing.OneHotEncoder.html

3.1.4. Features ranking
Multi-Criteria Decision Making (MCDM) is one of the most accurate methods of decision making. MCDM considers different qualitative and quantitative criteria that need to be fixed to find the best alternative or choose the best feature. In simple words, MCDM deals with structuring and decision making when the data has manifold criteria and the decider needs to find the best alternative according to his/her preferences. The main steps of all MCDM problems are as follows: identifying the criteria, determining the weights for the criteria, and ranking the alternatives or features available in order of preference, followed by choosing the best or even opting for a subset from them. Furthermore, the goal of all MCDM problems is to define the alternatives or features as nondominant or influential. Several types of MCDM techniques work with a similar goal but differ in the complexity level of algorithms, weighting methods for criteria, way of representing preferences evaluation criteria, uncertain data possibility, and finally, data aggregation type. In our study, we used two different MCDM techniques to rank the extracted features individually in order of preference to depict the application of MCDM in Android malware detection. More information about the techniques used in our study is given below:

1. TOPSIS - The Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) (Papathanasiou et al., 2018) is a multi-criteria decision analysis method based on the assumption that the best alternative should have the least geometric distance from the Positive Ideal Solution (PIS) and the longest geometric distance from the Negative Ideal Solution (NIS). TOPSIS is used for comparing a set of alternatives by normalizing scores for each criterion, describing the geometric distance between each alternative and the ideal alternative, and finally, giving out the best alternative as the final result. The complete steps in a typical TOPSIS application are described below for an MCDM problem defined on $m$ alternatives and $n$ decision criteria:

Step 1 - The normalization method to produce the normalized decision matrix $r_{ij}$.

$$r_{ij} = x_{ij} \Big/ \sqrt{\sum_{1}^{n} x_{ij}^{2}} \tag{3}$$

where $x_{ij}$ is the performance value of alternative $i$ when evaluated in terms of criterion $j$.

Step 2 - The weights $w_{ij}$ are assigned to various criteria according to their respective importance or contribution.

$$w_{ij}, \quad j = 1, 2, \dots, n \tag{4}$$

$$\sum_{1}^{n} w_j = 1, \quad j = 1, 2, \dots, n \tag{5}$$

Step 3 - The weighted normalized value $v_{ij}$ can be computed by calculating the product of the normalized decision matrix $r_{ij}$ and the associated weights $w_{ij}$.

$$v_{ij} = w_{ij} \times r_{ij} \tag{6}$$
Step 4 - Determine the positive-ideal solution and negative-ideal solution.

$$A^{*} = \left\{ \left( \max v_{ij} \mid j \in J \right), \left( \min v_{ij} \mid j \in J' \right) \right\} \tag{7}$$

$$A^{-} = \left\{ \left( \min v_{ij} \mid j \in J \right), \left( \max v_{ij} \mid j \in J' \right) \right\} \tag{8}$$

for $J = 1, 2, 3, \dots, n$, where $J$ is associated with the benefit criteria. $J' = 1, 2, 3, \dots, n$ where $J'$ is associated with the cost criteria.

Step 5 - Calculate the separation measure. The separation of each alternative from the positive ideal is given by:

$$S_i^{*} = \sqrt{\sum_{j=1}^{n} \left( v_{ij} - v_j^{*} \right)^{2}} \tag{9}$$

where $i = 1, 2, \dots, m$.

Similarly, the separation of each alternative from the negative ideal is given by:

$$S_i^{-} = \sqrt{\sum_{j=1}^{n} \left( v_{ij} - v_j^{-} \right)^{2}} \tag{10}$$

where $i = 1, 2, \dots, m$.

Step 6 - Calculate the relative closeness to the ideal solution. The relative closeness of $A_i$ with respect to $A^{*}$ is defined as follows:

$$C_i^{*} = S_i^{-} \big/ \left( S_i^{*} + S_i^{-} \right), \quad 0 \le C_i^{*} \le 1 \tag{11}$$

where $i = 1, 2, \dots, m$.

We assumed permissions as $i$ (alternatives) and applications as $j$ (criteria). Because each application contributes equally to the decision-making process, we assign equal weights ($w_j$) to all applications. To ensure that the summation of all weights is 1, each application is assigned a weight of 1 divided by the total number of applications, as highlighted in Eq. (12). This means that each application now contributes proportionally to the overall assessment, reflecting their equal significance in the problem domain.

$$w_j = \frac{1}{n}, \quad \sum_{j=1}^{n} w_j = 1 \tag{12}$$

The larger the $C_i^{*}$ value (preference score), the better the performance of the alternatives.

$$\mathrm{Performance}(i) \propto C_i^{*} \tag{13}$$

In our case, we applied TOPSIS on $PnVT$ and $PmVT$ vector tables separately using the weights $w$ to compute the normal preference score ($C_{n_i}^{*}$ values) and malware preference score ($C_{m_i}^{*}$ values) for each permission feature.

$$C_{n_i}^{*} = \mathrm{TOPSIS}(PnVT, w), \quad i = 1, 2, \dots, m \tag{14}$$

$$C_{m_i}^{*} = \mathrm{TOPSIS}(PmVT, w), \quad i = 1, 2, \dots, m \tag{15}$$

Further, we calculate the difference ($D_i$) between the malware and normal preference scores for each permission.

$$D_i = C_{m_i}^{*} - C_{n_i}^{*}, \quad i = 1, 2, \dots, m \tag{16}$$

Note that the permission with the highest difference between malware and normal preference score will be the best and most preferred feature. Hence, in the last step, we rank the permissions in decreasing order of $D_i$ values to obtain the TOPSIS-ranked permissions list.

$$\mathrm{Rank}(i) = \mathrm{sort}(D_i, \text{descending}) \tag{17}$$

We apply all the above-mentioned steps on $InVT$ and $ImVT$ too in order to compute the TOPSIS-ranked intents list and similarly on $HnVT$ and $HmVT$ to compute the TOPSIS-ranked hardware components list.

2. EDAS - Evaluation based on Distance from Average Solution (EDAS) (Yalçin and Nuşin, 2019) is another commonly used MCDM technique. The output, i.e., the best alternative, of the EDAS is determined on the basis of the distances of the alternatives from an average solution. Moreover, as the average solution is determined with the help of the arithmetic mean, the EDAS method proves to be quite efficient in dealing with stochastic problems. The highest final normalized score $AS_i$ gives the best alternative of the proposed ones. The complete steps for an EDAS application are as follows:

Step 1 - After developing the decision matrix, determine the average solution according to all criteria as follows:

$$AV = \left[ AV_j \right]_{1 \times n} \tag{18}$$

where,

$$AV_j = \frac{\sum_{i=1}^{m} x_{ij}}{m} \tag{19}$$

Step 2 - Calculate the positive distance matrix $[PDA_{ij}]_{m \times n}$ from average and the negative distance matrix $[NDA_{ij}]_{m \times n}$ from the average matrices according to the type of criteria (benefit or cost) as follows:

if $j$th criterion is beneficial,

$$PDA_{ij} = \frac{\max\left(0, \left(x_{ij} - AV_j\right)\right)}{AV_j}, \tag{20}$$

$$NDA_{ij} = \frac{\max\left(0, \left(AV_j - x_{ij}\right)\right)}{AV_j}, \tag{21}$$

if $j$th criterion is cost,

$$PDA_{ij} = \frac{\max\left(0, \left(AV_j - x_{ij}\right)\right)}{AV_j}, \tag{22}$$

$$NDA_{ij} = \frac{\max\left(0, \left(x_{ij} - AV_j\right)\right)}{AV_j} \tag{23}$$

where $PDA_{ij}$ and $NDA_{ij}$ denote the positive and negative distance of $i$th alternative from the average solution in terms of $j$th criterion, respectively.

Step 3 - Determine the weighted sum of PDA and NDA ($SP_i$ and $SN_i$) for all alternatives as follows:

$$SP_i = \sum_{j=1}^{n} w_j \, PDA_{ij} \tag{24}$$

$$SN_i = \sum_{j=1}^{n} w_j \, NDA_{ij} \tag{25}$$

where $w_j$ is the weight of $j$th criterion.

Step 4 - Normalize the values of $SP$ and $SN$ for all alternatives, shown as follows:

$$NSP_i = \frac{SP_i}{\max_i \left( SP_i \right)}, \tag{26}$$

$$NSN_i = 1 - \frac{SN_i}{\max_i \left( SN_i \right)}, \tag{27}$$

Step 5 - Calculate the appraisal score or preference score ($AS$) for all alternatives as follows:

$$AS_i = \frac{1}{2} \left( NSP_i + NSN_i \right), \tag{28}$$

where $0 \le AS_i \le 1$.
9
Y. Sharma and A. Arora Journal of Network and Computer Applications 232 (2024) 104021

The larger the 𝐴𝑆𝑖 value (preference score), the better the per- Algorithm 1 Proposed Malware Detection Algorithm
formance of the alternatives. 1: Input: 𝐹𝐿𝑖𝑠𝑡 ← Ranked feature List
2: Output: Best set of features with a higher detection rate
Performance(𝑖) ∝ 𝐴𝑆𝑖 (29) 3: 𝐵𝐹𝐿𝑖𝑠𝑡 ← Initialized as a copy of 𝐹𝐿𝑖𝑠𝑡
4: 𝐹𝑖 ← 𝑖th ranked feature in 𝐹𝐿𝑖𝑠𝑡
In our case, we applied EDAS on 𝑃 𝑛𝑉 𝑇 and 𝑃 𝑚𝑉 𝑇 vector tables 5: 𝑁 ← Number of features in 𝐹𝐿𝑖𝑠𝑡
separately using the weights 𝑤 to compute the normal preference 6: 𝐹𝑎𝑙𝑙 ← List of all features from testing dataset (non unique)
score (𝐴𝑆𝑛𝑖 values) and malware preference score (𝐴𝑆𝑚𝑖 values) 7: 𝐷𝑀𝑎𝑥 ← Maximum accuracy obtained, initialized to zero.
8: 𝐷𝐴𝑐𝑐 ← Accuracy obtained after each iteration.
for each permission feature while taking the same assumptions 9: for i ← 1 to N do
as TOPSIS, i.e., permissions as 𝑖 (alternatives) and applications 10: Copy 𝐹𝑁−𝑖+1 in 𝐹𝐿𝑖𝑠𝑡
as 𝑗 (criteria). 11: 𝐹𝑎𝑙𝑙 \{𝐹𝑁 upto 𝐹𝑁−𝑖+1 } // Delete all {𝐹𝑁 upto 𝐹𝑁−𝑖+1 } from
𝐹𝑎𝑙𝑙
𝐴𝑆𝑛𝑖 = EDAS(𝑃 𝑛𝑉 𝑇 , 𝑤), 𝑖 = 1, 2, … , 𝑚 (30) 12: Find 𝐷𝐴𝑐𝑐 using ML algorithms for features present in 𝐹𝑎𝑙𝑙
13: if 𝐷𝐴𝑐𝑐 > 𝐷𝑀𝑎𝑥 then
14: 𝐷𝐴𝑐𝑐 = 𝐷𝑀𝑎𝑥
15: 𝐵𝐹𝐿𝑖𝑠𝑡 \{𝐹𝑁 upto 𝐹𝑁−𝑖+1 } // Delete all {𝐹𝑁 upto 𝐹𝑁−𝑖+1 } from
𝐵𝐹𝐿𝑖𝑠𝑡
𝐴𝑆𝑚𝑖 = EDAS(𝑃 𝑚𝑉 𝑇 , 𝑤), 𝑖 = 1, 2, … , 𝑚 (31)
16: else exit
17: end if
Further, we calculate the difference (𝐷𝑖 ) between the malware
18: end for
and normal preference scores for each permission. 19: return 𝐷𝑀𝑎𝑥
20: return 𝐵𝐹𝐿𝑖𝑠𝑡
𝐷𝑖 = 𝐴𝑆𝑚𝑖 − 𝐴𝑆𝑛𝑖 , 𝑖 = 1, 2, … , 𝑚 (32)

Note that the permission with the highest difference between


malware and normal preference score will be the best and most
iterations 𝐵𝐹𝐿𝑖𝑠𝑡 will give us the best set of features to provide better
preferred feature. Hence, in the last step, we rank the permis-
detection accuracy.
sions in decreasing order of 𝐷𝑖 values to obtain the EDAS-ranked
permissions list. 𝐵𝐹𝐿𝑖𝑠𝑡 = 𝐹𝐿𝑖𝑠𝑡 (35)

Rank(𝑖) = sort(𝐷𝑖 , descending) (33) In the first iteration of the algorithm, we select the bottom-ranked
feature from 𝐹𝐿𝑖𝑠𝑡 . We then execute machine learning and deep learning
We apply all the above-mentioned steps on 𝐼𝑛𝑉 𝑇 and 𝐼𝑚𝑉 𝑇 too algorithms on the testing data after eliminating the bottom-ranked
in order to compute the EDAS-ranked intents list and similarly feature and considering only the rest of the features from the 𝐹𝐿𝑖𝑠𝑡 and
on 𝐻𝑛𝑉 𝑇 and 𝐻𝑚𝑉 𝑇 to compute the EDAS-ranked hardware observe the detection accuracy, say 𝐷𝐴𝑐𝑐 . The maximum accuracy, say
components list.

3.1.5. Machine learning and deep learning classifiers

We used several machine learning and deep learning classifiers (Witten and Frank, 2002) in our detection approach. We applied ten widely used techniques, namely Decision Trees (DT), Random Forest (RF), Bagging classifier (BC), Gaussian Naive Bayes (NB), Logistic Regression (LR), Support Vector Machine (SVM) as machine learning classifiers and Multilayer Perceptron (MLP), Convolutional Neural Network (CNN), Artificial Neural Networks (ANN), Dense Neural Network (DNN) as deep learning classifiers. For a detailed description of the classifiers used in this study, please refer to the Appendix.

All experiments with these classifiers were performed using ten-fold cross-validation (Fushiki, 2011). The code concludes by printing the cross-validation results, including the accuracy scores for each fold and the mean accuracy across all folds. This provides insights into the model's consistency and overall performance across diverse subsets of the dataset.

3.2. Detection phase

In response to our RQ3, i.e., how to devise a detection approach using the ranked features, this section describes our proposed detection algorithm termed Algorithm 1. As discussed in the previous subsection, we use the feature preference score computed separately for malware and normal datasets from a particular MCDM technique to further rank them in order of relevance. The higher the difference between the preference score values, the higher the relevancy. We aim to find the best set of features to provide better detection accuracy. $F_{List}$ represents the ranked features, i.e., permissions, intents, or hardware components in decreasing order of their computed difference.

$$F_{List} = \{f_1, f_2, \ldots, f_N\} \quad (34)$$

Since we will need to modify the $F_{List}$ based on the performance of the test set, we introduce another validation list with the name $BF_{List}$, which will be initialized as a copy of $F_{List}$ only. Eventually, after all

$D_{Max}$, is initialized to zero. At every iteration, we compare $D_{Acc}$ and $D_{Max}$. If the accuracy at the current iteration, i.e., $D_{Acc}$, is higher than $D_{Max}$, we proceed towards the next iteration and we set $D_{Max}$ as $D_{Acc}$ and at the same iteration only, we delete the bottom-ranked feature from the $BF_{List}$, leaving $N-1$ features in it. The following equations summarize the above-mentioned procedure.

$$\text{if } D_{Acc} > D_{Max} \quad (36)$$

$$\text{then } D_{Max} = D_{Acc} \quad (37)$$

$$\text{and } BF_{List} = \{f_1, f_2, \ldots, f_{N-1}\} \quad (38)$$

In the next iteration, we select the bottom two ranked features and find the detection accuracy on the testing data by eliminating these two and considering the rest $N-2$ features only, i.e., $D_{Acc}$ for the current iteration. Again, we compare the $D_{Max}$ and $D_{Acc}$, and if $D_{Acc}$ is higher than $D_{Max}$, we delete the bottom two ranked features from the $BF_{List}$ and proceed to the next iteration to select the bottom three ranked features. The following equations summarize the above-mentioned procedure.

$$\text{if } D_{Acc} > D_{Max} \quad (39)$$

$$\text{then } D_{Max} = D_{Acc} \quad (40)$$

$$\text{and } BF_{List} = \{f_1, f_2, \ldots, f_{N-2}\} \quad (41)$$

The algorithm continues in the same manner and terminates when the detection accuracy does not improve further. At a stage when $D_{Acc}$ is not higher than $D_{Max}$, we return the $D_{Max}$ and $BF_{List}$ containing only the best set of ranked features. The overall computational complexity of the proposed algorithm can be approximated as $O(N \cdot (N + M + f(n)))$, where $N$ is the number of features in the $F_{List}$, $M$ is the size of the $F_{all}$ list, and $f(n)$ represents the time complexity of the ML algorithms used for training and evaluation.

Algorithm 1 answers research question three, i.e., how to frame a detection approach based on the ranking of features. We describe the results obtained from the proposed approach in the next section.
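The elimination loop of Algorithm 1 as described above, written out as an added example (not the authors' code). The function names, the toy vote classifier standing in for DT, RF and the other models, and the preference scores and app samples are all constructed assumptions; only the feature names come from the paper.

```python
"""Algorithm 1: drop bottom-ranked manifest features while accuracy keeps improving."""
from typing import Callable, Dict, FrozenSet, List, Sequence, Tuple

App = Tuple[FrozenSet[str], int]  # (features declared in the manifest, 1 = malware, 0 = normal)


def rank_features(malware_score: Dict[str, float], normal_score: Dict[str, float]) -> List[str]:
    """F_List: features in decreasing order of (malware score - normal score)."""
    return sorted(malware_score, key=lambda f: malware_score[f] - normal_score[f], reverse=True)


def make_evaluator(train: Sequence[App], test: Sequence[App]) -> Callable[[Sequence[str]], float]:
    """Build evaluate(kept) -> D_Acc using a toy vote classifier (hypothetical stand-in)."""

    def evaluate(kept: Sequence[str]) -> float:
        # Fit on the kept features only: +1 if more malware than normal training apps
        # declare the feature, -1 if fewer, 0 on a tie (assumes balanced classes).
        polarity = {}
        for feat in kept:
            mal = sum(1 for feats, label in train if label == 1 and feat in feats)
            nor = sum(1 for feats, label in train if label == 0 and feat in feats)
            polarity[feat] = (mal > nor) - (mal < nor)
        # Predict malware when the votes of the declared features sum above zero.
        correct = 0
        for feats, label in test:
            votes = sum(polarity[feat] for feat in kept if feat in feats)
            correct += int((1 if votes > 0 else 0) == label)
        return correct / len(test)

    return evaluate


def select_best_features(f_list: Sequence[str], evaluate: Callable[[Sequence[str]], float]):
    """Return (D_Max, BF_List, trace); trace holds (features kept, D_Acc) per iteration."""
    n = len(f_list)
    d_max = 0.0                # D_Max is initialized to zero
    bf_list = list(f_list)     # BF_List starts as a copy of F_List
    trace = []
    # Iteration k evaluates F_List without its bottom k features. Because D_Max
    # starts at zero, the first iteration is always accepted, so the full list of
    # N features is never the returned subset.
    for k in range(1, n):
        candidate = list(f_list[: n - k])
        d_acc = evaluate(candidate)
        trace.append((len(candidate), d_acc))
        if d_acc > d_max:      # Eqs. (36)-(38): accept and shrink BF_List
            d_max, bf_list = d_acc, candidate
        else:                  # no improvement: stop and keep the previous best
            break
    return d_max, bf_list, trace


OWN, WAP, SYNC, NET, INET = ("READ_OWNER_DATA", "RECEIVE_WAP_PUSH", "READ_SYNC_STATS",
                             "ACCESS_NETWORK_STATE", "INTERNET")

# Constructed preference scores (not the paper's values), chosen so that INTERNET and
# ACCESS_NETWORK_STATE rank last, as the page reports for permissions.
MALWARE_SCORE = {INET: 0.01, SYNC: 0.90, OWN: 0.98, NET: 0.30, WAP: 0.95}
NORMAL_SCORE = {INET: 0.99, SYNC: 0.10, OWN: 0.02, NET: 0.90, WAP: 0.05}


def apps(label: int, *feature_sets) -> List[App]:
    return [(frozenset(fs), label) for fs in feature_sets]


# Constructed training and evaluation apps (4 + 4 and 5 + 5).
TRAIN = (apps(1, {OWN, WAP, INET, NET}, {OWN, SYNC, INET, NET}, {WAP, SYNC, INET}, {OWN, INET, NET})
         + apps(0, {INET, NET}, {INET}, {INET, SYNC}, {NET}))
TEST = (apps(1, {OWN, INET}, {WAP, INET, NET}, {SYNC, INET}, {OWN, WAP, NET}, {INET, NET})
        + apps(0, {INET, NET}, {INET}, {NET}, {INET}, {INET}))


def run_demo():
    f_list = rank_features(MALWARE_SCORE, NORMAL_SCORE)
    return select_best_features(f_list, make_evaluator(TRAIN, TEST))


if __name__ == "__main__":
    best_acc, best_features, history = run_demo()
    for kept, acc in history:
        print(f"kept top {kept} features -> accuracy {acc:.2f}")
    print("D_Max =", best_acc, "BF_List =", best_features)
```

With real data, pass an `evaluate` callable that trains the chosen classifier on the kept columns only. Because the loop picks the subset by accuracy on the evaluation split, measure the final figure on a further held-out set.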


Table 4
Top 10 normal dominant and malware dominant permissions with their corresponding weights.

| Normal dominant permissions | Weights allotted | Malware dominant permissions | Weights allotted |
| --- | --- | --- | --- |
| RECEIVE | 3 | MOUNT_UNMOUNT_FILESYSTEMS | 1 |
| BIND_GET_INSTALL_REFERRER_SERVICE | 3 | READ_PHONE_STATE | 1 |
| C2D_MESSAGE | 3 | GET_TASKS | 1 |
| FOREGROUND_SERVICE | 3 | CHANGE_WIFI_STATE | 1 |
| BILLING | 3 | SYSTEM_ALERT_WINDOW | 1 |
| USE_FINGERPRINT | 3 | WRITE_SETTINGS | 1 |
| READ_GSERVICES | 3 | CHANGE_NETWORK_STATE | 1 |
| USE_BIOMETRIC | 3 | READ_LOGS | 1 |
| UPDATE_SHORTCUT | 3 | ACCESS_COARSE_LOCATION | 1 |
| BROADCAST_BADGE | 3 | ACCESS_WIFI_STATE | 1 |

Table 5
Top 10 normal dominant and malware dominant intents with their corresponding weights.

| Normal dominant intents | Weights allotted | Malware dominant intents | Weights allotted |
| --- | --- | --- | --- |
| RECEIVE | 3 | USER_PRESENT | 1 |
| DEVICE_STORAGE_LOW | 3 | PACKAGE_REMOVED | 1 |
| DEVICE_STORAGE_OK | 3 | DEFAULT | 1 |
| LEANBACK_LAUNCHER | 3 | PACKAGE_ADDED | 1 |
| BATTERY_OKAY | 3 | VIEW | 1 |
| BATTERY_LOW | 3 | BROWSABLE | 1 |
| MEDIA_BUTTON | 3 | REGISTER | 1 |
| MY_PACKAGE_REPLACED | 3 | NOTIFICATION_RECEIVED_PROXY | 1 |
| TIMEZONE_CHANGED | 3 | PushService | 1 |
| QUICKBOOT_POWERON | 3 | PUSH_TIME | 1 |

Table 6
Top 10 normal dominant and malware dominant hardware components with their corresponding weights.

| Normal dominant hardware components | Weights allotted | Malware dominant hardware components | Weights allotted |
| --- | --- | --- | --- |
| touchscreen | 3 | camera | 1 |
| touchscreen.multitouch | 3 | Camera.autofocus | 1 |
| touchscreen.multitouch.distinct | 3 | nfc.hce | 1 |
| location.network | 3 | autofocus | 1 |
| location.GPS | 3 | camera.flash | 1 |
| location | 3 | camera2.full | 1 |
| telephony | 3 | usb.action.USB_STATE | 1 |
| screen.portrait | 3 | sensor.stepcounter | 1 |
| screen.landscape | 3 | sensor.stepdetector | 1 |
| vulkan | 3 | camera.setParameters | 1 |

4. Feature ranking results

In this section, we present and discuss the feature ranking results obtained using the proposed PHIGrader model. We point out that we have separate datasets for training and testing. As described in Section 3.1.1, there are 77,000 applications, each in the normal and malware categories. Of these, we used 56,000 normal apps and 56,000 malware apps in the ranking phase. The remaining 21,000 normal and 21,000 malware apps were used in the detection phase. We term this dataset DATASET-1. In addition, we tested our approach on another unknown dataset containing more recent and stealthier malware samples detected between 2021 and 2022, named DATASET-2. In the upcoming subsections, we first discuss the ranking obtained from the two MCDM techniques individually, namely TOPSIS and EDAS, after allotting weights to all three feature types. Thereafter, in the subsequent sections, we discuss the detection results of DATASET-1 and DATASET-2.

4.1. Allotting weights to the features

As discussed in Section 3.1.3, we first assign weights to features based on their frequency difference in the malware and normal training datasets. We note that we have three separate rankings, one each for permissions, intents, and hardware components. Tables 4–6 summarize the top ten normal dominant and malware dominant features along with their assigned weights. As seen from Table 4, the normal dominant permission named “RECEIVE” is assigned a weight of three because it has the lowest frequency difference between the malware and normal datasets, whereas the malware dominant permission named “MOUNT_UNMOUNT_FILESYSTEMS” had the highest frequency difference between the malware and normal datasets; hence, it was weighted one. Similarly, we can read the weights of the other top 10 normal dominant and malware dominant permissions from the table.

As seen from Table 5, the normal dominant intent named “RECEIVE” is assigned a weight of three because it has the lowest frequency difference between the malware and normal datasets, whereas the malware dominant intent named “USER_PRESENT” had the highest frequency difference between the malware and normal datasets; hence, it had a weight of one. Similarly, we can read the weights of the other top 10 normal dominant and malware dominant intents from the table.

Similarly, as can be seen from Table 6, the normal dominant hardware component named “touchscreen” is assigned a weight of three because it has the lowest frequency difference between the malware and normal datasets, whereas the malware dominant component named “camera” had the highest frequency difference between the malware and normal datasets; hence, it had a weight of one. Similarly, we can read the weights of the other top 10 normal dominant and malware dominant hardware components from the table.

4.2. Features ranking

In response to our RQ2, i.e., how to incorporate feature ranking, this section presents the various techniques chosen by us to rank the features in order of relevance. To obtain the preference score of each feature, we separately applied the two MCDM techniques, TOPSIS and


Table 7
Top 10 permissions ranked using TOPSIS.

| Permissions | Malware preference score | Normal preference score | Difference |
| --- | --- | --- | --- |
| UPDATE_APP_OPS_STATS | 0.995640016 | 0.994700764 | 0.000939252 |
| USE_BIOMETRIC | 0.999710875 | 0.999859006 | −0.000148131 |
| MAPS_RECEIVE | 0.999401252 | 0.99984433 | −0.000443078 |
| READ_OWNER_DATA | 0.997612157 | 0.998838311 | −0.001226154 |
| READ_USER_DICTIONARY | 0.997566566 | 0.999204898 | −0.001638332 |
| SEND_DOWNLOAD_COMPLETED_INTENTS | 0.995754181 | 0.997521968 | −0.001767787 |
| QUERY_ALL_PACKAGES | 0.99792082 | 0.999770741 | −0.001849921 |
| RECEIVE_WAP_PUSH | 0.996069212 | 0.998509435 | −0.002440223 |
| BIND_GET_INSTALL_REFERRER_SERVICE | 0.996692437 | 0.999937243 | −0.003244807 |
| READ_SYNC_STATS | 0.995959198 | 0.999400858 | −0.00344166 |

Table 8
Top 10 intents ranked using TOPSIS.

| Intents | Malware preference score | Normal preference score | Difference |
| --- | --- | --- | --- |
| UNREGISTRATION | 0.932365913 | 0.002912326 | 0.929454 |
| ELECTION_RESULT_V4 | 0.928431158 | 0 | 0.928431 |
| webview | 0.932733054 | 0.007804123 | 0.924929 |
| PING_V4 | 0.921531166 | 0.002528772 | 0.919002 |
| MEDIA_CHECKING | 0.927302209 | 0.008587014 | 0.918715 |
| COCKROACH | 0.922930032 | 0.005779095 | 0.917151 |
| action | 0.921980242 | 0.006800472 | 0.91518 |
| ACTION_RICHPUSH_CALLBACK | 0.91729704 | 0.004018638 | 0.913278 |
| ACTION_VIEW_DOWNLOADS | 1 | 0.087523518 | 0.912476 |
| ELECTION | 0.919571962 | 0.007494131 | 0.912078 |

Table 9
Top 10 hardware components ranked using TOPSIS.

| Hardware components | Malware preference score | Normal preference score | Difference |
| --- | --- | --- | --- |
| faketouch.multitouch.jazzhand | 1 | 0.000760768 | 0.999239 |
| sensor.ambient_temperature | 1 | 0.000760768 | 0.999239 |
| sensor.heartrate.ecg | 1 | 0.000760768 | 0.999239 |
| sensor.relative_humidity | 1 | 0.000760768 | 0.999239 |
| type.automotive | 1 | 0.000760768 | 0.999239 |
| portrait | 1 | 0.001923007 | 0.998077 |
| BLUETOOTH_ADMIN | 1 | 0.002172686 | 0.997827 |
| sensor.heartrate | 1 | 0.002221286 | 0.997779 |
| sensor.ACCELEROMETER | 0.996798316 | 0 | 0.996798 |
| type.watch | 0.99626415 | 0 | 0.996264 |

EDAS, to the six vector tables (two for each feature type) developed for permissions, intents, and hardware components. Furthermore, we used the difference between the preference score of the features obtained using the malware and normal datasets to identify the most distinguishing features.

Using the frequency-based MCDM approach mentioned above, we answer research question two, i.e., how to rank the features to recognize the most distinguishing and influential ones among them.

4.2.1. Feature ranking using TOPSIS

In this section, we discuss the ranking obtained on applying TOPSIS over permissions, intents, and hardware components individually. Tables 7–9 summarize the top ten permissions, intents, and hardware components respectively according to the ranking done using the preference score obtained by TOPSIS.

Table 7 highlights that the permission named “UPDATE_APP_OPS_STATS” is the most distinguishing permission with the highest difference between the malware and normal preference score according to TOPSIS. Similarly, we can infer rankings of other permissions based on their scores from the table. The permission named “INTERNET” had the lowest preference score difference value of −0.9945 amongst all permissions and hence, is the least distinguishing permission. Table 8 highlights that the intent named “UNREGISTRATION” is the most distinguishing intent with the highest difference between the malware and normal preference score according to TOPSIS. Similarly, we can infer rankings of other intents based on their scores from the table. The intent named “MAIN” had the lowest preference score difference value of −0.9362 and hence, is the least distinguishing intent. In a similar manner, Table 9 highlights that the hardware component named “faketouch.multitouch.jazzhand” is the most distinguishing hardware component with the highest difference between the malware and normal preference score according to TOPSIS. Similarly, we can infer rankings of other hardware components based on their scores from the table. The hardware component named “camera” had the lowest preference score difference value of 0.0470 amongst all hardware components and hence, is the least distinguishing one.

4.2.2. Feature ranking using EDAS

In this section, we discuss the ranking obtained on applying EDAS over permissions, intents and hardware components individually. Tables 10–12 summarize the top ten permissions, intents, and hardware components respectively according to the ranking done using the preference score obtained by EDAS.

Table 10 highlights that the permission named “READ_OWNER_DATA” is the most distinguishing permission with the highest difference between the malware and normal preference score according to EDAS. Similarly, we can infer rankings of other permissions based on their scores from the table. The permission named “INTERNET” had the lowest preference score difference value of −0.9949 amongst all permissions and hence, is the least distinguishing permission. Table 11 highlights that the intent named “SEND_MULTIPLE” is the most distinguishing intent with the highest difference between the malware and normal preference score according to EDAS. Similarly, we can infer rankings of other intents based on their scores from the table. The intent named “MAIN” had the lowest preference score


Table 10
Top 10 permissions ranked using EDAS.

| Permissions | Malware preference score | Normal preference score | Difference |
| --- | --- | --- | --- |
| READ_OWNER_DATA | 0.988485224 | 0.000817483 | 0.987667742 |
| SEND_DOWNLOAD_COMPLETED_INTENTS | 0.987399804 | 0.000148769 | 0.987251036 |
| WRITE_OWNER_DATA | 0.988159244 | 0.001161826 | 0.986997418 |
| UPDATE_APP_OPS_STATS | 0.986864022 | 7.69131E−05 | 0.986787109 |
| READ_USER_DICTIONARY | 0.987964382 | 0.001516245 | 0.986448136 |
| DEVICE_POWER | 0.987416607 | 0.001680802 | 0.985735805 |
| READ_SYNC_STATS | 0.987797896 | 0.002401552 | 0.985396344 |
| RECEIVE_WAP_PUSH | 0.985181748 | 0.000569173 | 0.984612576 |
| RECEIVE_MCS_MESSAGE | 0.985653997 | 0.001409919 | 0.984244078 |
| QUERY_ALL_PACKAGES | 0.996960967 | 0.012767359 | 0.984193608 |

Table 11
Top 10 intents ranked using EDAS.

| Intents | Malware preference score | Normal preference score | Difference |
| --- | --- | --- | --- |
| SEND_MULTIPLE | 0.994820911 | 0.008634884 | 0.986186 |
| webview | 0.986137754 | 0.000184527 | 0.985953 |
| MESSAGE_CLICKED | 0.986222594 | 0.000342747 | 0.98588 |
| MESSAGE_ARRIVED | 0.986208426 | 0.000342747 | 0.985866 |
| ELECTION_RESULT_V4 | 0.984945278 | 0 | 0.984945 |
| DATE_CHANGED | 0.985482814 | 0.001746364 | 0.983736 |
| action | 0.983561978 | 0.000130295 | 0.983432 |
| BATTERY_CHANGED | 0.984495175 | 0.001219489 | 0.983276 |
| MEDIA_CHECKING | 0.983434556 | 0.000225724 | 0.983209 |
| COCKROACH | 0.982778387 | 8.94315E−05 | 0.982689 |

Table 12
Top 10 hardware components ranked using EDAS.

| Hardware components | Malware preference score | Normal preference score | Difference |
| --- | --- | --- | --- |
| faketouch.multitouch.jazzhand | 1 | 2.56585E−05 | 0.999974342 |
| sensor.ambient_temperature | 1 | 2.56585E−05 | 0.999974342 |
| sensor.heartrate.ecg | 1 | 2.56585E−05 | 0.999974342 |
| sensor.relative_humidity | 1 | 2.56585E−05 | 0.999974342 |
| type.automotive | 1 | 2.56585E−05 | 0.999974342 |
| type.watch | 0.999961715 | 0 | 0.999961715 |
| sensor.ACCELEROMETER | 0.999948631 | 0 | 0.999948631 |
| BLUETOOTH_ADMIN | 1 | 5.26423E−05 | 0.999947358 |
| portrait | 1 | 6.60416E−05 | 0.999933958 |
| sensor.heartrate | 1 | 7.62598E−05 | 0.99992374 |

difference value of −0.9993 and hence, is the least distinguishing intent. In a similar manner, Table 12 highlights that the hardware component named “faketouch.multitouch.jazzhand” is the most distinguishing hardware component with the highest difference between the malware and normal preference score according to EDAS. Similarly, we can infer rankings of other hardware components based on their scores from the table. The hardware component named “camera” had the lowest preference score difference value of −0.5659 amongst all hardware components and hence, is the least distinguishing one.

In the subsequent sections, we present the detection results obtained using the proposed model.

5. Detection results on DATASET-1

In this section, we discuss the detection results, i.e., the accuracy obtained from our proposed approach over DATASET-1. To check the efficiency of the three most commonly used features present in the AndroidManifest file, we performed three experiments, considering (1) permissions, (2) intents, and (3) hardware components, by applying the two MCDM techniques individually. We will discuss these results in the upcoming subsections, followed by a comparison of our proposed work with other statistical tests.

5.1. Detection results with TOPSIS

In this section, we discuss the detection results, i.e., the accuracy obtained from our proposed approach over the DATASET-1 while using the rankings given by TOPSIS. Figs. 5–7 summarize the detection results when we consider permissions, intents, and hardware components for detection, respectively. We note that in the figures mentioned above, we do not mention the names of all the ranked features because the accuracy upon eliminating them lies within similar ranges to the mentioned ones.

5.1.1. Detection results with permissions

Fig. 5 summarizes the detection results when we rank the permissions using the TOPSIS technique and further apply the proposed detection algorithm. The figure can be understood as follows. While simultaneously considering all permissions without using the TOPSIS ranking, we achieve 74.64% accuracy with the DT classifier. In the first iteration, on eliminating the least ranked permission named “INTERNET” from the DATASET-1, we observe that we get 75.46% accuracy with several machine learning classifiers. We call this the first iteration and move on to the next iteration, in which we eliminate the bottom two ranked permissions, i.e., “INTERNET” and “ACCESS_NETWORK_STATE”, from the DATASET-1. In this iteration, we obtain an accuracy of 76.47% with DT and RF classifiers. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked permissions and repeat the entire procedure. The procedure continues until we observe a decrease in the detection accuracy. As shown in Fig. 5, we achieved the highest detection accuracy of 98.01% with the DT classifier upon eliminating 114 permissions out of the total lot of 129, i.e., upon considering only the top 15 permissions, namely “UPDATE_APP_OPS_STATS”, “USE_BIOMETRIC”, “MAPS_RECEIVE”, “READ_OWNER_DATA”, “READ_USER_DICTIONARY”, “SEND_DOWNLOAD_COMPLETED_INTENTS”, “QUERY_ALL_PACKAGES”, “RECEIVE_WAP_PUSH”, “BIND_GET_INSTALL_REFERRER_SERVICE”, “READ_SYNC_STATS”, “MESSAGE”, “WRITE_CALL_LOG”, “BAIDU_LOCATION_SERVICE”, “WRITE_OWNER_DATA”, and “BADGE_COUNT_READ”. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 98.01% when we apply the proposed Algorithm 1 to permissions.

Fig. 5. Detection results with TOPSIS using permissions.

5.1.2. Detection results with intents

Next, we apply the proposed detection algorithm (Algorithm 1) with intents ranked by TOPSIS. The algorithm provides the best intents with higher accuracy as an output. Fig. 6 can be understood as follows. While simultaneously considering all intents without using the TOPSIS ranking, we achieve 67.19% accuracy with several machine learning classifiers. In the first iteration, after eliminating the least ranked intent named “MAIN” from the DATASET-1, we observe that we obtain the same 67.19% accuracy. We call this the first iteration and move on to the next iteration, in which we eliminate the bottom two ranked intents, i.e., “MAIN” and “LAUNCHER”, from the DATASET-1. In this iteration, we obtain an accuracy of 68.79% with DT, RF, and NB classifiers. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked intents and repeat the entire procedure. The procedure continues until we observe a decrease in the detection accuracy. As shown in Fig. 6, we achieved the highest detection accuracy of 99.10% with the DT classifier upon eliminating 33 intents out of the total lot of 79, i.e., upon considering the top 46 intents, some top ranked intents being “UNREGISTRATION”, “ELECTION_RESULT_V4”, “WEBVIEW”, “PING_V4”, “MEDIA_CHECKING”, …, “PUSH_TIME”, “PUSHSERVICE”, “REPORT”, “NOTIFICATION_RECEIVED_PROXY”, “REGISTER”, etc. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 99.10% when we apply the proposed Algorithm 1 to the intents.

Fig. 6. Detection results with TOPSIS using intents.

5.1.3. Detection results with hardware components

Next, we apply the proposed detection algorithm (Algorithm 1) with the hardware components ranked by TOPSIS. The algorithm provides the best hardware components with higher accuracy as an output. Fig. 7 can be understood as follows. While considering all the hardware components simultaneously without using the TOPSIS ranking, we achieve 71.84% accuracy with several machine learning classifiers. In the first iteration, after eliminating the least ranked hardware component named “camera” from the DATASET-1, we observe that we get 73.93% accuracy with the RF and BC classifiers. We call this the first iteration and move on to the next iteration, in which we eliminate the bottom two ranked hardware components, i.e., “camera” and “Camera.autofocus”, from the DATASET-1. In this iteration, we obtained an accuracy of 75.55% with DT, RF, and BC classifiers. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked hardware components and repeat the entire procedure. The procedure continues until we observe a decrease in the detection accuracy. As shown in Fig. 7, we achieved


Fig. 7. Detection results with TOPSIS using hardware components.

the highest detection accuracy of 91.67% with NB and LR classifiers upon eliminating 69 hardware components out of the total lot of 88, i.e., upon considering only the top 19 hardware components, namely “faketouch.multitouch.jazzhand”, “sensor.ambient_temperature”, “sensor.heartrate.ecg”, “sensor.relative_humidity”, “type.automotive”, “portrait”, “BLUETOOTH_ADMIN”, “sensor.heartrate”, “sensor.ACCELEROMETER”, “type.watch”, “sensor.hifi_sensors”, “faketouch.multitouch.distinct”, “touchscreen.multitouch.jazzhand”, “camera.capability.manual_post_processing”, “camera.capability.manual_sensor”, “READ_EXTERNAL_STORAGE”, “RECORD_AUDIO”, “camera.external” and “opengles.aep”. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 91.67% when we apply the proposed Algorithm 1 to hardware components.

5.2. Detection results with EDAS

In this section, we discuss the detection results, i.e., the accuracy obtained from our proposed approach over DATASET-1 using the EDAS rankings. Figs. 8, 9, and 10 summarize the detection results when we consider permissions, intents, and hardware components for detection. We note that in the figures mentioned above, we do not mention the names of all the ranked features because the accuracy upon eliminating them lies within similar ranges to the mentioned ones.

5.2.1. Detection results with permissions

Fig. 8 summarizes the detection results when we apply the proposed algorithm to permissions ranked using the EDAS technique. The figure can be understood as follows. While considering all permissions simultaneously without using the EDAS ranking, we achieve 74.64% accuracy with the DT classifier. In the first iteration, on eliminating the least ranked permission named “INTERNET” from the DATASET-1, we observe that we get 75.46% accuracy with several machine learning classifiers. We call this the first iteration and move on to the next iteration, in which we eliminate the bottom two ranked permissions, i.e., “INTERNET” and “ACCESS_NETWORK_STATE”, from the DATASET-1. In this iteration, we obtain an accuracy of 76.47% with DT and RF classifiers. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked permissions and repeat the entire procedure. The procedure continues until we observe a decrease in the detection accuracy. As shown in Fig. 8, we achieved the highest detection accuracy of 87.34% with the BC classifier upon eliminating 120 permissions out of the total lot of 129, i.e., upon considering only the top nine permissions, namely “READ_OWNER_DATA”, “SEND_DOWNLOAD_COMPLETED_INTENTS”, “WRITE_OWNER_DATA”, “UPDATE_APP_OPS_STATS”, “READ_USER_DICTIONARY”, “DEVICE_POWER”, “READ_SYNC_STATS”, “RECEIVE_WAP_PUSH” and “RECEIVE_MCS_MESSAGE”. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 87.34% when we apply the proposed Algorithm 1 to permissions.

5.2.2. Detection results with intents

Next, we apply the proposed detection algorithm (Algorithm 1) with ranked intents using EDAS. The algorithm provides the best intents with higher accuracy as an output. Fig. 9 can be understood as follows. While simultaneously considering all intents without using the EDAS ranking, we achieve 67.19% accuracy with several machine learning classifiers. In the first iteration, after eliminating the least ranked intent named “MAIN” from the DATASET-1, we observe that we obtain the same 67.19% accuracy. We call this the first iteration and move on to the next iteration, in which we eliminate the bottom two ranked intents, i.e., “MAIN” and “LAUNCHER”, from the DATASET-1. In this iteration, we obtain an accuracy of 68.79% with DT, RF, and NB classifiers. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked intents and repeat the entire procedure. The procedure continues until we observe a decrease in the detection accuracy. As shown in Fig. 9, we achieved the highest detection accuracy of 90.82% with the DT classifier upon eliminating 60 intents out of the total lot of 79, i.e., upon considering only the top 19 intents, namely “SEND_MULTIPLE”, “webview”, “MESSAGE_CLICKED”, “MESSAGE_ARRIVED”, “ELECTION_RESULT_V4”, “DATE_CHANGED”, “action”, “BATTERY_CHANGED”, “MEDIA_CHECKING”, “COCKROACH”, “PING_V4”, “WALLPAPER_CHANGED”, “ACTION_VIEW_DOWNLOADS”, “NEW_OUTGOING_CALL”, “SCREEN_ON”, “HEART_BEAT”, “HEADSET_PLUG”, “FEEDBACK” and “MESSAGE”. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 90.82% when we apply the proposed Algorithm 1 to the intents.

5.2.3. Detection results with hardware components

Next, we apply the proposed detection algorithm (Algorithm 1) with the hardware components ranked by EDAS. The algorithm provides the best hardware components with higher accuracy as an output. Fig. 10 can be understood as follows. While considering all the hardware components simultaneously without using the EDAS ranking, we achieve 71.84% accuracy with several machine learning classifiers. In the first iteration, after eliminating the least ranked hardware component named “camera” from the DATASET-1, we observe that we get 73.93% accuracy with the RF and BC classifiers. We call this the first iteration and move on to the next iteration, in which we eliminate the bottom two ranked hardware components, i.e., “camera” and “Camera.autofocus”, from the DATASET-1. In this iteration, we obtain an accuracy of 75.55% with DT, RF, and BC classifiers. As discussed in


Fig. 8. Detection results with EDAS using permissions.

Fig. 9. Detection results with EDAS using intents.

Fig. 10. Detection results with EDAS using hardware components.

Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked hardware components and repeat the entire procedure. The procedure continues until we observe a decrease in the detection accuracy. As shown in Fig. 10, we achieved the highest detection accuracy of 91.67% with RF, NB, and LR classifiers by eliminating 70 hardware components out of the total lot of 88, i.e., upon considering only the top 18 hardware components. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 91.66% when we apply the proposed Algorithm 1 to hardware components.

The compiled detection results when we apply the proposed algorithm to DATASET-1 are summarized in Table 13. From the table, we observe that we obtain the highest accuracy of 98.01% on using 15 permissions when we apply the proposed Algorithm 1 to the ranking described by TOPSIS. Similarly, the highest accuracy of 99.10% can be achieved using 46 intents when we apply the proposed Algorithm 1 to the ranking described by TOPSIS, whereas the ranking given by EDAS results in the highest detection accuracy of 91.67% on using 18 hardware components. Hence, in response to research question four, we conclude that the top-ranked 46 intents from TOPSIS, i.e., intents, give the best detection accuracy results amongst the three most commonly used AndroidManifest file features.

At the same time, when no feature ranking of any type is used and all the features are fed to the classifiers at once, i.e., on considering the large initial vector of all the permissions, intents, or hardware components simultaneously, we observe that the highest detection accuracy


Table 13
Compiled detection results (in %) on applying the proposed algorithm on DATASET-1.

| Feature ranking method used | Permissions: number used | Permissions: accuracy (in %) | Intents: number used | Intents: accuracy (in %) | Hardware components: number used | Hardware components: accuracy (in %) |
| --- | --- | --- | --- | --- | --- | --- |
| TOPSIS | 15 | 98.01 | 46 | 99.10 | 19 | 91.67 |
| EDAS | 09 | 87.34 | 19 | 90.82 | 18 | 91.67 |
| No ranking (all features used) | 129 | 74.64 | 79 | 67.19 | 88 | 71.84 |

Table 14
Top 10 features ranked using Chi-square.

| Permissions | Intents | Hardware components |
| --- | --- | --- |
| BIND_GET_INSTALL_REFERRER_SERVICE | CONNECTION | touchscreen |
| JPUSH_MESSAGE | DaemonService | touchscreen.multitouch |
| RESTART_PACKAGES | NOTIFICATION_RECEIVED | touchscreen.multitouch.distinct |
| SEND_SMS | NOTIFICATION_OPENED | location |
| RECEIVE_SMS | MESSAGE_RECEIVED | location.network |
| READ_SMS | START_FROM_AGOO | location.GPS |
| CHANGE_CONFIGURATION | REPORT | screen.portrait |
| RECEIVE_USER_PRESENT | COMMAND | telephony |
| BROADCAST_PACKAGE_INSTALL | SERVICE | vulkan |
| BROADCAST_PACKAGE_REPLACED | ELECTION | screen.landscape |

Table 15
Top 10 features ranked using PCA.

| Permissions | Intents | Hardware components |
| --- | --- | --- |
| READ_SYNC_STATS | NOTIFICATION_RECEIVED_PROXY | sensor.heartrate.ecg |
| WRITE_OWNER_DATA | PUSH_TIME | type.automotive |
| CHANGE_WIFI_STATE | REPORT | sensor.ambient_temperature |
| READ_OWNER_DATA | PushService | sensor.relative_humidity |
| WRITE_CALL_LOG | REGISTER | faketouch.multitouch.jazzhand |
| READ_USER_DICTIONARY | NOTIFICATION_OPENED | sensor.hifi_sensors |
| WRITE_SETTINGS | MESSAGE_RECEIVED | camera.capability.manual_post_processing |
| READ_SYNC_SETTINGS | NOTIFICATION_RECEIVED | camera.capability.manual_sensor |
| GET_TASKS | CONNECTION | camera.external |
| RECEIVE_WAP_PUSH | DaemonService | opengles.aep |

Table 16
Top 10 features ranked using ECCD.

| Permissions | Intents | Hardware components |
| --- | --- | --- |
| MOUNT_UNMOUNT_FILESYSTEMS | USER_PRESENT | autofocus |
| READ_PHONE_STATE | PACKAGE_REMOVED | service.GwBroadcastMonitorService |
| CHANGE_WIFI_STATE | NOTIFICATION_RECEIVED_PROXY | camera |
| GET_TASKS | PushService | screen.portrait |
| SYSTEM_ALERT_WINDOW | PUSH_TIME | fingerprint |
| READ_LOGS | REPORT | location |
| CHANGE_NETWORK_STATE | REGISTER | service.DevTransferService |
| WRITE_SETTINGS | MESSAGE_RECEIVED | touchscreen |
| ACCESS_WIFI_STATE | NOTIFICATION_OPENED | audio.pro |
| JPUSH_MESSAGE | NOTIFICATION_RECEIVED | location.network |

obtained is merely 74.64%, 67.19%, and 71.84% respectively. Based on the results and the low detection accuracy depicted by Table 13, we answer our first research question that feature ranking helps us eliminate irrelevant features that can hamper detection accuracy.

5.3. Comparison with other feature ranking techniques

We applied various MCDM techniques to rank the features. However, feature ranking techniques such as Chi-square (Sheen et al., 2015), Principal Component Analysis (PCA) (Thiyagarajan et al., 2020), and Entropy-based Category Coverage Difference (ECCD) (Varsha et al., 2017) have been used in other studies for Android malware detection. Next, we compare the performance of the ranking obtained using various MCDM techniques with the Chi-square, Principal Component Analysis (PCA), and Entropy-based Category Coverage Difference (ECCD). Tables 14–16 highlight the top 10 permissions, intents, and hardware components ranked using Chi-square, Principal Component Analysis (PCA), and Entropy-based Category Coverage Difference (ECCD), respectively.

For comparison, we ranked all three feature types, i.e., permissions, intents, and hardware components, using Chi-square, Principal Component Analysis (PCA), and Entropy-Based Category Coverage Difference (ECCD) and further applied the proposed Algorithm 1 to DATASET-1 to obtain their corresponding detection accuracies. First, we apply the proposed detection algorithm to permissions after ranking them using Chi-square, Principal Component Analysis (PCA), and Entropy-based Category Coverage Difference (ECCD). The proposed algorithm, i.e., Algorithm 1, will provide the best set of permissions with higher accuracy as an output. As we can see from Table 17, we obtain the highest accuracy of 97.70% with ten permissions, namely “BIND_GET_INSTALL_REFERRER_SERVICE”, “JPUSH_MESSAGE”, “RESTART_PACKAGES”, “SEND_SMS”, “RECEIVE_SMS”, “READ_SMS”, “CHANGE_CONFIGURATION”, “RECEIVE_USER_PRESENT”, “BROADCAST_PACKAGE_INSTALL”, and “BROADCAST_PACKAGE_REPLACED”, when we rank the permissions with Chi-square. With PCA, we obtain the highest accuracy of 87.56% with five permissions, namely “READ_SYNC_STATS”, “WRITE_OWNER_DATA”, “CHANGE_WIFI_STATE”, “READ_OWNER_DATA”, and “WRITE_CALL_LOG”. Similarly, we obtained the highest accuracy of 89.68% with only one permission


Table 17
Comparison of best detection results (in %) from MCDM techniques with Chi-square, Principal Component Analysis (PCA) and Entropy-based Category Coverage Difference (ECCD) on permissions.
Columns DT to CNN: detection accuracy using various machine learning and deep learning classifiers (in %).

| Approach used | Number of permissions used | DT | RF | BC | NB | LR | SVC | ANN | MLP | DNN | CNN |
|---|---|---|---|---|---|---|---|---|---|---|---|
| TOPSIS (with our approach) | 15 | 98.01 | 88.73 | 88.73 | 68.28 | 69.66 | 73.12 | 63.70 | 41.54 | 60.86 | 74.25 |
| Chi-square (Sheen et al., 2015) | 10 | 97.70 | 97.70 | 97.70 | 92.16 | 97.70 | 97.58 | 74.54 | 97.58 | 97.58 | 75.54 |
| PCA (Thiyagarajan et al., 2020) | 05 | 87.56 | 87.54 | 87.53 | 78.76 | 78.76 | 78.76 | 74.61 | 75.43 | 78.50 | 78.54 |
| ECCD (Varsha et al., 2017) | 01 | 89.68 | 86.66 | 89.61 | 80.12 | 80.12 | 80.2 | 79.87 | 72.08 | 79.95 | 76.65 |

Table 18
Comparison of best detection results (in %) from MCDM techniques with Chi-square, Principal Component Analysis (PCA) and Entropy-based Category Coverage Difference (ECCD) on intents.
Columns DT to CNN: detection accuracy using various machine learning and deep learning classifiers (in %).

| Approach used | Number of intents used | DT | RF | BC | NB | LR | SVC | ANN | MLP | DNN | CNN |
|---|---|---|---|---|---|---|---|---|---|---|---|
| TOPSIS (with our approach) | 46 | 99.10 | 95.43 | 94.71 | 95.45 | 88.20 | 88.59 | 88.26 | 74.19 | 88.68 | 88.45 |
| Chi-square (Sheen et al., 2015) | 02 | 95.35 | 95.35 | 95.35 | 95.35 | 95.35 | 95.30 | 65.32 | 95.30 | 95.30 | 85.56 |
| PCA (Thiyagarajan et al., 2020) | 09 | 95.43 | 95.41 | 95.41 | 88.93 | 88.54 | 88.50 | 88.61 | 88.40 | 88.40 | 89.33 |
| ECCD (Varsha et al., 2017) | 19 | 96.00 | 96.00 | 95.98 | 90.42 | 90.42 | 88.65 | 90.8 | 89.5 | 90.76 | 85.54 |

Table 19
Comparison of best detection results (in %) from MCDM techniques with Chi-square, Principal Component Analysis (PCA), and Entropy-based Category Coverage Difference (ECCD) on hardware components.
Columns DT to CNN: detection accuracy using various machine learning and deep learning classifiers (in %).

| Approach used | Number of hardware components used | DT | RF | BC | NB | LR | SVC | ANN | MLP | DNN | CNN |
|---|---|---|---|---|---|---|---|---|---|---|---|
| EDAS (with our approach) | 18 | 83.33 | 91.67 | 75.00 | 91.67 | 91.67 | 60.00 | 57.14 | 73.81 | 73.89 | 75.25 |
| Chi-square (Sheen et al., 2015) | 07 | 84.03 | 84.03 | 84.03 | 84.01 | 84.01 | 83.4 | 83.4 | 83.4 | 83.39 | 83.7 |
| PCA (Thiyagarajan et al., 2020) | 11 | 66.66 | 66.66 | 88.88 | 44.44 | 44.44 | 58 | 55.49 | 56.5 | 58.5 | 77.77 |
| ECCD (Varsha et al., 2017) | 15 | 90.50 | 90.50 | 90.50 | 86.89 | 90.42 | 82.64 | 85.82 | 80.53 | 84.44 | 84.44 |

namely "MOUNT_UNMOUNT_FILESYSTEMS" ranked using ECCD. Simultaneously, with our proposed approach on the permission ranking given by TOPSIS, we obtained the highest accuracy of 98.01% with 15 permissions.

Next, we apply the proposed detection algorithm to intents, after ranking them using Chi-square, Principal Component Analysis (PCA), and Entropy-based Category Coverage Difference (ECCD). The proposed algorithm, i.e., Algorithm 1, will provide the best set of intents with higher accuracy as an output. The results are summarized in Table 18, as it can be observed that we obtain the highest accuracy of 95.35% with only two intents, namely "CONNECTION" and "DaemonService" when we rank the intents with Chi-square. However, with PCA, we obtain the highest accuracy of 95.43% with nine intents, namely "NOTIFICATION_RECEIVED_PROXY", "PUSH_TIME", "REPORT", "PushService", "REGISTER", "NOTIFICATION_OPENED", "MESSAGE_RECEIVED", "NOTIFICATION_RECEIVED", and "CONNECTION". Similarly, we obtain the highest accuracy of 96% with 19 intents, namely "USER_PRESENT", "PACKAGE_REMOVED", "NOTIFICATION_RECEIVED_PROXY", "PushService", "PUSH_TIME", …, "UNREGISTRATION", "SERVICE", "START_FROM_AGOO", "ELECTION" and "PING_V4", when we rank the intents with ECCD. At the same time, with our proposed approach on the intents ranking given by TOPSIS, we obtain the highest accuracy of 99.10% with 46 intents. Hence, our model using the MCDM techniques outperforms the Chi-square, Principal Component Analysis (PCA), and Entropy-based Category Coverage Difference (ECCD) on intents.

Now, we apply the proposed detection algorithm to hardware components, after ranking them using Chi-square, Principal Component Analysis (PCA), and Entropy-based Category Coverage Difference (ECCD). The proposed algorithm, i.e., Algorithm 1, will provide the best set of hardware components with higher accuracy as an output. The results are summarized in Table 19, as it can be observed that we obtain the highest accuracy of 84.03% with seven hardware components, namely "touchscreen", "touchscreen.multitouch", "touchscreen.multitouch.distinct", "location", "location.network", "location.GPS" and "screen.portrait" when we rank the hardware components with Chi-square. With PCA, we obtained the highest accuracy of 88.88% with 11 hardware components, namely "sensor.heartrate.ecg", "type.automotive", "sensor.ambient_temperature", "sensor.relative_humidity", "faketouch.multitouch.jazzhand", "sensor.hifi_sensors", "camera.capability.manual_post_processing", "camera.capability.manual_sensor", "camera.external", "opengles.aep" and "camera.capability.raw". Similarly, we obtain the highest accuracy of 90.50% with 15 hardware components, namely "autofocus", "service.GwBroadcastMonitorService", "camera", "screen.portrait", …, "vulkan", "telephony", "vibrate", "touchscreen.multitouch.distinct", when we rank the hardware components with ECCD. At the same time, with our proposed approach on the hardware components ranking given by EDAS, we obtain the highest accuracy of 91.67% with 18 hardware components. Hence, our model using the MCDM techniques outperforms the Chi-square, Principal Component Analysis (PCA), and Entropy-based Category Coverage Difference (ECCD) on hardware components too.

5.4. Comparison with other statistical tests

We applied various MCDM techniques to rank the features. However, statistical tests such as Mutual Information, Pearson Correlation


Table 20
Top 10 features ranked using mutual information.

| Permissions | Intents | Hardware Components |
|---|---|---|
| MOUNT_UNMOUNT_FILESYSTEMS | USER_PRESENT | touchscreen |
| READ_PHONE_STATE | PACKAGE_REMOVED | camera |
| CHANGE_WIFI_STATE | DEFAULT | Camera.autofocus |
| GET_TASKS | REGISTER | touchscreen.multitouch.distinct |
| SYSTEM_ALERT_WINDOW | NOTIFICATION_RECEIVED_PROXY | touchscreen.multitouch |
| READ_LOGS | PACKAGE_ADDED | location |
| WRITE_SETTINGS | PushService | location.network |
| CHANGE_NETWORK_STATE | PUSH_TIME | location.GPS |
| ACCESS_WIFI_STATE | REPORT | screen.portrait |
| ACCESS_COARSE_LOCATION | MESSAGE_RECEIVED | telephony |

Table 21
Top 10 features ranked using Pearson correlation coefficient.

| Permissions | Intents | Hardware Components |
|---|---|---|
| ACCESS | action | action.NEW_PICTURE |
| BADGE_COUNT_READ | ACTION_RICHPUSH_CALLBACK | type.watch |
| ACCESS_BACKGROUND_LOCATION | LAUNCHER | audio.low_latency |
| ACCESS_COARSE_LOCATION | ACTION_SHUTDOWN | biometrics |
| REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | DAYDREAM | moxx.mobility.android.hardwareplatform.firebaseinitprovider |
| ACCESS_COARSE_UPDATES | BATTERY_CHANGED | camera.ar |
| BROADCAST_PACKAGE_ADDED | CREATE_SHORTCUT | autofocus |
| ACCESS_GPS | COCKROACH | BLUETOOTH_ADMIN |
| ACCESS_NETWORK_STATE | CLICK | portrait |
| GOOGLE_PHOTOS | SEND | vibrate |

Table 22
Top 10 features ranked using T-Test.

| Permissions | Intents | Hardware Components |
|---|---|---|
| SEND_DOWNLOAD_COMPLETED_INTENTS | webview | action.NEW_PICTURE |
| UPDATE_APP_OPS_STATS | UNREGISTER | type.watch |
| READ_OWNER_DATA | ELECTION_RESULT_V4 | BLUETOOTH_ADMIN |
| READ_USER_DICTIONARY | action | sensor.ACCELEROMETER |
| BAIDU_LOCATION_SERVICE | WALLPAPER_CHANGED | faketouch.multitouch.jazzhand |
| RECEIVE_WAP_PUSH | DATE_CHANGED | portrait |
| MESSAGE | MEDIA_CHECKING | sensor.ambient_temperature |
| INSTALL_PACKAGES | COCKROACH | sensor.heartrate.ecg |
| WRITE_MEDIA_STORAGE | PING_V4 | sensor.relative_humidity |
| WRITE_CALL_LOG | NEW_OUTGOING_CALL | type.automotive |

Coefficient, and T-Test have been used in other studies such as (Wang et al., 2014) for Android malware detection. Hence, next, we compare the performance of the ranking obtained using various MCDM techniques with the mutual information, Pearson correlation coefficient, and t-test. Tables 20–22 highlight the top ten permissions, intents, and hardware components ranked with mutual information, Pearson Correlation Coefficient, and T-Test, respectively.

For comparison, we ranked all three feature types, i.e., permissions, intents, and hardware components, using mutual information, Pearson Correlation Coefficient, and T-Test and further applied the proposed Algorithm 1 on DATASET-1 to obtain their corresponding detection accuracies. First, we apply the proposed detection algorithm to permissions after ranking them using mutual information, Pearson's correlation coefficient, and t-test. The proposed algorithm, i.e., Algorithm 1, will provide the best set of permissions with higher accuracy as an output. As we can see from Table 23, we obtain the highest accuracy of 89.48% with only one permission, namely "MOUNT_UNMOUNT_FILESYSTEMS", when we rank the permissions with Mutual Information. With Pearson's correlation coefficient, we obtain the highest accuracy of 85.48% again with only one permission, namely "ACCESS". Similarly, we obtained the highest accuracy of 88.93% with 65 permissions ranked using the t-test. Simultaneously, with our proposed approach on the permission ranking given by TOPSIS, we obtain the highest accuracy of 98.01% with 15 permissions.

Next, we apply the proposed detection algorithm to intents, after ranking them using mutual information, Pearson's correlation coefficient, and T-Test. The proposed algorithm, i.e., Algorithm 1, will provide the best set of intents with higher accuracy as an output. The results are summarized in Table 24, as it can be observed that we obtain the highest accuracy of 92.18% with only two intents, namely "USER_PRESENT" and "PACKAGE_REMOVED" when we rank the intents with Mutual Information. However, with Pearson's correlation coefficient, we obtain the highest accuracy of 89.27% with two intents, namely "action" and "ACTION_RICHPUSH_CALLBACK". Similarly, we obtain the highest accuracy of 94.57% with 51 intents, namely "webview", "UNREGISTRATION", "ELECTION_RESULT_V4", "action", "WALLPAPER_CHANGED", … "NOTIFICATION_OPENED", "PUSH_TIME", "REPORT", "PushService", and "NOTIFICATION_RECEIVED_PROXY", when we rank the intents with T-test. At the same time, with our proposed approach on the intents ranking given by TOPSIS, we obtain the highest accuracy of 99.10% with 46 intents. Hence, our model using the MCDM techniques outperforms the Mutual Information, Pearson Correlation Coefficient, and T-Test on intents.

Now, we apply the proposed detection algorithm to hardware components, after ranking them using mutual information, Pearson's correlation coefficient, and T-Test. The proposed algorithm, i.e., Algorithm 1, will provide the best set of hardware components with higher accuracy as an output. The results are summarized in Table 25, as it can be observed that we obtain the highest accuracy of


Table 23
Comparison of best detection results (in %) from MCDM techniques with Mutual Information, Pearson Coefficient, and T-Test on permissions.
Columns DT to CNN: detection accuracy using various machine learning and deep learning classifiers (in %).

| Approach used | Number of permissions used | DT | RF | BC | NB | LR | SVC | ANN | MLP | DNN | CNN |
|---|---|---|---|---|---|---|---|---|---|---|---|
| TOPSIS (with our approach) | 15 | 98.01 | 88.73 | 88.73 | 68.28 | 69.66 | 73.12 | 63.70 | 41.54 | 60.86 | 74.25 |
| Mutual Information (Wang et al., 2014) | 01 | 89.68 | 89.67 | 89.62 | 80.12 | 80.12 | 80.20 | 79.87 | 72.08 | 79.95 | 79.65 |
| Correlation Coefficient (Wang et al., 2014) | 01 | 85.48 | 85.42 | 85.43 | 72.66 | 72.66 | 72.66 | 73.26 | 65.49 | 73.1 | 72.76 |
| T-Test (Wang et al., 2014) | 65 | 88.93 | 88.92 | 88.92 | 83.45 | 83.45 | 83.60 | 83.15 | 82.86 | 83.26 | 83.08 |

Table 24
Comparison of best detection results (in %) from MCDM techniques with Mutual Information, Pearson Coefficient, and T-Test on intents.
Columns DT to CNN: detection accuracy using various machine learning and deep learning classifiers (in %).

| Approach used | Number of intents used | DT | RF | BC | NB | LR | SVC | ANN | MLP | DNN | CNN |
|---|---|---|---|---|---|---|---|---|---|---|---|
| TOPSIS (with our approach) | 46 | 99.10 | 95.43 | 94.71 | 95.45 | 88.20 | 88.59 | 88.26 | 74.19 | 88.68 | 88.45 |
| Mutual Information (Wang et al., 2014) | 02 | 92.17 | 92.18 | 92.12 | 80.24 | 79.58 | 80.90 | 79.36 | 80.46 | 80.51 | 80.75 |
| Correlation Coefficient (Wang et al., 2014) | 02 | 89.27 | 89.24 | 89.11 | 63.67 | 63.67 | 63.66 | 63.02 | 60.81 | 60.87 | 63.38 |
| T-Test (Wang et al., 2014) | 51 | 94.56 | 94.57 | 94.54 | 87.44 | 87.44 | 85.69 | 85.99 | 80.80 | 60.87 | 87.30 |

Table 25
Comparison of best detection results (in %) from MCDM techniques with Mutual Information, Pearson Coefficient, and T-Test on hardware components.
Columns DT to CNN: detection accuracy using various machine learning and deep learning classifiers (in %).

| Approach used | Number of hardware components used | DT | RF | BC | NB | LR | SVC | ANN | MLP | DNN | CNN |
|---|---|---|---|---|---|---|---|---|---|---|---|
| EDAS (with our approach) | 18 | 83.33 | 91.67 | 75.00 | 91.67 | 91.67 | 60.00 | 57.14 | 73.81 | 73.89 | 75.25 |
| Mutual Information (Wang et al., 2014) | 01 | 74.05 | 74.05 | 74.05 | 73.56 | 74.05 | 74.04 | 74.64 | 74.48 | 74.49 | 76.49 |
| Correlation Coefficient (Wang et al., 2014) | 07 | 91.67 | 91.67 | 91.67 | 48.92 | 86.02 | 91.67 | 54.84 | 54.91 | 63.04 | 53.69 |
| T-Test (Wang et al., 2014) | 02 | 91.66 | 91.66 | 91.66 | 83.33 | 83.33 | 83.33 | 57.58 | 67.99 | 57.00 | 66.66 |

76.49% with only one hardware component, namely "touchscreen" when we rank the hardware components with mutual information. With both Pearson's correlation coefficient and the T-test, we obtained the highest accuracy of 91.67% with seven hardware components, namely "action.NEW_PICTURE", "type.watch", "audio.low_latency", "biometrics", "moxx.mobility.android.hardwareplatform.firebaseinitprovider", "camera.ar" and "autofocus", and two components, namely "action.NEW_PICTURE" and "type.watch", respectively. We observe that in the case of hardware components, our proposed MCDM techniques provide the same accuracy as with Pearson's coefficient and the T-test. However, our model outperforms other statistical tests for permissions and intents.

6. Detection results on DATASET-2

The applications in DATASET-1 are dated from 2016 to 2022. In the following subsections, we discuss the results obtained by testing our proposed Algorithm 1 over a new and more recent dataset, i.e., 2000 malicious applications downloaded from Androzoo that were detected between 2021 and 2022. To check the efficiency of the three most commonly used features in the AndroidManifest file, we again perform three experiments, considering (1) permissions, (2) intents, and (3) hardware components, by applying the two MCDM techniques individually, but this time on DATASET-2. We discuss these results in upcoming subsections.

6.1. Detection results with TOPSIS

In this section, we discuss the detection results, i.e., the accuracy obtained from our proposed approach over DATASET-2 while using the rankings given by TOPSIS. Figs. 11–13 summarize the detection results when we consider permissions, intents, and hardware components for detection. We note that in the figures mentioned above, we do not mention the names of all the ranked features because the accuracy upon eliminating them lies within similar ranges to the mentioned ones.

6.1.1. Detection results with TOPSIS using permissions

Fig. 11 can be understood as follows. While simultaneously considering all permissions without using the TOPSIS ranking, we achieve 70.79% accuracy with the DT and RF classifiers. In the first iteration, on eliminating the least ranked permission named "INTERNET" from the DATASET-2, we observe that we get 71.75% accuracy. We call this the first iteration and move on to the next iteration when we eliminate the bottom two ranked permissions, i.e., "INTERNET" and "ACCESS_NETWORK_STATE" from DATASET-2. In this iteration, we obtain an accuracy of 72.33% with the RF classifier. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked permissions and repeat the entire procedure. The procedure is terminated when we observe a potential decrease in the detection accuracy. As shown in Fig. 11, we achieved the highest detection accuracy of 87.89% with BC classifier upon eliminating 123 permissions out of the total lot of 129, i.e., by considering only the top six permissions namely "UPDATE_APP_OPS_STATS", "USE_BIOMETRIC", "MAPS_RECEIVE", "READ_OWNER_DATA", "READ_USER_DICTIONARY", "SEND_DOWNLOAD_COMPLETED_INTENTS" and "QUERY_ALL_PACKAGES", the highest detection accuracy was achieved. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 87.89% when we apply the proposed Algorithm 1 to permissions.

6.1.2. Detection results with TOPSIS using intents

Next, we apply the proposed detection algorithm (Algorithm 1) with ranked intents using TOPSIS. The algorithm provides the best intents with higher accuracy as an output. Fig. 12 can be understood as follows. While considering all intents simultaneously without using the TOPSIS ranking, we achieve 65.35% accuracy with RF. In the first iteration, after eliminating the least ranked intent named "MAIN" from the DATASET-2, we observe that we get 65.97% accuracy with several machine learning classifiers. We call this the first iteration and move on to the next iteration when we eliminate the bottom two ranked intents, i.e., "MAIN" and "LAUNCHER" from the DATASET-1. In this iteration,


Fig. 11. Detection results with TOPSIS using permissions.

Fig. 12. Detection results with TOPSIS using intents.

Fig. 13. Detection results with TOPSIS using hardware components.

we obtain an accuracy of 67.05% with DT, RF, and NB classifiers. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked intents and repeat the entire procedure. The procedure is terminated when we observe a potential decrease in the detection accuracy. As shown in Fig. 12, we achieved the highest detection accuracy of 95.85% with RF classifier upon eliminating 33 intents out of the total lot of 79, i.e., upon considering only the top 46 intents, the highest detection accuracy can be achieved. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 95.85% when we apply the proposed Algorithm 1 to the intents.

6.1.3. Detection results with TOPSIS using hardware components

Next, we apply the proposed detection algorithm (Algorithm 1) with the hardware components ranked by TOPSIS. The algorithm provides the best hardware components with higher accuracy as an output. Fig. 13 can be understood as follows. While considering all the hardware components simultaneously without using the TOPSIS ranking, we achieve 65.39% accuracy with the BC machine learning classifier. In the first iteration, after eliminating the least ranked hardware component named "camera" from the DATASET-2, we observe that we get 66.45% accuracy with the BC classifier. We call this the first iteration and move on to the next iteration when we eliminate the bottom two ranked hardware components, i.e., "camera" and "Camera.autofocus" from the DATASET-2. In this iteration, we obtain an accuracy of 67.90% with the RF classifier. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked hardware components and repeat the entire procedure. The procedure is terminated when we observe a potential


Fig. 14. Detection results with EDAS using permissions.

Fig. 15. Detection results with EDAS using intents.

decrease in the detection accuracy. As shown in Fig. 13, we achieved the highest detection accuracy of 94.44% with DT, BC and RF classifiers upon eliminating 72 hardware components out of the total lot of 88, i.e., upon considering only the top 16 hardware components namely "faketouch.multitouch.jazzhand", "sensor.ambient_temperature", "sensor.heartrate.ecg", "sensor.relative_humidity", "type.automotive", "portrait", "BLUETOOTH_ADMIN", "sensor.heartrate", "sensor.ACCELEROMETER", "type.watch", …, "faketouch.multitouch.distinct", "touchscreen.multitouch.jazzhand", "camera.capability.manual_post_processing", "camera.capability.manual_sensor" and "READ_EXTERNAL_STORAGE", highest detection accuracy can be achieved. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 94.44% when we apply the proposed Algorithm 1 to hardware components.

6.2. Detection results with EDAS

In this section, we discuss the detection results, i.e., the accuracy obtained from our proposed approach over DATASET-2 while using the rankings given by EDAS. Figs. 14–16 summarize the detection results when we consider permissions, intents, and hardware components for detection. We note that in the figures mentioned above, we do not mention the names of all the ranked features because the accuracy upon eliminating them lies within similar ranges to the mentioned ones.

6.2.1. Detection results with EDAS using permissions

Fig. 14 can be understood as follows. While simultaneously considering all permissions without using the EDAS ranking, we achieve 70.79% accuracy with the DT and RF classifiers. In the first iteration, on eliminating the least ranked permission named "INTERNET" from the DATASET-2, we observe that we get 71.75% accuracy. We call this the first iteration and move on to the next iteration when we eliminate the bottom two ranked permissions, i.e., "INTERNET" and "ACCESS_NETWORK_STATE" from the DATASET-2. In this iteration, we obtain an accuracy of 72.33% with the RF classifier. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked permissions and repeat the entire procedure. The procedure is terminated when we observe a potential decrease in the detection accuracy. As shown in Fig. 14, we achieved the highest detection accuracy of 88.67% with DT classifier upon eliminating 120 permissions out of the total lot of 129, i.e., upon considering only the top nine permissions namely "READ_OWNER_DATA", "SEND_DOWNLOAD_COMPLETED_INTENTS", "WRITE_OWNER_DATA", "UPDATE_APP_OPS_STATS", "READ_USER_DICTIONARY", "DEVICE_POWER", "READ_SYNC_STATS", "RECEIVE_WAP_PUSH" and "RECEIVE_MCS_MESSAGE", the highest detection accuracy was achieved. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 88.67% when we apply the proposed Algorithm 1 to permissions.

6.2.2. Detection results with EDAS using intents

Next, we apply the proposed detection algorithm (Algorithm 1) with ranked intents using EDAS. The algorithm provides the best intents with higher accuracy as an output. Fig. 15 can be understood as follows. While considering all intents simultaneously without using the EDAS ranking, we achieve 65.35% accuracy with RF. In the first iteration, after eliminating the least ranked intent named "MAIN" from the DATASET-2, we observe that we get 65.97% accuracy with several machine learning classifiers. We call this the first iteration and move on to the next iteration when we eliminate the bottom two ranked intents, i.e., "MAIN" and "LAUNCHER" from the DATASET-2. In this iteration, we obtain an accuracy of 67.05% with DT, RF, and NB classifiers. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases


Fig. 16. Detection results with EDAS using hardware components.

Table 26
Compiled detection results (in %) on applying the proposed algorithm on DATASET-2.

| Feature ranking method used | Permissions: number used | Permissions: accuracy (in %) | Intents: number used | Intents: accuracy (in %) | Hardware components: number used | Hardware components: accuracy (in %) |
|---|---|---|---|---|---|---|
| TOPSIS | 06 | 87.89 | 46 | 95.85 | 16 | 94.44 |
| EDAS | 09 | 88.67 | 19 | 93.72 | 17 | 94.44 |
| No Ranking (All features used) | 129 | 70.79 | 79 | 65.35 | 88 | 65.39 |

from the previous iteration. Hence, we eliminate the bottom three ranked intents and repeat the entire procedure. The procedure is terminated when we observe a potential decrease in the detection accuracy. As shown in Fig. 15, we achieved the highest detection accuracy of 93.72% with DT classifier upon eliminating 60 intents out of the total lot of 79, i.e., upon considering only the top 19 intents namely "SEND_MULTIPLE", "webview", "MESSAGE_CLICKED", "MESSAGE_ARRIVED", "ELECTION_RESULT_V4", "DATE_CHANGED", "action", "BATTERY_CHANGED", "MEDIA_CHECKING", "COCKROACH", "PING_V4", "WALLPAPER_CHANGED", "ACTION_VIEW_DOWNLOADS", "NEW_OUTGOING_CALL", "SCREEN_ON", "HEART_BEAT", "HEADSET_PLUG", "FEEDBACK" and "MESSAGE", highest detection accuracy can be achieved. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 93.72% when we apply the proposed Algorithm 1 on intents.

6.2.3. Detection results with EDAS using hardware components

Next, we apply the proposed detection algorithm (Algorithm 1) with the hardware components ranked by EDAS. The algorithm provides the best hardware components with higher accuracy as an output. Fig. 16 can be understood as follows. While considering all the hardware components simultaneously without using the EDAS ranking, we achieve 65.39% accuracy with BC machine learning classifiers. In the first iteration, after eliminating the least ranked hardware component named "camera" from the DATASET-2, we observe that we get 66.45% accuracy with the BC classifier. We call this the first iteration and move on to the next iteration when we eliminate the bottom two ranked hardware components, i.e., "camera" and "Camera.autofocus" from the DATASET-2. In this iteration, we obtain an accuracy of 67.90% with the RF classifier. As discussed in Algorithm 1, we proceed to the next iteration whenever the detection accuracy increases from the previous iteration. Hence, we eliminate the bottom three ranked hardware components and repeat the entire procedure. The procedure is terminated when we observe a potential decrease in the detection accuracy. As shown in Fig. 16, we achieved the highest detection accuracy of 94.44% with DT, RF and BC classifiers upon eliminating 71 hardware components out of the total lot of 88, i.e., upon considering only the top 17 hardware components namely "faketouch.multitouch.jazzhand", "sensor.ambient_temperature", "sensor.heartrate.ecg", "sensor.relative_humidity", "type.automotive", "type.watch", "sensor.ACCELEROMETER", "BLUETOOTH_ADMIN", "portrait", "sensor.heartrate", "faketouch.multitouch.distinct", "touchscreen.multitouch.jazzhand", "moxx.mobility.android.hardwareplatform.firebaseinitprovider", "sensor.hifi_sensors", "camera.capability.manual_post_processing", "camera.capability.manual_sensor" and "READ_EXTERNAL_STORAGE", highest detection accuracy can be achieved. From the next iteration, we observe that the detection accuracy starts decreasing. Finally, we conclude that we obtain the highest accuracy of 94.44% when we apply the proposed Algorithm 1 to hardware components.

The compiled detection results when we apply the proposed algorithm to DATASET-2 are summarized in Table 26. From the table, we observe that we obtain the highest accuracy of 88.67% using nine permissions when we apply the proposed Algorithm 1 to the ranking formulated by EDAS. Similarly, the highest accuracy of 95.85% can be achieved using 46 intents when we apply the proposed Algorithm 1 to the ranking formulated by TOPSIS, whereas the ranking given by TOPSIS results in the highest detection accuracy of 94.44% using 16 hardware components. At the same time, when no feature ranking of any type is used and all features are fed to the classifiers at once, i.e., on simultaneously considering all permissions, intents, or hardware components, we observe that the highest detection accuracy obtained is merely 70.79%, 65.35%, and 65.39% respectively. Hence, in response to research question four, we conclude that TOPSIS' top-ranked 46 intents give the best detection accuracy of 95.85% in the case of the unknown dataset. We also conclude that the TOPSIS technique provides relatively better detection results than the ranking obtained using EDAS. The working of TOPSIS involves finding an alternative that is closest to the positive ideal solution and farthest from the negative ideal solution, whereas EDAS aims to find the deviation from the average point. Due to this reason, despite TOPSIS's and EDAS's numerous advantages, TOPSIS outperforms EDAS in terms of detection accuracy. In other words, if the data does not follow a normal distribution, EDAS might be less suitable, which is definitely not a pre-requisite for our irregularly distributed data. Hence, TOPSIS's better performance during the ranking of features is justifiable.
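
The rank-then-eliminate procedure used throughout Section 6, as an added example that is not the authors' code: features are ranked with TOPSIS, then the lowest-ranked ones are dropped, one more per iteration, until the accuracy falls. The two ranking criteria (frequency in malware as a benefit, frequency in benign apps as a cost), the equal weights, the memorising stand-in classifier and the small app sample are assumptions constructed here; only the permission names appear on the page.

```python
import math
from collections import Counter

S, R, A, I = "SEND_SMS", "READ_SMS", "ACCESS_NETWORK_STATE", "INTERNET"

# Constructed sample: (requested permissions, label) with 1 = malware, 0 = benign.
TRAIN = [({S, R, A, I}, 1), ({S, R, I}, 1), ({S, A, I}, 1), ({S, I}, 1),
         ({R, A, I}, 1), ({S, R, A}, 1),
         ({I}, 0), ({A, I}, 0), ({A, I}, 0), ({I}, 0), ({I}, 0), ({A, I}, 0)]
TEST = [({S, R}, 1), ({R, I}, 1), ({S, A}, 1), ({S, R, A, I}, 1),
        ({I}, 0), ({A, I}, 0), ({A}, 0), (set(), 0)]


def frequency_matrix(features, apps):
    """One row per feature: [share of malware using it, share of benign using it]."""
    mal = [perms for perms, label in apps if label == 1]
    ben = [perms for perms, label in apps if label == 0]
    return [[sum(f in p for p in mal) / len(mal),
             sum(f in p for p in ben) / len(ben)] for f in features]


def topsis_rank(features, matrix, benefit, weights=None):
    """Rank alternatives by relative closeness to the ideal solution (TOPSIS)."""
    n = len(benefit)
    weights = weights or [1.0 / n] * n
    # Vector-normalise each criterion column, then apply the weights.
    norms = [math.sqrt(sum(row[j] ** 2 for row in matrix)) or 1.0 for j in range(n)]
    v = [[weights[j] * row[j] / norms[j] for j in range(n)] for row in matrix]
    cols = list(zip(*v))
    # Positive ideal: best value per criterion; negative ideal: worst value.
    ideal = [max(c) if benefit[j] else min(c) for j, c in enumerate(cols)]
    anti = [min(c) if benefit[j] else max(c) for j, c in enumerate(cols)]
    scores = {}
    for name, row in zip(features, v):
        d_ideal, d_anti = math.dist(row, ideal), math.dist(row, anti)
        scores[name] = d_anti / (d_ideal + d_anti) if d_ideal + d_anti else 0.0
    return sorted(features, key=scores.get, reverse=True), scores


def accuracy(kept, train, test):
    """Stand-in classifier: memorise training vectors, majority vote per vector.
    Unseen or tied vectors are predicted benign (an assumption of this example)."""
    def vec(perms):
        return tuple(f in perms for f in kept)
    votes = Counter()
    for perms, label in train:
        votes[vec(perms)] += 1 if label else -1
    hits = sum((votes[vec(perms)] > 0) == bool(label) for perms, label in test)
    return hits / len(test)


def eliminate_bottom_ranked(ranked, train, test):
    """Drop 0, 1, 2, ... lowest-ranked features; stop at the first accuracy drop."""
    history, best_set, best_acc = [], list(ranked), -1.0
    for dropped in range(len(ranked)):
        kept = ranked[:len(ranked) - dropped]
        acc = accuracy(kept, train, test)
        history.append((dropped, acc))
        if acc < best_acc:
            break
        best_set, best_acc = kept, acc
    return best_set, best_acc, history


def run_example():
    features = [I, A, R, S]
    matrix = frequency_matrix(features, TRAIN)
    ranked, scores = topsis_rank(features, matrix, benefit=[True, False])
    return ranked, scores, eliminate_bottom_ranked(ranked, TRAIN, TEST)


if __name__ == "__main__":
    ranked, scores, (best_set, best_acc, history) = run_example()
    for name in ranked:
        print(f"{name:22s} closeness={scores[name]:.3f}")
    for dropped, acc in history:
        print(f"dropped bottom {dropped}: accuracy={acc:.3f}")
    print("selected:", best_set, "accuracy:", best_acc)
```

On the constructed sample, INTERNET and ACCESS_NETWORK_STATE rank last and are eliminated first, the same order Section 6.1.1 reports for the permission ranking.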


Table 27
Comparison of proposed work with the existing literature based on malware detection using permissions, intents or hardware components.

| Related work | Feature selection/Feature ranking technique used | Dataset size (Normal / Malware) | Detection accuracy (in %) |
|---|---|---|---|
| Wang et al. (2014) | Permissions ranking with Mutual Information, Correlation Coefficient and T-test | 310,926 / 4,868 | 94.62 |
| Li et al. (2018) | Permissions ranking based on frequency | 310,926 / 62,838 | 93.62 |
| Chaudhary and Masood (2023) | Chi-square as a feature reduction technique | 5065 / 426 | 96.4 |
| Mahindru and Sangal (2022) | Feature selection using Chi-square, Gain Ratio, Filtered Subset selection, Information feature, LR analysis, PCA | 5,00,000 | 98.2 |
| Arp et al. (2014) | Pattern analyzing via joint vector space | 123,453 / 5,560 | 94 |
| Feldman et al. (2014) | ML-based classification model | 307 / 307 | 90 |
| Arora et al. (2019) | Normal and malicious graphs of permission pairs | 7,533 / 7,533 | 95.44 |
| Talha et al. (2015) | Risk score calculated for each app | 1,853 / 6,909 | 88.28 |
| Shang et al. (2018) | Naive Bayes and Pearson Correlation Coefficient | 945 / 1,725 | 86.54 |
| Tchakounté et al. (2019) | Sequence alignment based similarity score | 534 / 534 | 79.58 |
| Khariwal et al. (2020) | Ranked features using Information gain | 1,414 / 1,714 | 94.73 |
| PHIGrader (Proposed Model) | Feature Ranking with Frequency-based TOPSIS method | 77,000 / 77,000 | 99.10 |

7. Discussion

In the upcoming subsections, we compare the performance of our proposed model with some existing works in the field of Android malware detection, followed by a discussion of a few limitations of our proposed approach.

7.1. Comparison with other related works

Table 27 compares the performance of our proposed model with some existing works in the field of Android malware detection that have used permissions, intents, or hardware components as features. As shown in the table, our work outperforms all these studies in terms of detection accuracy. If we take a closer look at some of the studies, we observe that researchers have in the past ranked the features based on frequency or with tests such as Mutual Information and Pearson Correlation Coefficient. Other studies have used ML-based feature selection techniques, whereas some authors have formed permission pairs for Android malware detection. Only three studies, Li et al. (2018), Arp et al. (2014) and Wang et al. (2014), have used a larger number of normal applications in their analysis than ours. However, the dataset size for malware apps is still relatively small. Moreover, our work outperforms them in terms of detection accuracy. Hence, our proposed model is better than many state-of-the-art techniques presented in the literature for Android malware detection.

7.2. Limitations

In this section, we elucidate a few limitations of the proposed approach. In simple words, our model aims to rank, and successfully ranks, features such as permissions, intents, and hardware components to detect Android malware without actually executing the code of an application; hence, the model falls under the category of static detection. Consequently, our model has the same shortcomings as any static detection model. Although static techniques prove to be quite efficient in terms of ease of feature extraction as well as in terms of expense, they still fall short when dealing with advanced malware behaviors such as code obfuscation and dynamic code loading. Application collusion is an emerging threat to Android-based devices that seems almost immune to static feature-based detection systems. In app collusion, two or more Android apps collude to perform a malicious action that they cannot accomplish independently. In this way, they perform malicious tasks without displaying malware behavior. As a result, some stealthier malware might evade the kind of detection proposed by our model. Hence, in our future work, we will work on combining the merits of dynamic analysis and some safe systems for colluding apps to offset the shortcomings of static analysis and form a much more efficient malware detection system. Additionally, some of the techniques in the literature have focused on Android malware family/category classification, such as Chakraborty et al. (2017), Elish et al. (2022), Fan et al. (2018), Sun et al. (2021), Li et al. (2024), Mercaldo and Santone (2021), Qiao et al. (2022) and Wu et al. (2022). In this work, however, we did not aim for malware family classification. Hence, we will aim to enhance the capabilities of our model in our future work by including malware family classification in addition to malware detection.

8. Conclusion and future work

In this study, we aimed to evaluate the efficiency of the top three most commonly used static features from the AndroidManifest file when used for Android malware detection. We first assigned weights to features based on their frequency difference in the malware and normal training datasets. Subsequently, we ranked the three weighted feature sets, i.e., permissions, intents, and hardware components, in order of preference by applying the TOPSIS and EDAS multi-criteria decision-making techniques. Finally, we proposed a novel algorithm to identify the best set of features and the best type of feature among them. Our experimental results indicate that intents rank first in terms of performance as a feature for Android malware detection. Furthermore, the results showed that TOPSIS, among the two proposed frequency-based MCDM techniques, gives an adequate detection accuracy of 99.10% with 46 intents. Moreover, our experiments indicate that the proposed frequency-based MCDM approach gives us better accuracy than the popularly used feature ranking methods such as Chi-square, Principal Component Analysis (PCA) and Entropy-based Category Coverage Difference (ECCD), and also better than other statistical tests such as Mutual Information, Pearson Correlation Coefficient, and T-test. In addition, we proved that our proposed method is better than many state-of-the-art techniques for Android malware detection in terms of detection accuracy. In our future work, we will address the limitations of static analysis by incorporating some dynamic analysis techniques. Additionally, we will aim to assess the effectiveness of the MCDM techniques across other tasks such as malware family detection.


Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Funding details

The first author received financial support from Council of Scientific and Industrial Research (CSIR), India with file no. (08/0133(15803)/2022-EMR-I) for conducting this research work.

CRediT authorship contribution statement

Yash Sharma: Writing – original draft, Software, Methodology, Investigation, Data curation, Conceptualization. Anshul Arora: Writing – review & editing, Validation, Supervision, Resources, Project administration, Formal analysis.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

Data will be made available on request.

Appendix A. Supplementary data

Supplementary material related to this article can be found online at https://doi.org/10.1016/j.jnca.2024.104021.

References

Alazab, M., 2015. Profiling and classifying the behavior of malicious codes. J. Syst. Softw. 100, 91–102.
Alecakir, H., Can, B., Sen, S., 2021. Attention: there is an inconsistency between android permissions and application metadata! Int. J. Inf. Secur. 1–19.
Ali, T., Khan, Y., Ali, T., Faizullah, S., Alghamdi, T., Anwar, S., 2020. An automated permission selection framework for android platform. J. Grid Comput. 18, 547–561.
AlJarrah, M.N., Yaseen, Q.M., Mustafa, A.M., 2022. A context-aware android malware detection approach using machine learning. Information 13 (12), 563.
Allix, K., Bissyandé, T.F., Klein, J., Le Traon, Y., 2016. Androzoo: Collecting millions of android apps for the research community. In: Proceedings of the 13th International Conference on Mining Software Repositories. pp. 468–471.
Altaher, A., 2017. An improved android malware detection scheme based on an evolving hybrid neuro-fuzzy classifier (EHNFC) and permission-based features. Neural Comput. Appl. 28, 4147–4157.
Anupama, M., Vinod, P., Visaggio, C.A., Arya, M., Philomina, J., Raphael, R., Pinhero, A., Ajith, K., Mathiyalagan, P., 2022. Detection and robustness evaluation of android malware classifiers. J. Comput. Virol. Hacking Tech. 18 (3), 147–170.
Appice, A., Andresini, G., Malerba, D., 2020. Clustering-aided multi-view classification: a case study on android malware detection. J. Intell. Inf. Syst. 55, 1–26.
Arora, A., Peddoju, S.K., Conti, M., 2019. Permpair: Android malware detection using permission pairs. IEEE Trans. Inf. Forensics Secur. 15, 1968–1982.
Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., Siemens, C., 2014. Drebin: Effective and explainable detection of android malware in your pocket. In: Ndss, vol. 14, pp. 23–26.
Arshad, S., Shah, M.A., Wahid, A., Mehmood, A., Song, H., Yu, H., 2018. Samadroid: a novel 3-level hybrid malware detection model for android operating system. IEEE Access 6, 4321–4339.
Bhat, P., Dutta, K., 2022. A multi-tiered feature selection model for android malware detection based on Feature discrimination and Information Gain. J. King Saud Univ.-Com. Inf. Sci. 34 (10), 9464–9477.
Chakraborty, T., Pierazzi, F., Subrahmanian, V., 2017. Ec2: Ensemble clustering and classification for predicting android malware families. IEEE Trans. Dependable Secure Comput. 17 (2), 262–277.
Chaudhary, M., Masood, A., 2023. RealMalSol: real-time optimized model for android malware detection using efficient neural networks and model quantization. Neural Comput. Appl. 35 (15), 11373–11388.
Dehkordy, D.T., Rasoolzadegan, A., 2021. A new machine learning-based method for android malware detection on imbalanced dataset. Multimedia Tools Appl. 80, 24533–24554.
Deypir, M., 2019. Entropy-based security risk measurement for Android mobile applications. Soft Comput. 23 (16), 7303–7319.
Elish, K.O., Elish, M.O., Almohri, H.M., 2022. Lightweight, effective detection and characterization of mobile malware families. IEEE Trans. Comput. 71 (11), 2982–2995.
Fan, M., Liu, J., Luo, X., Chen, K., Tian, Z., Zheng, Q., Liu, T., 2018. Android malware familial classification and representative sample selection via frequent subgraph analysis. IEEE Trans. Inf. Forensics Secur. 13 (8), 1890–1905.
Feldman, S., Stadther, D., Wang, B., 2014. Manilyzer: automated android malware detection through manifest analysis. In: 2014 IEEE 11th International Conference on Mobile Ad Hoc and Sensor Systems. IEEE, pp. 767–772.
Feng, P., Ma, J., Sun, C., Xu, X., Ma, Y., 2018. A novel dynamic android malware detection system with ensemble learning. IEEE Access 6, 30996–31011.
Firdaus, A., Anuar, N.B., Razak, M.F.A., Sangaiah, A.K., 2018. Bio-inspired computational paradigm for feature investigation and malware detection: interactive analytics. Multimedia Tools Appl. 77, 17519–17555.
Fushiki, T., 2011. Estimation of prediction error by using K-fold cross-validation. Stat. Comput. 21, 137–146.
Gharib, A., Ghorbani, A., 2017. Dna-droid: A real-time android ransomware detection framework. In: Network and System Security: 11th International Conference, NSS 2017, Helsinki, Finland, August 21–23, 2017, Proceedings 11. Springer, pp. 184–198.
Guerra-Manzanares, A., Bahsi, H., Nõmm, S., 2021. Kronodroid: Time-based hybrid-featured dataset for effective android malware detection and characterization. Comput. Secur. 110, 102399.
İbrahim, M., Issa, B., Jasser, M.B., 2022. A method for automatic android malware detection based on static analysis and deep learning. IEEE Access 10, 117334–117352.
Jaiswal, M., Malik, Y., Jaafar, F., 2018. Android gaming malware detection using system call analysis. In: 2018 6th International Symposium on Digital Forensic and Security. ISDFS, IEEE, pp. 1–5.
Kabakus, A.T., 2022. DroidMalwareDetector: A novel android malware detection framework based on convolutional neural network. Expert Syst. Appl. 206, 117833.
Kaithal, P.K., Sharma, V., 2023. A novel efficient optimized machine learning approach to detect malware activities in android applications. Multimedia Tools Appl. 1–18.
Keyvanpour, M.R., Barani Shirzad, M., Heydarian, F., 2023. Android malware detection applying feature selection techniques and machine learning. Multimedia Tools Appl. 82 (6), 9517–9531.
Khariwal, K., Singh, J., Arora, A., 2020. IPDroid: Android malware detection using intents and permissions. In: 2020 Fourth World Conference on Smart Trends in Systems, Security and Sustainability. WorldS4, IEEE, pp. 197–202.
Lee, S.-A., Yoon, A.-R., Lee, J.-W., Lee, K., 2022. An android malware detection system using a knowledge-based permission counting method. JOIV: Int. J. Inform. Vis. 6 (1), 138–144.
Li, J., Sun, L., Yan, Q., Li, Z., Srisa-An, W., Ye, H., 2018. Significant permission identification for machine-learning-based android malware detection. IEEE Trans. Ind. Inform. 14 (7), 3216–3225.
Li, Y., Yuan, D., Zhang, T., Cai, H., Lo, D., Gao, C., Luo, X., Jiang, H., 2024. Meta-learning for multi-family android malware classification. ACM Trans. Softw. Eng. Methodol.
Mahesh, P.S., Hemalatha, S., 2022. An efficient android malware detection using adaptive red fox optimization based CNN. Wirel. Pers. Commun. 126 (1), 679–700.
Mahindru, A., Sangal, A., 2021a. MLDroid—framework for Android malware detection using machine learning techniques. Neural Comput. Appl. 33 (10), 5183–5240.
Mahindru, A., Sangal, A., 2021b. SemiDroid: a behavioral malware detector based on unsupervised machine learning techniques using feature selection approaches. Int. J. Mach. Learn. Cybern. 12, 1369–1411.
Mahindru, A., Sangal, A., 2021c. FSDroid:-A feature selection technique to detect malware from Android using Machine Learning Techniques: FSDroid. Multimedia Tools Appl. 80, 13271–13323.
Mahindru, A., Sangal, A., 2021d. HybriDroid: an empirical analysis on effective malware detection model developed using ensemble methods. J. Supercomput. 77, 8209–8251.
Mahindru, A., Sangal, A., 2022. SOMDROID: Android malware detection by artificial neural network trained using unsupervised learning. Evol. Intell. 15 (1), 407–437.
Mercaldo, F., Santone, A., 2021. Formal equivalence checking for mobile malware detection and family classification. IEEE Trans. Softw. Eng. 48 (7), 2643–2657.
Nguyen, D.V., Nguyen, G.L., Nguyen, T.T., Ngo, A.H., Pham, G.T., 2022. Minad: Multi-inputs neural network based on application structure for android malware detection. Peer-to-Peer Netw. Appl. 1–15.
OS, J.N., et al., 2021. Detection of malicious android applications using Ontology-based intelligent model in mobile cloud environment. J. Inf. Secur. Appl. 58, 102751.
Papathanasiou, J., Ploskas, N., Papathanasiou, J., Ploskas, N., 2018. Topsis. Multiple Criteria Decision Aid: Methods, Examples and Python Implementations. Springer, pp. 1–30.
Python, W., 2021. Python. Python Releases for Windows. 24, Citeseer.
Qaisar, Z.H., Li, R., 2022. Multimodal information fusion for android malware detection using lazy learning. Multimedia Tools Appl. 1–15.


Qiao, Q., Feng, R., Chen, S., Zhang, F., Li, X., 2022. Multi-label classification for android malware based on active learning. IEEE Trans. Dependable Secure Comput.
Rahima Manzil, H.H., Naik, S.M., 2023. Android ransomware detection using a novel hamming distance based feature selection. J. Comput. Virol. Hacking Tech. 1–23.
Rana, M.S., Sung, A.H., 2020. Evaluation of advanced ensemble learning techniques for Android malware detection. Vietnam J. Comp. Sci. 7 (02), 145–159.
Rathore, H., Nandanwar, A., Sahay, S.K., Sewak, M., 2023. Adversarial superiority in android malware detection: Lessons from reinforcement learning based evasion attacks and defenses. Forensic. Sci. Int. 44, 301511.
Ravi, V., Chaganti, R., 2023. EfficientNet deep learning meta-classifier approach for image-based android malware detection. Multimedia Tools Appl. 82 (16), 24891–24917.
Razak, M.F.A., Anuar, N.B., Othman, F., Firdaus, A., Afifi, F., Salleh, R., 2018. Bio-inspired for features optimization and malware detection. Arab. J. Sci. Eng. 43, 6963–6979.
Seyfari, Y., Meimandi, A., 2023. A new approach to android malware detection using fuzzy logic-based simulated annealing and feature selection. Multimedia Tools Appl. 1–25.
Shabtai, A., Tenenboim-Chekina, L., Mimran, D., Rokach, L., Shapira, B., Elovici, Y., 2014. Mobile malware detection through analysis of deviations in application network behavior. Comput. Secur. 43, 1–18.
Shang, F., Li, Y., Deng, X., He, D., 2018. Android malware detection method based on naive Bayes and permission correlation algorithm. Cluster Comput. 21 (1), 955–966.
Sheen, S., Anitha, R., Natarajan, V., 2015. Android based malware detection using a multifeature collaborative decision fusion approach. Neurocomputing 151, 905–912.
Shrivastava, G., Kumar, P., 2022. Intent and permission modeling for privacy leakage detection in android. Energy Syst. 13 (3), 567–580.
Singh, L., Hofmann, M., 2017. Dynamic behavior analysis of android applications for malware detection. In: 2017 International Conference on Intelligent Communication and Computational Techniques. ICCT, IEEE, pp. 1–7.
Song, J., Han, C., Wang, K., Zhao, J., Ranjan, R., Wang, L., 2016. An integrated static detection and analysis framework for android. Pervasive Mob. Comput. 32, 15–25.
Su, X., Shi, W., Qu, X., Zheng, Y., Liu, X., 2020. DroidDeep: using deep belief network to characterize and detect android malware. Soft Comput. 24 (8), 6017–6030.
Sun, B., Takahashi, T., Ban, T., Inoue, D., 2021. Detecting android malware and classifying its families in large-scale datasets. ACM Trans. Manag. Inf. Syst. (TMIS) 13 (2), 1–21.
Sun, L., Wei, X., Zhang, J., He, L., Philip, S.Y., Srisa-an, W., 2017a. Contaminant removal for android malware detection systems. In: 2017 IEEE International Conference on Big Data (Big Data). IEEE, pp. 1053–1062.
Sun, J., Yan, K., Liu, X., Yang, C., Fu, Y., 2017b. Malware detection on android smartphones using keywords vector and SVM. In: 2017 IEEE/ACIS 16th International Conference on Computer and Information Science. ICIS, IEEE, pp. 833–838.
Taheri, R., Javidan, R., Pooranian, Z., 2021. Adversarial android malware detection for mobile multimedia applications in IoT environments. Multimedia Tools Appl. 80, 16713–16729.
Talha, K.A., Alper, D.I., Aydin, C., 2015. APK auditor: Permission-based android malware detection system. Digital Investig. 13, 1–14.
Tchakounté, F., Wandala, A.D., Tiguiane, Y., 2019. Detection of android malware based on sequence alignment of permissions. Int. J. Comput. 35 (1), 26–36.
Thiyagarajan, J., Akash, A., Murugan, B., 2020. Improved real-time permission based malware detection and clustering approach using model independent pruning. IET Inf. Secur. 14 (5), 531–541.
Varsha, M., Vinod, P., Dhanya, K., 2017. Identification of malicious android app using manifest and opcode features. J. Comput. Virol. Hacking Tech. 13, 125–138.
Wang, S., Chen, Z., Yan, Q., Yang, B., Peng, L., Jia, Z., 2019. A mobile malware detection method using behavior features in network traffic. J. Netw. Comput. Appl. 133, 15–25.
Wang, W., Gao, Z., Zhao, M., Li, Y., Liu, J., Zhang, X., 2018. DroidEnsemble: Detecting android malicious applications with ensemble of string and structural static features. IEEE Access 6, 31798–31807.
Wang, K., Song, T., Liang, A., 2016. Mmda: Metadata based malware detection on android. In: 2016 12th International Conference on Computational Intelligence and Security. CIS, IEEE, pp. 598–602.
Wang, W., Wang, X., Feng, D., Liu, J., Han, Z., Zhang, X., 2014. Exploring permission-induced risk in android applications for malicious application detection. IEEE Trans. Inf. Forensics Secur. 9 (11), 1869–1882.
Wang, H., Zhang, W., He, H., 2022. You are what the permissions told me! Android malware detection based on hybrid tactics. J. Inf. Secur. Appl. 66, 103159.
Witten, I.H., Frank, E., 2002. Data mining: practical machine learning tools and techniques with Java implementations. Acm SIGMOD Rec. 31 (1), 76–77.
Wu, Y., Dou, S., Zou, D., Yang, W., Qiang, W., Jin, H., 2022. Contrastive learning for robust android malware familial classification. IEEE Trans. Dependable Secure Comput.
Wu, Y., Li, M., Zeng, Q., Yang, T., Wang, J., Fang, Z., Cheng, L., 2023. Droidrl: Feature selection for android malware detection with reinforcement learning. Comput. Secur. 128, 103126.
Xie, N., Wang, X., Wang, W., Liu, J., 2019. Fingerprinting Android malware families. Front. Comput. Sci. 13, 637–646.
Yalçin, N., Nuşin, U., 2019. Applying EDAS as an applicable MCDM method for industrial robot selection. Sigma J. Eng. Nat. Sci. 37 (3), 779–796.
Yang, S., Zeng, Z., Song, W., 2022. PermDroid: automatically testing permission-related behaviour of android applications. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. pp. 593–604.
Yuan, W., Jiang, Y., Li, H., Cai, M., 2019. A lightweight on-device detection method for android malware. IEEE Trans. Syst. Man Cybern. 51 (9), 5600–5611.
Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X.S., Zang, B., 2013. Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. pp. 611–622.
Zhu, H.-j., Gu, W., Wang, L.-m., Xu, Z.-c., Sheng, V.S., 2023. Android malware detection based on multi-head squeeze-and-excitation residual network. Expert Syst. Appl. 212, 118705.
Zhu, H.-J., Jiang, T.-H., Ma, B., You, Z.-H., Shi, W.-L., Cheng, L., 2018. HEMD: a highly efficient random forest-based malware detection framework for android. Neural Comput. Appl. 30, 3353–3361.

Yash Sharma ([email protected]) is currently a doctoral student specializing in Android Security in the Department of Applied Mathematics at Delhi Technological University, Delhi, India. He holds a postgraduate degree in Mathematics from the same institution and has conducted research in Network Security as part of his academic work. He has published papers in the field of Android Security in SCI journals, including Multimedia Tools and Applications and the International Journal of Information Security (Springer).

Anshul Arora ([email protected]) is currently working as an Assistant Professor in the Discipline of Mathematics and Computing, Department of Applied Mathematics, Delhi Technological University Delhi, India. He has done his Ph.D. from the Department of Computer Science and Engineering, Indian Institute of Technology Roorkee, India. He has published several research papers in his field of expertise which are Mobile Security, Mobile Malware Detection, Network Traffic Analysis, and Blockchain. He is the reviewer of several renowned journals such as IEEE Transactions on Information Forensics and Security, IEEE Transactions on Computational Social Systems, Expert Systems with Applications, Computers & Security, etc.
