Received 24 September 2024, accepted 15 October 2024, date of publication 24 October 2024,

date of current version 27 November 2024.

Digital Object Identifier 10.1109/ACCESS.2024.3485706

A Survey on Android Malware Detection

Techniques Using Supervised
Machine Learning
SAFA J. ALTAHA , AHMED ALJUGHAIMAN , AND SONIA GUL
Department of Computer Networks and Communications, College of Computer Sciences and Information Technology, King Faisal University, Al-Ahsa 31982,
Saudi Arabia
Corresponding author: Safa J. Altaha ([email protected])
This work was supported by the Deanship of Scientific Research, Vice Presidency for Graduate Studies and Scientific Research, King
Faisal University, Saudi Arabia, under Grant KFU242126.

ABSTRACT Android’s open-source nature has contributed to the platform’s rapid growth and its widespread
adoption. However, this widespread adoption of the Android operating system (OS) has also attracted the
attention of malicious actors who develop malware targeting these devices. Android malware threatens users’
privacy, data security, and overall device performance. Machine learning (ML) plays a significant role in
malware analysis and detection because it can process huge amounts of data, identify complex patterns, and
adjust to changing threats. The purpose of this paper is to provide a comprehensive review of the existing
research on ML-based techniques used to detect and analyze Android malware. In this paper, the security
weaknesses in Android OS are explored and the reasons why these weaknesses do not exist in the iPhone
operating system (iOS) are discussed. Further, the authors examine the existing studies that have been
proposed by researchers and outlines their strengths and limitations. The findings reveal that the existing
researches utilize different ML models, features, and detection techniques, including static, dynamic, and
hybrid approaches. Moreover, directions for future research and potential areas that require more attention
and improvement in this field are highlighted.

INDEX TERMS Android, Android malware, malware detection, supervised machine learning.

I. INTRODUCTION passwords, these devices have become an appealing target for

In today’s interconnected world, mobile devices such as cybercriminals [1]. From 2009 to 2020, Android OS has been
smartphones and tablets have become an integral part of our identified as the most widely used OS on mobile devices,
daily lives. They have changed the way people communicate accounting for 72.95% of total usage worldwide. The iPhone
with others, access information, entertain themselves, and operating system (iOS) comes in second place with a usage
perform daily activities. Android, being one of the most percentage of 26.27%. Other OSs, such as Windows Mobile,
popular mobile operating systems (OSs), offers a wide range constitute the remaining 0.78% [2]. Figure 1 illustrates the
of features and applications that enhance productivity and distribution of different mobile device OSs usage. There is a
entertainment. As the popularity and ubiquity of Android substantial amount of malware targets the Android platform
devices continue to rise, so does the risk of malicious software since it is the most widely used OS [3]. Therefore, the
that targets these platforms. Android malware threatens users’ effective detection and mitigation of Android malware have
privacy, data security, and overall device performance. With become essential to ensure a safe and secure user experience.
the increasing prevalence of Android smartphones that store Malware can be defined as any software that intentionally
sensitive information like personal data, banking details, and executes malicious payloads on victim’s machines (com-
puters, smart phones, computer networks, etc) [4]. Android
The associate editor coordinating the review of this manuscript and malware can take various forms, such as viruses, worms,
approving it for publication was S. M. Abdur Razzak . spyware, ransomware, and Trojans. Once a device is infected,
2024 The Authors. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.
173168 For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/ VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
FIGURE 1. Percentage of usage of various mobile operating systems.
this can lead to data theft, unauthorized access, financial loss,
privacy breaches, and device malfunction. Malware exhibits
several key characteristics, including the ability to replicate,
propagate, self-execute, and corrupt computer systems. The
corruption of a computer system can have detrimental
effects on the integrity, confidentiality, and availability of
information. Replication is a critical feature found in many
types of malware, as it ensures its persistence and spread.
In certain malware instances, excessive replication can lead to
the depletion of computer resources, such as hard disk space
and Random Access Memory (RAM) [5].
Obfuscation is a technique employed by malware pro-
grammers to make their malicious code difficult to analyze
and comprehend. The primary objective of obfuscation is to
conceal the malicious behavior of the malware. By employing
obfuscation techniques, malware authors aim to obstruct
the efforts of security researchers, analysts, and antivirus
software in detecting and understanding the true nature and
intent of the malware [6]. Other types of malware can
be easily detected and eliminated using antivirus software.
These software solutions maintain a database of virus
signatures, which are unique binary patterns associated with
malicious code. When files are suspected of being infected,
they are scanned for the presence of any virus signatures.
This detection method was effective until malware authors
began creating polymorphic and metamorphic malware
variants. Polymorphic malware is designed to change its
code with each infection or execution, thereby making it
difficult for signature-based detection methods to identify
it. Metamorphic malware goes a step further by not merely
changing its appearance but also modifying its underlying
code structure with each iteration [7]. These types of
malware employ encryption techniques to evade signature-
based detection, thus making it more challenging for antivirus
software to identify and remove them [8]. Other detection
techniques, such as heuristic and behavior-based methods,
have become more apparent as they focus on identifying
suspicious behaviors and patterns rather than relying on
known signatures. Heuristic-based detection uses a set of
VOLUME 12, 2024
rules and patterns to identify potential malware, even if the
specific signature is not yet known. This method analyzes
the characteristics and actions of a program to determine
the presence of malicious behavior. In contrast, behavior-
based detection focuses on monitoring the runtime behavior
of a program to detect anomalies or suspicious activities.
By tracking and analyzing the program’s interactions with
the system, network, and other resources, behavior-based
detection can identify malware that signature-based detection
may fail to detect.
Machine Learning (ML) algorithms can significantly help
in classifying Android applications as malware or benign.
By using features and patterns within the applications,
ML algorithms can learn from labeled datasets and make
accurate predictions on unseen application samples [9].
In this paper, the authors present Android malware detection
techniques and present a systematic literature review (SLR)
of existing related works. Moreover, this paper proposes
future research directions and works that need to be explored
by the researchers. This research paper attempts to address
the following questions:
1) What are the vulnerabilities of Android OS in avoiding
malicious activities?
2) What are the security characteristics and weaknesses of
Google Play and App Store?
3) Which approaches are most frequently utilized by
researchers to detect malware in Android OS?
4) Which static features are mainly used by researchers to
detect malware in Android OS?
5) Which ML model is the most effective for detecting
malware in Android OS?
A. RESEARCH MOTIVATION
There is a pressing requirement for reliable, scalable,
and robust malware detection tools for Android devices,
as malware can compromise user privacy, steal sensitive
information stored on the device such as passwords and
bank data, and cause financial losses through activities, such
as identity theft or fraudulent transactions. By detecting
malware, users can maintain the security and integrity of their
personal information and mitigate potential harm.
The main motivation of this research study is to help
developers build effective malware analysis systems for
Android OS based on the identified research gaps and
shortcomings from recent works to efficiently detect mali-
cious applications, prevent cyber threats, protect users’ data,
and enhance overall cybersecurity. In addition, the aim is
to identify vulnerabilities and other security issues in the
Android platform and distinguish between the Google Play
Store and iOS App Store in the context of utilized approaches
for application review and security.
B. RESEARCH CONTRIBUTIONS AND RELATED REVIEWS
This paper aims to present an SLR of existing works related
to ML-based Android malware detection. The goal is to
provide a clear and comprehensive view of the state of
173169
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
Android malware detection using supervised ML models
in recent years. This paper first highlights the inherent
security weaknesses of the Android OS, which make it more
vulnerable to malware threats compared to other platforms,
such as iOS. Then, the security practices and policies applied
by the Play Store are discussed and compared with the
security measures taken by the App Store for iOS. The main
contributions of this paper are summarized below:
• Provide a guide for researchers to identify the vulnera-
bilities that may lead to system compromise in Android
OS and distinguish between Google Play Store and iOS
App Store application security and review process.
• The authors perform this SLR on ML-based techniques
for Android malware detection and categorize reviewed
papers based on the analysis approaches employed.
• Identify the static features that are impactful in analyzing
malware in Android OS more effectively.
• Identify the most effective ML model to detect malware
in Android OS.
• Finally, major findings and research gaps are highlighted
and future research directions in Android malware
detection using ML models are provided.
Several previous surveys and literature reviews have focused
on Android malware detection research. For example, Pan
et al. [10] provided a comprehensive SLR with a focus on
static analysis approaches for Android malware detection.
Their paper identified ML models and statistical models as
methods to be used for the detection of Android malware.
However, ML-based detection was not addressed as their
main focus and they merely reviewed static features-based
methods. Chowdhury et al. [11] reviewed a small number of
studies published from 2015 to 2023. They only summarised
the reviewed works, but the model accuracy and ML
models of those studies were not mentioned. Wang et al.
[12] provided a good systematic review, but their main
focus was only on deep learning models. Kouliaridis and
Kambourakis [13] presented a well-organized SLR paper
encompassing the three analysis approaches with a bias
toward approaches that used static analysis. Senanayake et al.
[14] conducted an extensive survey, covering over 100 studies
from 2016 to 2021. However, there is a lack of sufficient
background information.
To address the limitations of the related studies, the
authors present a survey of past studies that have utilized
the three main analysis approaches: static, dynamic, and
hybrid. Details regarding the methodologies, ML models, and
results of each of the reviewed papers are provided. Future
research directions to enhance this field are also highlighted.
In addition, a comprehensive background related to this field
is presented.
The remainder of this paper is organized in the following
manner: Section II presents the background related to
Android OS, malware analysis approaches, and techniques.
Section III describes the security model of Android OS and
the difference between Android and iOS in terms of security.
173170
Section IV provides the search strategy. Section V discusses
and compares the related studies. Section VI discusses and
highlights the major findings. Section VII presents directions
for future research. Section VIII discusses the threats to the
validity of this study. Finally, Section IX concludes this work.
FIGURE 2. The versions of android operating system.
II. BACKGROUND
A. EVOLUTION OF ANDROID OPERATING SYSTEM
The journey of Android has been marked by a series of key
milestones, each of which influence the overall platform’s
development. In this section, the authors present the evolution
of the Android OS, tracing its roots from the early days of
Android Inc. up to 2022. By examining the major Android
releases and the introduction of new features and capabilities,
a better understanding of the factors that have contributed to
Android’s rise is obtained. Android Inc. developed Android
OS in 2003. Subsequently, Google purchased it in 2005;
in November 2007, the first release was launched and
released [15]. Figure 2 presents the key milestones of Android
OS. The following points discuss the main features of each
milestone [16]:
• In September 2008, Android officially released Version
1.0. It included limited features, such as web browsing
and connection to an online email server.
• On April 27, 2009, Android 1.5 (Cupcake) was released.
It included the ability to record and playback videos,
copy and paste, post a movie to YouTube, and view
usage history.
• On September 15, 2009, the Donut version was released.
It had a few new features, such as voice and text entry
search, better camera access, and text-to-speech engine
support.
• On October 26, 2009, a new version named Eclair
was released. This included Microsoft Exchange email
support, Bluetooth 2.1, and SMS and MMS services.
VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
• On May 20, 2010, the Froyo version was released with
a few improvements related to speed, memory, and
performance optimization and support for the Android
Cloud to Device Messaging service.
• On December 6, 2010, the Gingerbread version was
released with a better user experience and user-friendly
interface, as well as support for Near Field Communica-
tion (NFC).
• The Honeycomb version was released on February 22,
2011, for the first Android tablet based on the Linux
kernel 2.6.36.
• On October 19, 2011, the Ice Cream Sandwich version
was released with multiple features, such as graphics
improvements, spell-checking, and improved camera
performance.
• On June 27, 2012, multiple improvements were made,
including 4K resolution support, a smoother user
interface, and multiple user accounts.
• On September 3, 2013, numerous new features were
included, such as wireless printing abilities, sensor
batching, screen recording capability, and improved
application compatibility.
• On November 12, 2014, big enhancements were made
including redesigning the user interface, improving
battery life, and support for multiple SIM cards.
• On May 28, 2015, a new version was released with a
few improvements, such as fingerprint reader support,
runtime permission requests, and USB-C connectivity.
• On March 9, 2016, a major version called Nougat was
released. It included yption abilities, support manager
APIs, screen zoom, multi-window support, battery usage
alerts, and more.
• On August 21, 2017, a new version was released that
included many features related to API, themes, and
notifications.
• On August 6, 2018, the Pie was officially released.
In this version, simple features were added, such as a
screenshot button, the battery percentage, and the clock
was shifted to the left of the notification bar.
• Android 10 was the first version to be released in
numerical order. On September 3, 2019, Android 10 was
launched. It could access location in the background,
perform authentication using fingerprint, and included
WPA3 Wi-Fi security.
• On September 8, 2020, a new Android version was
released and included simple features related to privacy
and security.
• On October 19, 2021, Android 12 was launched.
It included features related to user interface and system
services such as WindowManager and system server.
• On February 10, 2022, Android 13 was released. Many
functions were enhanced, including the ability to choose
which user can access which applications. To safeguard
privacy, none of the applications included any sensitive
information.
VOLUME 12, 2024
B. ANDROID ARCHITECTURE
Android OS is based on the Linux kernel and is developed
by Google. It is primarily designed for smartphones, tablets,
smartwatches. Figure 3 depicts the architecture of the
Android OS, which mainly consists of four layers based
on the needs of the device—Linux Kernel, Native Library,
Application Framework, and Applications; all layers work
with each other to ensure the system runs securely and
effectively. Applications in Android devices are executed
within Dalvik Virtual Machines (DVM), which are usually
written in Java programming language. While building
Android applications, a substantial amount of the code is
copied and pasted leading to spaghetti code, which implies
that this code is complex and difficult to understand and
maintain [17]. The responsibilities of each layer are listed
below:
FIGURE 3. Architecture of android operating system.
• The Linux kernel layer is the basic layer of the
architecture that is responsible for power, device, and
memory management. The developers do not interact
directly with this layer as it is responsible for the
underlying infrastructure.
• The native library layer contains libraries written
in C or C++ libraries. There are different libraries
that provide support in building user interface appli-
cation frameworks, drawing graphics, and accessing
databases. Android Runtime includes an environment
that enables the applications to be effectively exe-
cuted. Moreover, DVM includes a runtime feature
that is used during installation to compile the system
codes [18].
• At the heart of the application framework layer is
application programming interface (API) libraries, like
user interface, telephony, resources, locations, content
providers, and other APIs that are necessary for building
the system and developing daily-use applications, such
as the calendar and phone call [19]. This layer contains
173171
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
the most important components that are used to build the
applications:
1) View system for building the graphic components
of the application.
2) Activity manager responsible for user interaction
with applications.
3) Location manager to specify the user’s location
using GPS systems.
4) Telephony manager responsible for providing
calling ability.
5) Resource manager responsible for accessing lay-
out files and graphics.
6) Content provider for sharing data between applica-
tions in the devices.
7) Notification manager notifying the user of applica-
tion events [17].
• Applications are located at the top layer in the Android
OS. The users interact directly with this layer. It com-
prises third-party applications, such as home, contact,
short message service (SMS), games, and web browsers.
Most Android applications that are located in this layer
are written in Java or Kotlin programming languages
[2], [20].
C. ANDROID MALWARE HISTORY
The open nature of the Android platform is a significant factor
in the progression of Android malware. The open-source
model allows for OS modifications by manufacturers, thereby
making the source code vulnerable to attackers. Over the
years, the complexity and sophistication of Android malware
have increased, with cybercriminals developing increasingly
stealthy and harmful variants to target Android users.
Table 1 presents a summary of Android malware evolution
from 2010 to 2020.
In 2010, AndroidOS.DroidSMS.A emerged as the first
Android mobile malware. It took advantage of the newly
added SMS services and sent an SMS and charged the victim
without his/her knowledge. Tap Snake is a spyware that was
discovered in the same year. This malware can send the
device’s location data along with recorded phone conversa-
tions to a remote malicious server. In 2011, DroidDream was
discovered with the ability to root the victims’ devices to
steal users’ sensitive information [21]. Boker is another type
of Trojan that propagates via SMS; it automatically installs
once the user receives an SMS. In 2012, Opfake and Fakeinst
were the most prominent Android Trojans discovered by
Kaspersky. These types of malware use more sophisticated
techniques, such as drive-by downloads and updated attacks,
thus making it more difficult to detect and affect the victims’
devices. [21], [22]. FakeDefender is a type of ransomware
that was found in 2013. It displays fake information to prompt
users to buy fake security applications [23].
Thereafter, Obad malware was discovered. It enables
attackers to take the role of device administrator in the
background by exploiting zero-day vulnerabilities. Not-
Compatible. CA is a Trojan that recognizes emulated
173172
environments and sandboxes, which allows it to bypass
security measures. Acecard and 888.apk are banking Trojans
that were discovered in 2015. They steal victims’ data
related to their bank accounts and sniff banking transaction
packets during SMS alerts and transaction commands [21].
HummingBad targeted Android, as well as iOS. It is a rootkit
that steals sensitive information by installing malicious
applications in the background [24]. Two ransomware were
discovered in 2016, AndroidOS. Fusob and Xbot. They
steal banking account information and obtain remote access
to the device, demanding ransom. In 2017, super user
privilege was granted by the Ztorg rooting malware. In 2018,
a new backdoor called Chamois was discovered. It stole
the OAuth token. TimpDoor emerged in 2019 with the
ability to propagate rapidly; it infects Android victims via
SMS. Cerberus intercepts calls, whereas XHelper redirects
the user to fake websites and attempts to steal their
credentials [21], [23].
TABLE 1. Evaluation of android malware.
D. MALWARE DETECTION TECHNIQUES
A malware detection program is a computational function
that operates within a specific domain that comprises a
collection of application programs and a collection of
malicious and benign programs. Its purpose is to analyze
the programs within the programs set and determine whether
each program is benign (normal) or malware (malicious)
[5]. By examining the characteristics, behavior, or code of
each program, the detection program aims to accurately
classify them and identify any potential malware threats
within the domain. The malware detection process typically
involves three stages: malware analysis, feature extraction,
and classification. Malware analysis is an important process
that aims to understand the content and behavior of malicious
software. It involves examining and studying the malware
to ascertain its functionality, purpose, and potential impact.
VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
Once the malware has been analyzed, relevant features are
extracted to capture its distinguishing characteristics. These
features can be derived from various aspects of the malware,
such as its code, behavior, network communication, or file
structure. In the classification stage, ML or other classi-
fication algorithms are applied to categorize the malware
into different classes, such as benign or malicious. This
classification is based on the extracted features and patterns
observed during the malware analysis stage [4].
FIGURE 4. Malware detection techniques.
Based on Naseer et al. [25], malware detection techniques
can be categorized into different types, as depicted in
Figure 4. Below are the definitions of each type:
• Signature-based detection, also known as pattern match-
ing, involves comparing the characteristics or signatures
of known malware with the files or processes being
analyzed. In signature-based detection, scanner software
examines the information of a file and checks it against
a database of virus signatures. These virus signatures
are essentially specific patterns or sequences of code
that are characteristic of known malware. If a file’s
signature matches one in the database, it is flagged as
malicious [5].
An example of signature-based detection can be buffer
overflows. Because buffer overflows include shellcodes,
the strategy is to maintain a database of known malicious
shellcode patterns and alert if a shellcode is found in any
request [26].
• Anomaly-based systems in malware detection are
designed to identify any type of computer misuse
that deviates from the normal activities of a computer
system. In contrast, signature-based systems detect
malware based on specific patterns or fingerprints
stored in their databases. Anomaly-based systems detect
malicious software by monitoring system activities and
classifying them as either normal or abnormal based on
predefined criteria. This approach enables the detection
of novel or unknown threats that do not have specific
signatures, thereby making it a valuable technique in
identifying new and emerging malware [5].
For example, a credit card company uses anomaly-based
detection to monitor credit card usage patterns by
customers. When a customer makes an unusually large
purchase or a purchase in a new location, the algorithm
identifies this anomaly and sends an alert to contact the
customer.
• Behavior-based detection examines the behavior of the
program using certain monitoring tools and classifies
VOLUME 12, 2024
the program as malware or benign. Even though
the program’s code is being modified, the program’s
behavior is mostly the same. Hence, most of unknown
malware is detected using this method [4]. However, it is
worth mentioning that certain malware binaries may not
function correctly within a protected environment due to
anti-analysis techniques [27]. Thus, there is a possibility
of misclassifying malware samples as benign in such
cases.
While behavior-based and anomaly-based detection
share a common focus on system behavior, the key
difference is the reference point. Behavior-based detec-
tion looks for patterns that are characteristic of known
malware, while anomaly-based detection identifies devi-
ations from normal, expected behavior [28].
• Heuristic-based detection uses rules, algorithms, or pat-
terns to identify potential malware based on general
characteristics or behaviors exhibited by malicious
software. For example, if a user or program attempts
to remove files that are needed by the OS, it could be
malicious [29].
This technique makes educated guesses regarding the
presence of malware when specific signatures are not
available. Heuristic-based techniques primarily leverage
ML and data mining strategies in the context of malware
detection [25].
• Statistical-based detection relies on the application
of statistical and mathematical techniques to analyze
system activities, such as network connections, memory
usage, system calls [5]. In addition, it considers sta-
tistical metrics, such as the median, mean, mode, and
standard deviation. For example, it is expected to initiate
a TCP connection with one or a few TCP SYN packets.
If a host sends a hundred TCP SYN packets in a short
period, it may be considered a malicious activity.
Statistical-based detection analyzes large volumes of
data—such as network traffic, system logs, and user
behavior—to identify patterns and anomalies. In con-
trast, heuristic-based detection relies on a set of
predefined rules or patterns [28], [30].
Table 2 presents the advantages and disadvantages of
these approaches. The detection of malware continues to
introduce challenges due to its inherent complexity both in
theory and practice. Malware creators apply sophisticated
techniques, including obfuscation, to make the detection
process highly challenging. Consequently, the ability to
effectively detect malware remains a significant problem in
the field of cybersecurity [4], [6].
E. APPROACHES TO MALWARE ANALYSIS
Static, dynamic, and hybrid analysis are the most commonly
used techniques in Android malware detection. Static analy-
sis involves examining the code and resources of an Android
application without directly executing the program. It is
applied by analyzing the AndroidManifest.xml file, smali
173173
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
TABLE 2. Comparison of malware detection techniques.
files (which contain the application’s bytecode), and a set of
static features, such as permissions, API calls, and Dalvik
opcode (which contains low-level bytecode instructions to
be executed by Android’s virtual machine called Dalvik).
These artifacts can be obtained by decompiling the APK
files. This approach offers several advantages, including
shorter analysis time and lower computational requirements
compared to dynamic analysis methods. By using static
features, it becomes possible to quickly assess the appli-
cation’s security and detect known malware signatures or
common patterns. However, it may be less effective in
detecting sophisticated malware that relies on dynamic
behavior [31], [32].
Further, dynamic analysis involves executing the applica-
tions and observing their behavior in real time. It also involves
executing applications directly on a real device or within a
sandbox environment. This method focuses on monitoring
the behavior of the application during run-time. By running
the application, analysts can observe its interactions with the
device, network, and user data. They capture logs and analyze
the network traffic generated by the application. While
dynamic analysis offers a more comprehensive understanding
of an application’s behavior, it can be more time-consuming
and computationally demanding compared to static analysis.
Nevertheless, it is highly effective in detecting sophisticated
malware that employs evasion techniques or exhibits mali-
cious behavior only at run-time [31], [33].
In hybrid analysis, to enhance the overall analysis,
the malware is initially examined using static analysis
techniques, followed by a dynamic analysis approach. This
two-step process involves analyzing the malware’s code
and structure without execution (static analysis) and then
executing the malware and observing its behavior in a
controlled environment (dynamic analysis). By combining
both static and dynamic analysis, a more comprehensive
173174
analysis of the malware is achieved [34], [35]. Table 3
presents the differences between static, dynamic, and hybrid
malware analysis in the context of their advantages and
disadvantages.
TABLE 3. Comparison between android malware analysis approaches.
III. EXPLORING THE SECURITY WEAKNESSES OF
ANDROID
The Android security model relies highly on permission-
based mechanisms to control access to sensitive resources and
user data. Before installing an app, users are presented with
a list of permissions that the application requires; they can
choose to grant or deny those permissions. The developers
have to declare all the required permissions for the application
in the AndroidManifest.xml file to be granted by the users.
This mechanism ensures that applications have access
only to the resources they genuinely need. The requested
permission helps users prevent applications from misusing
resources, but users often have little knowledge to determine
whether granting permission is harmful [36]. For example,
requesting network access, including Wi-Fi and sending short
messages, is common for many legitimate applications, but
certain malware may exploit these permissions to perform
malicious activities, such as stealing bandwidth or sensitive
information. Therefore, determining whether an application
is malicious solely based on its permission requests can be
challenging for users.
In Android, permissions are categorized into two main
levels: normal permissions and dangerous permissions [37].
Normal permissions are considered low-risk permissions that
grant access to certain resources or capabilities that are not
sensitive by nature. Examples of normal permissions, include
accessing the network state, accessing the device’s vibration
feature, or accessing the device’s battery statistics. Dangerous
permissions are considered high-risk permissions that involve
accessing sensitive user data or performing potentially
harmful actions. When an application requests dangerous
VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
permission, the user is explicitly prompted to grant or deny
the permission during the installation process or at run-
time. Examples of dangerous permissions include accessing
the user’s contacts, reading short messages, and accessing
the device’s camera [38], [39]. These permission groups
are organized based on a device’s capabilities or features.
Tables 4 and 5 provide two lists of normal and dangerous
permission groups along with their associated permissions
[37]. The normal permissions table lists permissions that
are generally considered low-risk, such as setting alarms,
changing wallpapers, and managing Bluetooth connections.
These permissions are automatically granted to applications
during installation without the user’s explicit consent. The
dangerous permissions table includes more sensitive permis-
sions, such as accessing the microphone, contacts, calendar,
and SMS/MMS messages. These permissions have a higher
potential for privacy and security risks, and applications
must explicitly request them from the user, who can choose
either to grant or deny them. Understanding these permission
groups is important for both developers and users to ensure
that applications are using only the necessary permissions
and that users are aware of the potential impacts of granting
specific permissions to an application.
TABLE 4. List of some normal android permissions.
TABLE 5. List of some dangerous android permissions.
There are security aspects associated with Android OS
that make it more vulnerable compared to iOS. Android’s
VOLUME 12, 2024
open-source nature enables developers to modify and
enhance the code, thereby fostering a vibrant ecosystem of
third-party applications and innovations [40]. This openness
has contributed to the platform’s rapid growth and widespread
adoption, making it a dominant force in the mobile market.
Android users download over 1.5 billion applications and
games from Google Play each month [40]. However, this
widespread adoption of the Android OS has also attracted
the attention of malicious actors who develop and distribute
malware that specifically targets these devices. Below are
weaknesses found in Android OS and a discussion of why
these weaknesses do not exist in iOS:
• For Android OS, an extra antivirus program needs to
be installed to avoid malware effects on the mobile,
particularly for applications downloaded from sources
other than Google Play [41]. Using external sources
increases the risk of malicious applications that convert
developed software into viruses. On the other hand,
iOS users do not need to install any antivirus solutions
because the only place to get applications is the App
Store and everything on the App Store is carefully
checked to ensure it does not contain any malicious
code [41].
• For accepting and releasing an application on the
App Store, iOS developers are required to register
with Apple. Apple has a licensing agreement in place,
which involves testing each application submitted by
third-party developers for any privacy or security
violations. If the application complies with the licensing
agreement and does not violate any privacy or security
guidelines, it is accepted, digitally signed, and made
available for download on the App Store. Similar
to Apple, Google Play also requires applications to
be digitally signed. However, the process of digitally
signing an application for Android is different. In con-
trast to Apple, developers do not have to register
with Google Play or obtain signing certificates issued
by Google. Android developers can create as many
signing certificates as they need for their applications
without being monitored by Google. They are not
required to obtain signing certificates directly from
Google or undergo a registration process. To distribute
their applications through Google Play, developers are
required to pay $25 using credit cards. This fee serves
as a verification process and helps ensure a certain level
of accountability for application submissions. However,
there is a possibility that attackers use stolen credit cards
to pay and distribute malicious applications [42], [43].
• For storing application data, devices can use either
built-in or external memory. For Android, users can use
both. This raises a few security issues and makes it
difficult for the applications to access the data, which
leads to slow processing. From a security perspective,
having both built-in and external memory can increase
the attack surface for potential threats. Data stored in
external memory is more vulnerable to viruses and
173175
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
unauthorized access compared to built-in memory. This
can cause risks if sensitive information is stored on the
external storage [44], [45].
• Android applications can be downloaded from Google
Play and other unknown sources. In contrast, iOS
applications can only be downloaded from the App
Store, which forces the applications to undergo various
security checks. For Android, the ability to download
applications from sources other than the official Google
Play Store leads to security risks, as applications down-
loaded from unknown sources may contain malware,
spyware, or other forms of malware that can compromise
user data [42], [45].
• In Android, the permission system is designed to provide
users with control over the access that applications have
the resources. In iOS, users are generally not directly
involved in granting or denying individual permissions
to applications during the installation process [42], [46]
Table 6 summarizes the differences between Android OS and
iOS based on a security perspective.
TABLE 6. Comparison of security between android and iOS.
IV. SEARCH STRATEGY
In this section, the authors describe the methodology used to
guide this study—such as the search string, data sources, and
inclusion criteria for the relevant papers.
A. DATA SOURCES
Various research data sources were used to explore the
relevant research papers, as listed in Table 7. Google Scholar
and IEEE Xplore offer a huge amount of literature, including
articles, theses, books, conference papers, and preprints from
various disciplines and sources. IEEE Xplore is a leading
digital library specifically focused on engineering, com-
puter science, and technology-related research. ResearchGate
offers a Q&A feature and discussion forums on which
researchers can ask questions, seek advice, and engage
173176
in topic-specific discussions. However, it only displays a
maximum of 100 results per search.
TABLE 7. Data sources.
B. SEARCH STRING
These sources are used to search for existing literature,
using keywords and certain boolean operators such as
‘‘Android malware analysis,’’ (‘‘Android malware detection’’
AND ‘‘Machine learning’’) and (‘‘Malware in Android’’
AND ‘‘supervised learning’’). Each platform offers valuable
resources and provides a variety of logical tools that facilitate
the search process.
C. INCLUSION CRITERIA AND SCREENING PROCESS
This review is guided by the PRISMA flow diagram.
PRISMA is an abbreviation for Preferred Reporting Items for
Systematic Reviews and Meta-Analyses used for a new type
of systematic review that focuses on conducting searches of
databases and registers.
FIGURE 5. Selection of papers by PRISMA.
The inclusion criteria was that publications needed to have
a direct focus on Android malware and ML classifiers and
related techniques. In addition to relevance, a few more
criteria were considered for inclusion, such as research papers
published from 2017 to 2024 years and only research papers
written in English were considered. The selection process
of papers by PRISMA is illustrated in Figure 5. The iden-
tification process involved searching multiple data sources,
including Google Scholar, ResearchGate, and IEEE Xplore.
VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
A total of 18,650 records were identified from Google
Scholar, 100 from ResearchGate, and 926 from IEEE Xplore.
Before the screening stage, 15,612 duplicate records were
omitted, along with 3,612 records omitted for other reasons,
such as very long text, paid or access-restricted papers, and
the study not matching the predetermined publication types
like book chapter. After screening, 410 records remained,
of which 213 were excluded. From the remaining 197 reports
sought for retrieval, 65 reports were not retrieved. Papers not
relevant to Android malware and ML, as well as documents
written in foreign languages, were deleted; moreover, a few
papers were excluded because the full text was not available.
Finally, 40 papers were selected.’’
V. RELATED LITERATURE
In recent years, extensive research has been conducted
on analyzing and detecting mobile malware. Security ven-
dors and researchers commonly employ three methods for
extracting features from mobile applications: static analysis,
dynamic analysis, and hybrid analysis (a combination of
static and dynamic approaches). This section provides a
discussion on the recent related studies to the detection
approaches which include static, dynamic, and hybrid
analyses.
A. STATIC ANALYSIS
Bourebaa and Benmohamed [47] presented a model that
used DL algorithm. They incorporated features such as
permissions and APIs, and they were able to develop
an automated and efficient method for detecting Android
malware. Their approach yielded a detection accuracy of
88.9%. They used fully connected neural networks (NNs)
as an ML model. It consists of neurons organized in
interconnected layers. The first layer receives the input and
the hidden layers and the last one produces the desired result.
The author used 512 neurons in the input layer, 8 neurons
in the hidden layer, and 3 output nodes that produced the
result.
Dhalaria and Gandotra [48] proposed an effective frame-
work that combines static features and utilizes ML classifiers.
Three types of static features were extracted: API calls,
permissions, and intents. API calls were extracted from
classes.dex, while permissions and intents were extracted
from AndroidManifest.xml. The results from the test indicate
that the combination of features outperforms individual
features. Additionally, it was found that random forest
(RF) and k-nearest neighbors (K-NN) classifiers achieve the
highest accuracy.
Lee et al. [31] investigated the impact of using genetic
algorithms and information gain on the performance of
malware detection systems. Moreover, the authors compared
the performance and the time taken to build the model for
each feature selection method. They found that the genetic
algorithm achieved better accuracy; however, it consumed
more time.
VOLUME 12, 2024
Arslan et al. [49] introduced a static-based methodology
to distinguish between malicious and benign applications.
The core of this approach is assessing the permissions
requested by applications in their ‘AndroidManifest.xml’
files and determining how many of these permissions are used
in the source code. Applications that request unnecessary
permissions, which are not essential for their functionality,
are categorized as risky and a suspicion value is assigned
to them. Consequently, applications with suspicion values
higher than a pre-determined mean value are classified as
malicious applications.
Akbar et al. [50] proposed a malware detection system
based on the permission requested by the applications.
To enhance the classification of malware, additional metrics
such as permission rate and smali size are collected for
both benign and malware training datasets. They applied the
genetic algorithm to the malware detection approach to obtain
the most optimized features and efficient approach. The pro-
posed approach comprises three modules—data preparation,
decoding the AndroidManifest.xml, and classification; each
module contains several steps. They concluded that feature
selection reduces the compute complexity.
Gao et al. [51] proposed Android malware detection
and family classification based on the graph convolutional
network (GCN). First, they extracted the frequency and
patterns of API usage within the applications. Then, they
performed API embedding. This process represents the APIs
as numerical vectors, where each API is assigned a unique
vector representation. Thereafter, they measured the distance
or similarity between API embeddings. APIs that are used in
similar contexts or exhibit similar patterns of co-occurrence
will have smaller distances between their embeddings. Next,
applications and APIs are mapped into a heterogeneous
graph, and ‘‘App-API’’ and ‘‘API-API’’ edges are built.
Finally, the GCN model is trained and unlabeled applications
are classified.
Sangal and Verma [52] used CICInvesAndMal2019 as
a dataset and extracted Android permissions and intent
as a feature set for malware detection. The features were
selected based on the principal component analysis (PCA)
reduction technique. The implementation of the feature
reduction technique revealed that it is possible to achieve
higher accuracy in detection, while minimizing processing
overhead. By reducing the number of features used in the
detection process, the computational resources required for
analysis and classification decreased.
Balcioglu [53] proposed a method for malware analy-
sis and detection. This method involved examining static
attributes including manifest permissions, API call signa-
tures, intent filters, command signatures, and binaries. Naive
Bayes, K-NN, and multiLayer perceptron are the ML models
that were used in this work for training and validation along
with a method called PCA, which is used to reduce the
number of attributes required to accurately characterize each
app. The conducted experiment revealed that multiLayer
173177
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
perceptron has the highest level of accuracy, but requires
a long time for training compared to other ML models
used in this experiment. Moreover, Balcioglu concluded that
the two attributes that distinguish malware from benign
applications are the feature to read phone attitude and the
Internet.
Yumlembam et al. [54] proposed malware detection
for applications in Android-based IoT devices. For the
classification, they used graph NNs, which is a type of DL that
provides graph-based classification. They used permission
and intent features for training and testing.
Li et al. [55] presented a method to identify malware
applications in Android devices using static analysis and
that is based on program genes. Program gene refers to the
smallest unit within a program in which the static components
are dynamically expressed. These genes are composed of
short sequences of assembly instructions that are designed
to perform particular tasks or fulfill specific functions. They
enable modularity and reusability in programming. After
extracting the program gene, the authors used the information
gain method for feature selection. Following this, they
employed the Word2Vec technique to express the semantic
abstraction of the selected features. Finally, these selected
features are used in the training and testing.
Khariwal et al. [56] presented a static technique for
detecting Android malware by extracting intents and per-
missions. Initially, the permissions and intents were ranked
using the information gain method. Subsequently, the goal
was to identify the optimal combination of permissions and
intents that could yield improved accuracy by employing
various ML algorithms. The experimental results confirmed
that the proposed approach of combining permissions and
intents yielded higher detection accuracy compared to using
permissions or intents alone.
Smmarwar et al. [57] proposed a framework that provides
a secure and sustainable environment for malware detection.
They used permissions, intents, and API as the static features
to classify the Android application. The proposed model
performed accurately in malware detection; in contrast,
it achieved an accuracy of less than 85% for malware family
classification.
Elayan and Mustafa [58] presented a model for Android
malware detection using a gated recurrent unit which is a type
of DL. They extracted two static features, Permission and
API calls, from applications. First, the authors compared the
performance of multiple ML models, such as support vector
machine (SVM), decision tree (DT), and RF. They compared
the result of these models to a gated recurrent unit that
contains three blocks. They concluded that DL outperforms
the traditional ML models.
Kesani [59] aimed to test the performance of different ML
models, including K-NN, Gaussian Naïve Bayes, SVM, DT,
RF, logistic regression, and sequential neural network (SNN).
The author utilized only permission features to detect the
presence of malware in Android applications. SNN achieved
173178
the highest accuracy of 98.82% and the Gaussian Naive Bayes
model obtained the lowest accuracy.
Mahindru et al. [60] introduced a feature selection
framework that is based on univariate logistic regression
and multivariate linear regression. Then, the relevant features
are used as input to six ensemble ML techniques, which
are gradient descent with momentum (GDM), gradient
descent method with adaptive learning rate (GDA), levenberg
marquardt (LM), quasi-newton (NM), gradient descent (GD),
and deep neural network (DNN). The authors utilized
permission and API calls for detecting Android malware.
They obtained an accuracy of 98.8%.
Odat and Yaseen [61] contributed by extracting a new
dataset that based on three datasets, which are Drebin,
Malgenome, and MalDroid2020. To evaluate the proposed
model, multiple ML models were used and compared based
on their accuracy. Permission and API calls were extracted
from the APK file using APKtools and then fed into the ML
models. The results revealed that the RF model outperformed
other ML models.
Aamir et al. [62] proposed a novel deep learning approach
for Android malware detection that used CNN as a classifica-
tion method. The authors converted the APK file information
into a two-dimensional image representation because CNN
performs better with visual data. Because the dataset is
imbalanced, the use of oversampling or undersampling
techniques is required, but the authors did not discuss the use
of these techniques or how the dataset was balanced.
Alhussen [63] leveraged long short-term memory (LSTM)
and NN for detecting malware in Android applications. Due
to the imbalanced dataset, the author applied the synthetic
minority over-sampling technique to balance the number of
benign and malware samples. The result revealed that LSTM
outperformed NN.
B. DYNAMIC ANALYSIS
Hashem El Fiky et al. [64] proposed an ML approach for
the dynamic analysis of Android malware for detecting and
identifying Android malware categories. The major dynamic
characteristics that were extracted in these approaches are
network, memory, battery, logcat, and process. The authors
used many ML models and compared their accuracy and
effectiveness. In the result, they noted that the best classifier
is RF which achieves over 96% accuracy.
Abuthawabeh [1] presented a supervised-based model that
can enhance the adepth and accuracy of the malware detection
process. He used three feature selection algorithms—RF,
recursive feature elimination (RFE), and LightGBM. Next,
three ML algorithms were selected for evaluation: DT,
RF, and extra-trees. Finally, a comparison among these
algorithms was made. The result revealed that the Extra-trees
classifier had achieved the highest weighted accuracy per-
centage among the other classifiers by 87.75% for malware
detection.
VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
Further, Zulkifli et al. [65] presented a detection technique
based on network traffic for Android OS. In this technique,
an application of packet capture, such as tpacketcapture, was
run during the execution of the tested sample to capture
the network traffic generated by the samples. Thereafter, the
behavior of the samples was then analyzed. The captured
file was sent to Wireshark software to be analyzed. Some of
the network traffic features that were extracted and analyzed
from the running tested application are average packet size,
ratio of incoming to outgoing bytes, average number of bytes
received per second, and average number of bytes sent per
flow.
Mahindru and Sangal [66] proposed a framework that
detects malware from Android applications by performing
dynamic analysis. Their model is trained by using the
dynamic behavior of real-world applications that were
collected from different promised repositories and the
experiment was performed on over 500,000 Android appli-
cations. They explored four types of ML models that are
not widely used, which are the farthest first clustering,
nonlinear ensemble decision tree forest approach, multilayer
perceptron and DL algorithm. They extracted features from
the tested application while running them in an emulator.
Each application is represented as an 1844-dimensional
Boolean vector, where ‘‘1’’ implies that the application
requires the specified features and ‘‘0’’ implies that features
are not required.
Thangavelooa1 et al. [67] provided a dynamic analysis
technique in Android malware detection called DATDroid.
Five dynamic features including system calls, system call
process errors and time, CPU usage, memory, and network
packets are extracted. A few sub-features are extracted
from each main feature; for example under system calls,
there are a few sets of features, such as errors, total calls,
total errors, and so on. Numerous tools were used in this
project to extract the required features. For example, for
Android Debug Bridge, shell is used to collect the CPU
usage during execution and Tcpdump is used to capture the
network packets while the applications are running on the
virtual machine. Moreover, Wireshark is used to analyze
the captured traffic. The experimental results in this project
achieved an overall accuracy of 91.7%, with lower false
positive rates compared to the benchmarked method.
Wang et al. [68] introduced a lightweight method that
combines dynamic analysis and ML that and capable of
identifying Android malware. The proposed method can
effectively identify malicious network behavior by analyzing
network traffic. It focuses on analyzing hypertext transfer
protocol (HTTP) requests and transmission control protocol
(TCP) flows to determine if an application is malicious.
Furthermore, it provides clear indications regarding the
specific malware family to which the application belongs.
Additionally, the method offers a detailed explanation for its
findings.
VOLUME 12, 2024
Bibi et al. [69] proposed a technique that is designed
to specifically detect sophisticated Android malware. The
authors used a gated recurrent unit which is a type of DL.
They evaluated the performance of their technique using
standard performance metrics as well as by comparing it to
other similar works. They concluded that the efficient and
timely detection of their technique aids in mitigating and
ceasing attacks
Bhati and Kaushal [70] proposed an approach that extracts
all the system calls made by the application during the run
time. Then, all the collected system calls are analyzed in
order to classify the application as malware or benign. The
approach was implemented using DT and RF. Moreover, they
compared these models in terms of accuracy; RF achieved a
better accuracy level than DT.
Haidros and Naik [71] presented a framework consisting of
three modules. In the first module, they used the Monkey tool
to extract the dynamic features from an application. Then,
the second module involved selecting only the important
features using the Chi-square method to train and detect the
applications. The last module responsible for the detection
of the malware used seven different ML models. They
compared the performance of these models and concluded
that AdaBoost had the best accuracy level.
Xiong and Zhang [72] argued that the existing approaches
with a single ML model have limitations in generalizing
among multiple malware behaviors. Hence, they proposed
a multimodel approach that combines logistic regression,
DT, and K-NN. The authors utilized dynamic features such
as TCP packet information. Their experiment revealed that
integrated models outperform single models.
C. HYBRID ANALYSIS
García et al. [73] proposed a new tool for the extraction of
both static and dynamic features from Android applications
for malware detection. This tool performs code inspection in
order to retrieve a wide set of characteristics and processes
all the information collected. The features utilized are
organized into three different categories (pre-static, static,
and dynamic). Pre-static features include information that
is extracted without code inspection, such as file name and
package name. The static features included in this tool are
API calls, activities, opcodes, services, and permissions. The
final set of features is extracted by monitoring the execution
of the application in a controlled environment.
Wen and Yu [74] presented a system for malware detection
that extracted features based on both static and dynamic
analysis. They used a feature selection approach using PCA
and Relief to reduce the dimensionality of the features.
Subsequently, a classification model is built using SVM. The
experimental results demonstrated that the system offers an
effective method for detecting Android malware.
Taher et al. [75] offered a hybrid approach that combines
static and dynamic malware analysis to provide a full view
173179
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
of the threat. In the feature selection phase of their approach,
static characteristics—such as command strings, API calls,
intents, and permissions—were extracted. Additionally,
dynamic analysis of the malware involved extracting ele-
ments, such as cryptographic activities, dynamic approvals,
system calls, and information leakage.
Alzaylaee et al. [76] proposed a system called DL-
Droid. It is a DL system that detects malicious Android
applications by static and dynamic analysis. In the system,
the authors only extracted Android permissions statically
before each run and then extracted the API calls that the
application invokes dynamically at run time. The system
is evaluated using 31,125 samples and its performance
demonstrated that the system achieved high accuracy better
than traditional ML classifiers -based Android malware
detection frameworks. Their study revealed that DL-Droid
achieved up to 97.8% detection rate with dynamic features
only and 99.6% detection rate with a combination of both
static and dynamic features.
Asim et al. [77] proposed an approach that is particularly
designed for detecting Trojan horse malware using both static
and dynamic features. The authors extracted over 20 features
related to different categories, such as network usage, CPU
usage, and permission. SVM obtained the best performance
among the employed ML models.
Mantoo and Khurana [78] presented a hybrid approach
of static, dynamic, and intrinsic features-based malware
detection using k-NN and logistic regression ML algorithms.
They used 20 features, including the API calls that the system
invokes during execution as the dynamic analysis, the size of
the application as intrinsic features, and permission-related
features as static analysis. The static features were extracted
using apktool. The dynamic features are extracted by
installing each application in the restricted environment of
Genny Motion Studio. Both k-NN and logistic regression
showed an accuracy of 97.5%.
Kouliaridis et al. [79] introduced an automated hybrid
analysis tool that extracted groups of static and dynamic
features to analyze the behavior of an application on
the Android platform. A total of six feature categories
were investigated, including permissions, intents, API
calls, network traffic, inter-app communication, and Java
classes.
Among these categories, only permissions, intents, and
API calls apply to static analysis. The authors found that
the API calls category tended to enhance the performance of
Additionally, the Java classes category also achieved notably
high average importance scores. The experiment for this
study was done over three different datasets in order to show
that this hybrid analysis of Android applications can greatly
improve the detection capabilities of a malware detection
model.
Yang et al. [80] proposed a two-stage mechanism for
detecting and classifying Android malware using ML algo-
rithms. The approach involves utilizing static analysis to
173180
extract package features, permission features, component
features, and triggering mechanisms from the software.
Dynamic analysis tools are employed to capture the soft-
ware’s dynamic behavioral characteristics and, subsequently,
the static and dynamic features are formatted. Finally, the
feature eigenvectors are processed using ML algorithms in
two stages, which results in the classification of the software
as malicious or benign. The accuracy of malware detection
and malicious family classification is 95.9% and 94.8%,
respectively.
Atacak et al. [81] presented a malware detection model
that intended to improve the detection accuracy and reduce
the required time. The detection in this method is based on
permission information from the applications. The proposed
model reached an accuracy of 92%.
Xu et al. [82] proposed a framework that involved
extracting network traffic features as dynamic features and
converting them to two-dimensional images. Moreover, the
approach included the use of program code as the static
feature. Each of these features is processed and analyzed
individually, and then the results of the analysis are used to
classify the application and categorize the malware.
Table 8 presents a summary of the related studies that
addressed Android malware detection techniques with their
corresponding contributions and limitations.
VI. RESULTS AND DISCUSSION
This section wraps up several key findings based on the
reviewed studies in the previous section.
A. ANALYSIS APPROACHES
As indicated by Venkatraman and Alazab [85], static analysis
is considered faster and more effective than dynamic analysis
due to its advantages in capturing information related to
structural properties, such as byte sequence ‘‘signatures’’
and anomalies in file content. Dynamic analysis can be
effective by utilizing run-time information, such as running
processes or employing control flow graphs, which can be
less susceptible to obfuscated malware. Moreover, dynamic
malware analysis requires the user to install and execute
the application, potentially impacting user data. Malicious
behavior may occur during the application’s execution or
even immediately after installation, potentially compromis-
ing the user’s sensitive information.
Based on the reviewed studies, it is identified that 50% of
the related studies used static analysis as a malware detection
approach, 25% used hybrid analysis, and 25% used the
dynamic analysis technique. This is presented in Figure 6.
The increased use of static analysis demonstrates its high
effectiveness as an application analysis approach. Moreover,
the resource consumption involved in static analysis is lower
when compared with the other two methods. In a study
conducted by Gorment et al. [86] on malware detection for
different platforms, it was found that 53.3% of the studies
focused on static analysis. In contrast, dynamic analysis
VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML

TABLE 8. Summary of reviewed papers.

VOLUME 12, 2024 173181

 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML

TABLE 8. (Continued.) Summary of reviewed papers.

173182 VOLUME 12, 2024

S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML

TABLE 8. (Continued.) Summary of reviewed papers.

VOLUME 12, 2024 173183

 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML

TABLE 8. (Continued.) Summary of reviewed papers.

173184 VOLUME 12, 2024

S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
accounted for 28.9% and hybrid analysis for 17.8%. This also
highlights the significant effectiveness and attractiveness of
static analysis for malware detection, not only for Android
OS but also across various platforms.
FIGURE 6. Malware analysis techniques used in the research papers
covered in this survey.
TABLE 9. Static features used in studies covered in this survey.
B. EXTRACTED STATIC FEATURES
Static analysis involves the examination of source code
without executing the application. It involves analyzing the
code structure, syntax, and semantics to detect the presence
of malware. In this subsection, the most widely extracted
static features based on the reviewed studies are discussed and
defined. Based on Table 9, which presents the extracted static
features that are used by the reviewed papers that proposed
VOLUME 12, 2024
static-based malware detection. Three main features were
mostly used by researchers, which are enumerated below:
• Permissions features: Android applications request var-
ious permissions to access certain sensitive resources or
data in order to perform their functional requirements
and complete specific actions on a mobile device.
Users have to allow the requested permissions by
applications [87]. Malicious applications often request
excessive or unnecessary permissions, which indicates
suspicious behavior.
• Intent: Intent is a fundamental component of Android’s
inter-application communication system [88]. When one
activity within an application needs to communicate
with another activity, it generates an intent. An intent
serves as a message or request that encapsulates
the important information that the sending activity
wants to communicate to the receiving activity [89].
ML algorithms can consider intent features, such as
intent filters and action names. Intent filters define the
types of intents an application can respond to, and action
names specify the specific actions the application can
perform [90], [91].
• API calls: API calls are important for Android applica-
tions because they allow the application to interact with
devices [92]. An API call typically involves sending a
request to a server to fetch or send data. This can include
retrieving information from a database or submitting
data to be processed and stored [93].
ML algorithms can analyze permission features, which
provide information regarding the access and capabilities
requested by the applications. Certain permissions are com-
monly associated with malicious behavior, such as accessing
the exact location of the device and having details about
the SMS messages. ML algorithms can learn to recognize
these patterns and classify applications as malicious based
on suspicious permission requests [94]. Moreover, certain
combinations of intent filters and action names can indicate
malicious behavior. Further, by analyzing the sequence and
patterns of API calls made by an application, ML algorithms
can identify suspicious behavior that may indicate malware.
Permission features are the most widely used features
followed by API calls, and intent features, as illustrated in
FIGURE 7. Extracted static features in the reviewed papers.
173185
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML

Figure 7. Other features include those that were used only by TABLE 10. Accuracy achieved by each paper.
one study, such as binaries and program genes.

C. PERFORMANCE OF ML ALGORITHMS
Ten ML algorithms were widely used and achieved the best
results based on the reviewed studies. Figure 8 illustrates the
percentage use of these ML algorithms, which have attained
the highest accuracy rates in certain papers compared to other
ML models. The analysis reveals that the RF algorithm is the
most commonly used, followed by DT and SVM with similar
usage percentages. RF is effective for malware detection and
is robust against overfitting [95], [96], which could explain
its popularity in the analyzed studies.
Even though RF is more commonly used overall, it is
important to note that it may not always guarantee the highest
accuracy in every scenario. As shown in Table 10, the highest
accuracy rates were achieved by other algorithms, such as
logistic regression with 100% accuracy [79], CNN with
99.92% accuracy [62], and DT with 99.6% accuracy [76] for
malware detection. The choice of algorithm should be based
on a thorough evaluation and consideration of the specific
dataset and problem domain.

FIGURE 8. Used ML algorithm in the analyzed papers.

discussed. The following points outline the main findings and

Even though the recently proposed studies by researchers
have a great accuracy detection rate, a few studies took into
consideration the time taken to train and test the models.
For example, in a work proposed by Balcioglu et al. [53],
the accuracy achieved was close to 99%, but the time taken
was very long. Bibi et al. [69] revealed a long detection time
compared to similar studies. Therefore, it is essential to create
a balance between achieving high accuracy and considering
the time aspect in malware detection approaches. To ensure a
good user experience, it is important to build a fast detection
system while maintaining a high level of accuracy.
D. SUMMARY OF MAJOR FINDINGS AND LIMITATIONS
The aim of this section is to provide a summary of the
major findings from the SLR on Android malware detection
using supervised ML models, discussing the significant
contributions, and conclusions of the reviewed studies. Addi-
tionally, the limitations identified throughout the literature are
key limitations uncovered during the SLR:
1) The high percentage of static analysis-based appro-
aches may indicate their widespread adoption and
effectiveness in malware detection.
2) The most commonly used static features for malware
detection are permissions, intents, and API calls.
3) Among the ML algorithms used, RF is the most
commonly used, followed by DT and SVM. RF is
effective for malware detection and robust against
overfitting, which could explain its popularity.
4) It is important to balance achieving high accuracy
and considering the time aspect in malware detection
approaches. Certain studies have achieved close to 99%
accuracy, but with long detection times, which is a
critical factor for practical implementation.
5) Dataset issues are identified as the most common
limitation in the SLR. This is not only because of the
size of the used datasets; the use of the outdated dataset

173186 VOLUME 12, 2024

S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
also contributed to this issue. An old dataset may not
reflect current trends and behaviors of malware.
6) A few of the studies have used imbalanced datasets,
which leads to trained models that are biased toward
the majority class.
7) While accuracy is an important metric for evaluating
the ML models’ performance, it should not be the only
focus. Other aspects, such as resource consumption
and the time taken to train and test, should also be
considered to provide a comprehensive evaluation of
their ML models.
8) Despite the high accuracy rates achieved in many
studies, the majority of them did not test their ML
models in real-world scenarios to evaluate their actual
performance of the ML models and the generalization
of the dataset. Evaluating the ML models using real-
world data, rather than just on the training and testing
datasets, is important to assess their robustness and
effectiveness in applications.
9) Android devices typically have limited CPU, memory,
and battery resources compared to desktops. Highly
accurate ML models, particularly ensemble models,
for malware detection may have a large number
of parameters and require significant computational
resources. Running these complex models directly
on Android devices may not be feasible due to the
limited resources available. In addition, this may cause
latency in malware detection, which can impact the user
experience.
10) The ML models should be able to generalize well
and detect not only known malware but also new,
previously unseen threats. This requires the models
to learn the underlying patterns and characteristics
of malware, rather than relying solely on specific
signatures.
E. REGULATORY AND ETHICAL IMPLICATIONS
The integration of ML algorithm in malware detection and
analysis introduces not just technological advancements but
also regulatory of ethical considerations. Malware detection
often relies on analyzing large datasets of applications
and user behavior, which may include sensitive user data
and personal information. Malware detection systems must
analyze the system in depth, from reading the content of
all files to observing the behavior of all processes. Hence,
developers and researchers must ensure strict compliance
with data privacy regulations—such as the General Data
Protection Regulation (GDPR)—when collecting, storing,
and processing this data for ML-based malware detection
[98]. Appropriate measures should be taken to anonymize
and protect user data, thereby minimizing the risk of personal
information leaks or misuse.
Moreover, depending on the jurisdiction, the deployment
of Android malware detection systems may be subject to
specific regulations, such as those related to data protection,
VOLUME 12, 2024
algorithmic decision-making, and the use of AI in security
applications. Researchers and developers must ensure that
their solutions comply with all relevant regulations and
industry standards to mitigate legal and ethical risks.
VII. RECOMMENDATIONS FOR FUTURE RESEARCH
DIRECTIONS
There is still room for further research to enhance the effec-
tiveness, efficiency, and resilience of ML-based approaches
for malware detection. In this section, a set of recom-
mendations for future research directions in the field of
ML-based Android malware detection are presented. These
recommendations aim to address existing challenges and
push the boundaries of detection capabilities. Exploring
these research directions can enhance the state-of-the-art
in Android malware detection and develop better solutions.
Based on this study, the authors suggest additional future
investigation in the following directions::
A. EXPLORING OTHER STATIC FEATURES
The existing literature has mainly focused on utilizing
traditional static features—such as API calls, permissions,
and file metadata—for Android malware detection. However,
there are still more static features that need to be addressed
and explored by researchers for malware detection in Android
OS. An example of these features is Opcode features,
which can be found in a class.dex file [99]. The opcode
sequences represent the low-level instructions executed by
the application on the target platform. Furthermore, code
comments could be used for malware detection because
developers may leave comments that may contain hints
related to their malicious activities. However, a key challenge
faced by researchers in exploring these novel feature sets
is the lack of publicly available datasets that include these
attributes.
To address this gap, future research should focus on the
development of comprehensive datasets that capture a diverse
set of static features, including opcode sequences and code
comments, in addition to traditionally utilized attributes.
B. EXPLAINABLE MACHINE LEARNING TECHNIQUES
While NN and other complex ML models have demonstrated
impressive performance in Android malware detection, they
often act as black boxes, thus making it challenging to
understand how they classify the Android application. This
lack of transparency leads to a significant challenge, as it can
affect the trust and reliability of these models, particularly in
high-risk domains such as cybersecurity.
To address this issue, researchers have been focusing more
on the field of explainable ML (XML). XML techniques
aim to develop models that not only provide accurate
predictions but also offer interpretable explanations for their
decisions. In the context of Android malware detection,
XML approaches will be able to bridge the gap between
model accuracy and model interpretability. Moreover, a clear
173187
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
understanding of reasons underlying the model’s decisions
enables researchers to assess its generalization capabilities
and develop more robust malware detection systems.
C. DEEP LEARNING NEEDS TO BE UTILIZED MORE IN
ANDROID SECURITY
While DL models have showed outstanding performance in
multiple domains, such as computer vision, their application
in Android malware detection is still in the early stages and
needs to be discovered more. However, deploying DL mod-
els on resource-constrained devices introduces challenges
related to resource consumption and model size. In addition,
the lack of comprehensive and high-quality datasets of
Android malware samples is another challenge.
The authors encourage researchers to make further
advances in utilizing DL models and address related chal-
lenges to enable practical deployment of DL-based malware
detection on Android.
D. DETECTION OF COLLUDING APPLICATIONS
Colluding applications refer to a group of Android applica-
tions that work together to perform malicious activities that
they are unable to do independently. These applications may
communicate and exchange information covertly, thereby
causing a significant threat to the overall security and privacy
of Android devices [100]. This is an emerging threat.
The reason why this is considered an emerging threat is that
traditional Android malware detection systems typically scan
applications individually to determine if they are malicious.
However, in this case, the malicious activity is being
conducted by a group of applications colluding with each
other. Traditional detectors are unable to identify this type
of threat, as they are not designed to detect the collaborative
nature of the malicious behavior.
To address this issue, a new model is needed that can
effectively detect these colluding applications. Unfortunately,
there has been very little research conducted in this area, and
there is a lack of datasets available to support the development
of this model.
VIII. THREATS TO VALIDITY
Every research study, including an SLR, faces potential
threats to the validity of its findings. In this section, the threat
to validity that are experienced while conducting this SLR are
discussed.
Construct validity is about the collection of primary
studies. In this paper, the authors likely have a few errors
in the screening process based on the inclusion or exclusion
criteria. This cross-checking method was employed to help
validate the final set of included studies and further mitigate
the risk of errors in the study selection.
Internal validity is related to extracting and analyzing
data. It is related to the soundness of the applied review
process. There was a heavy workload during the process
of data extraction and data analysis. Hence, the data was
cross-checked and reviewed until all authors agreed on
the comparison results. However, the possibility of certain
173188
residual errors in data extraction and analysis cannot be
eliminated.
External validity deals with the summary of the results
obtained from the primary studies. The review collected
research publications from 2017 to 2024 to provide a
comprehensive overview of Android malware detection using
ML models up to the present time. ML models and techniques
for malware detection have increased significantly during
this period due to recent advances in malware and software
security. The trends in this field could vary across different
periods. Thus, the analysis presented in the review may not
fully capture comprehensive studies conducted before the
period.
IX. CONCLUSION
With the increasing popularity and widespread use of
Android devices, the risk of malicious software that targets
these platforms is also on the rise. Android malware presents
dangers to user privacy, data security, and the overall
performance of devices. Efficient and accurate Android
malware detection not only protects individual users’ privacy
and data security but also preserves the integrity of enterprise
networks and sensitive information. The security model of
Android is highly reliant on permission based model where
the developer declare the required permission and the users
grant this permission. Based on a recently proposed paper by
researchers, the security weaknesses related to the Android
application and Google Play review process are highlighted
and summarized.
This paper presented an SLR of existing works related to
ML-based malware detection. After conducting the review,
static analysis was identified as the widely used analysis
approach for malware detection in Android application,
responsible for 50% of the reviewed papers. Another key
finding is that permissions features were the mostly used
static features, followed by API calls features. Moreover,
the authors discovered that RF was the most used ML
model for Android malware detection and classification.
Even though it is the most commonly used model, the highest
accuracy was achieved with other ML models, such as logistic
regression and DT. Based on the findings from existing
studies in this field, it is concluded from this SLR that
Android malware detection using the ML model still faces
challenges and limitations. Database issues were identified
as the most significant limitation in the reviewed papers.
Another limitation was the lack of model evaluation in a real-
world scenario, which did not ensure model robustness and
dataset generalization. To address these challenges, future
research directions are provided. The findings of the review
contribute to a deeper understanding of the current state of
the field and can serve as a foundation for researchers to build
upon.
REFERENCES
[1] M. K. A. Abuthawabeh, ‘‘Android malware detection based on network
traffic using CICAndMal2017 dataset,’’ Ph.D. dissertation, Sci. Inf. Syst.
Secur. Digit. Criminology, Princess Sumaya Univ. Technol., Amman,
Jordan, 2019.
VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
[2] S. Garg and N. Baliyan, ‘‘Comparative analysis of Android and iOS
from security viewpoint,’’ Comput. Sci. Rev., vol. 40, May 2021,
Art. no. 100372. [Online]. Available: https://www.sciencedirect.com/
science/article/pii/S1574013721000125
[3] A. B. Yilmaz, Y. S. Taspinar, and M. Koklu, ‘‘Classification of malicious
Android applications using naive Bayes and support vector machine
algorithms,’’ Int. J. Intell. Syst. Appl. Eng., vol. 10, no. 2, pp. 269–274,
2022.
[4] Ö. A. Aslan and R. Samet, ‘‘A comprehensive review on malware detection
approaches,’’ IEEE Access, vol. 8, pp. 6249–6271, 2020. [Online].
Available: https://api.semanticscholar.org/CorpusID:210692077
[5] I. A. Saeed, A. Selamat, and A. M. A. Abuagoub, ‘‘A survey on malware
and malware detection systems,’’ Int. J. Comput. Appl., vol. 67, no. 16,
pp. 25–31, Apr. 2013.
[6] R. Tahir, ‘‘A study on malware and malware detection techniques,’’
Int. J. Educ. Manage. Eng., vol. 8, no. 2, pp. 20–30, Mar. 2018.
[7] A. Sharma and S. K. Sahay, ‘‘Evolution and detection of polymorphic and
metamorphic malwares: A survey,’’ 2014, arXiv:1406.7061.
[8] P. Vinod, R. Jaipur, V. Laxmi, and M. Gaur, ‘‘Survey on malware detection
methods,’’ in Proc. 3rd Hackers’ Workshop Comput. Internet Secur.
(IITKHACK), Mar. 2009, pp. 74–79.
[9] N. Milosevic, A. Dehghantanha, and K.-K.-R. Choo, ‘‘Machine learning
aided Android malware classification,’’ Comput. Electr. Eng., vol. 61,
pp. 266–274, Jul. 2017. [Online]. Available: https://www.sciencedirect.
com/science/article/pii/S0045790617303087
[10] Y. Pan, X. Ge, C. Fang, and Y. Fan, ‘‘A systematic literature review of
Android malware detection using static analysis,’’ IEEE Access, vol. 8,
pp. 116363–116379, 2020.
[11] N.-U.-R. Chowdhury, A. Haque, H. Soliman, M. S. Hossen, T. Fatima,
and I. Ahmed, ‘‘Android malware detection using machine learning:
A review,’’ in Proc. Intell. Syst. Conf. Amsterdam, The Netherlands:
Springer, 2023, pp. 507–522.
[12] Z. Wang, Q. Liu, and Y. Chi, ‘‘Review of Android malware detection based
on deep learning,’’ IEEE Access, vol. 8, pp. 181102–181126, 2020.
[13] V. Kouliaridis and G. Kambourakis, ‘‘A comprehensive survey on machine
learning techniques for Android malware detection,’’ Information, vol. 12,
no. 5, p. 185, Apr. 2021.
[14] J. Senanayake, H. Kalutarage, and M. O. Al-Kadri, ‘‘Android mobile mal-
ware detection using machine learning: A systematic review,’’ Electronics,
vol. 10, no. 13, p. 1606, Jul. 2021.
[15] M. Haris, B. Jadoon, M. Yousaf, and F. Khan, ‘‘Evolution of Android
operating system: A review,’’ in Proc. 2nd Int. Conf. Adv. Res., 2017,
pp. 1–11.
[16] R. Sain. (2024). Android OS History and Versions. Accessed: Jul. 2024.
[Online]. Available: https://www.naukri.com/code360/library/Android-os-
history-and-versions
[17] R. Vaidya. Android Architecture: Layers and Important Components.
Accessed: Nov. 26, 2023. [Online]. Available: https://www.elluminatiinc.
com/android-architecture/n
[18] N. Rahimi, J. Nolen, and B. Gupta, ‘‘Android security and its
rooting—A possible improvement of its security architecture,’’ J. Inf.
Secur., vol. 10, no. 2, pp. 91–102, 2019.
[19] Y. Chen, ‘‘Research on Android architecture and application
development,’’ J. Phys., Conf. Ser., vol. 1992, no. 2, Aug. 2021,
Art. no. 022168.
[20] P. Uttarwar, R. P. Tidke, D. S. Dandwate, and U. J. Tupe, ‘‘A literature
review on Android—A mobile operating system,’’ Int. Res. J. Eng.
Technol., vol. 8, no. 1, pp. 1–6, 2021.
[21] M. Ashawa and S. Morris, ‘‘Analysis of mobile malware: A systematic
review of evolution and infection strategies,’’ J. Inf. Secur. Cybercrimes
Res., vol. 4, no. 2, pp. 103–131, Dec. 2021.
[22] M. Yousefi-Azar, L. G. C. Hamey, V. Varadharajan, and S. Chen,
‘‘Malytics: A malware detection scheme,’’ IEEE Access, vol. 6,
pp. 49418–49431, 2018.
[23] T. Trieu, ‘‘Android malware analysis,’’ M.S. thesis, Inf. Technol.,
Metropolia Univ. Appl. Sci., Finland, 2021.
[24] F. Martinelli, F. Mercaldo, V. Nardone, A. Santone, and G. Vaglini,
‘‘Model checking and machine learning techniques for HummingBad
mobile malware detection and mitigation,’’ Simul. Model. Pract. Theory,
vol. 105, Dec. 2020, Art. no. 102169.
[25] M. Naseer, J. F. Rusdi, N. M. Shanono, S. Salam, Z. B. Muslim, N. A. Abu,
and I. Abadi, ‘‘Malware detection: Issues and challenges,’’ J. Phys., Conf.
Ser., vol. 1807, no. 1, Apr. 2021, Art. no. 012011.
VOLUME 12, 2024
[26] M. Salman. (2024). What is Signature-Based Detection? Accessed:
Jul. 2024. [Online]. Available: https://www.educative.io/answers/what-is-
signature-based-detection
[27] M. Botacin, F. Ceschin, R. Sun, D. Oliveira, and A. Grégio, ‘‘Challenges
and pitfalls in malware research,’’ Comput. Secur., vol. 106, Jul. 2021,
Art. no. 102287.
[28] Z. Bazrafshan, H. Hashemi, S. M. H. Fard, and A. Hamzeh, ‘‘A survey
on heuristic malware detection techniques,’’ in Proc. 5th Conf. Inf. Knowl.
Technol., May 2013, pp. 113–120.
[29] What is Heuristic Analysis? Accessed: Jul. 2024. [Online]. Available:
https://www.fortinet.com/resources/cyberglossary/heuristic-analysis
[30] X. Meng, ‘‘An integrated networkbased mobile botnet detection system,’’
Ph.D. dissertation, Univ. London, London, U.K., 2018.
[31] J. Lee, H. Jang, S. Ha, and Y. Yoon, ‘‘Android malware detection using
machine learning with feature selection based on the genetic algorithm,’’
Mathematics, vol. 9, no. 21, p. 2813, Nov. 2021. [Online]. Available:
https://www.mdpi.com/2227-7390/9/21/2813
[32] K. Liu, S. Xu, G. Xu, M. Zhang, D. Sun, and H. Liu, ‘‘A review of Android
malware detection approaches based on machine learning,’’ IEEE Access,
vol. 8, pp. 124579–124607, 2020.
[33] M. Y. Wong and D. Lie, ‘‘Intellidroid: A targeted input generator for the
dynamic analysis of Android malware,’’ in Proc. NDSS, vol. 16, 2016,
pp. 21–24.
[34] N. Tarar, S. Sharma, and C. R. Krishna, ‘‘Analysis and classification of
Android malware using machine learning algorithms,’’ in Proc. 3rd Int.
Conf. Inventive Comput. Technol. (ICICT), Nov. 2018, pp. 738–743.
[35] V. Rao and K. Hande, ‘‘A comparative study of static, dynamic and
hybrid analysis techniques for Android malware detection,’’ Int. J. Eng.
Develop. Res., vol. 5, no. 2, pp. 1433–1436, 2017.
[36] N. Peiravian and X. Zhu, ‘‘Machine learning for Android malware
detection using permission and API calls,’’ in Proc. IEEE 25th Int. Conf.
Tools Artif. Intell., Nov. 2013, pp. 300–305.
[37] M. Alazab, M. Alazab, A. Shalaginov, A. Mesleh, and A. Awajan,
‘‘Intelligent mobile malware detection using permission requests and API
calls,’’ Future Gener. Comput. Syst., vol. 107, pp. 509–521, Jun. 2020.
[38] K. Sowndarajan and S. Binu, ‘‘Static analysis tool for identification of
permission misuse by Android applications,’’ Int. J. Appl. Eng. Res.,
vol. 12, no. 24, pp. 15169–15178, 2017.
[39] M. Bardus, M. A. Daccache, N. Maalouf, R. A. Sarih, and I. H. Elhajj,
‘‘Data management and privacy policy of COVID-19 contact-tracing apps:
Systematic review and content analysis,’’ JMIR mHealth uHealth, vol. 10,
no. 7, Jul. 2022, Art. no. e35195.
[40] R. Singh. (2014). An Overview of Android Operating System and
Its Security Features. [Online]. Available: https://api.semanticscholar.
org/CorpusID:11973006
[41] M. S. Ahmad, N. E. Musa, R. Nadarajah, R. Hassan, and N. E. Othman,
‘‘Comparison between Android and iOS operating system in terms of
security,’’ in Proc. 8th Int. Conf. Inf. Technol. Asia (CITA), Jul. 2013,
pp. 1–4.
[42] I. Mohamed and D. Patel, ‘‘Android vs iOS security: A comparative
study,’’ in Proc. 12th Int. Conf. Inf. Technol.-New Generat., Apr. 2015,
pp. 725–730.
[43] C. Nachenberg, ‘‘A window into mobile device security,’’ Symantec Secur.
Response, Moutain View, CA, USA, Tech. Rep., 2011.
[44] T.-M. Grønli, J. Hansen, G. Ghinea, and M. Younas, ‘‘Mobile application
platform heterogeneity: Android vs windows phone vs iOS vs Firefox OS,’’
in Proc. IEEE 28th Int. Conf. Adv. Inf. Netw. Appl., May 2014, pp. 635–641.
[45] S. Karthick and S. Binu, ‘‘Android security issues and solutions,’’ in Proc.
Int. Conf. Innov. Mech. Ind. Appl. (ICIMIA), Feb. 2017, pp. 686–689.
[46] D. Geneiatakis, I. N. Fovino, I. Kounelis, and P. Stirparo, ‘‘A permission
verification approach for Android mobile applications,’’ Comput. Secur.,
vol. 49, pp. 192–205, Mar. 2015.
[47] F. Bourebaa and M. Benmohammed, ‘‘A deep neural network model for
malware detection,’’ Int. J. Informat. Appl. Math., vol. 4, no. 1, pp. 1–14,
2021.
[48] M. Dhalaria and E. Gandotra, ‘‘A framework for detection of Android
malware using static features,’’ in Proc. IEEE 17th India Council Int. Conf.
(INDICON), Dec. 2020, pp. 1–7.
[49] R. S. Arslan, I. A. Doğru, and N. Barişçi, ‘‘Permission-based malware
detection system for Android using machine learning techniques,’’
Int. J. Softw. Eng. Knowl. Eng., vol. 29, no. 1, pp. 43–61, Jan. 2019.
173189
 S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
[50] F. Akbar, M. Hussain, R. Mumtaz, Q. Riaz, A. W. A. Wahab, and
K.-H. Jung, ‘‘Permissions-based detection of Android malware using
machine learning,’’ Symmetry, vol. 14, no. 4, p. 718, Apr. 2022.
[51] H. Gao, S. Cheng, and W. Zhang, ‘‘GDroid: Android malware detection
and classification with graph convolutional network,’’ Comput. Secur.,
vol. 106, Jul. 2021, Art. no. 102264.
[52] A. Sangal and H. K. Verma, ‘‘A static feature selection-based Android
malware detection using machine learning techniques,’’ in Proc. Int. Conf.
Smart Electron. Commun. (ICOSEC), Sep. 2020, pp. 48–51.
[53] Y. Balcioglu, ‘‘Malware analysis for effective Android malware detection,’’
in Proc. Int. Anatolian Congr. Sci. Res., Mar. 2023, pp. 1–9.
[54] R. Yumlembam, B. Issac, S. M. Jacob, and L. Yang, ‘‘IoT-based Android
malware detection using graph neural network with adversarial defense,’’
IEEE Internet Things J., vol. 10, no. 10, pp. 8432–8444, May 2023.
[55] Q. Li, G. Chen, and B. Li, ‘‘Android malware detection based on program
genes,’’ Secur. Commun. Netw., vol. 2023, pp. 1–11, Apr. 2023.
[56] K. Khariwal, J. Singh, and A. Arora, ‘‘IPDroid: Android malware detection
using intents and permissions,’’ in Proc. 4th World Conf. Smart Trends
Syst., Secur. Sustainability (WorldS4), Jul. 2020, pp. 197–202.
[57] S. K. Smmarwar, G. P. Gupta, S. Kumar, and P. Kumar, ‘‘An optimized
and efficient Android malware detection framework for future sustainable
computing,’’ Sustain. Energy Technol. Assessments, vol. 54, Dec. 2022,
Art. no. 102852.
[58] O. N. Elayan and A. M. Mustafa, ‘‘Android malware detection using deep
learning,’’ Proc. Comput. Sci., vol. 184, pp. 847–852, Jan. 2021.
[59] R. S. Kesani, ‘‘Android malware detection using machine learning,’’
M.S. thesis, Dept. Comput. Sci., Blekinge Inst. Technol., Valhallavägen,
2024.
[60] A. Mahindru, H. Arora, A. Kumar, S. K. Gupta, S. Mahajan, S. Kadry,
and J. Kim, ‘‘PermDroid a framework developed using proposed feature
selection approach and machine learning techniques for Android malware
detection,’’ Sci. Rep., vol. 14, no. 1, p. 10724, May 2024.
[61] E. Odat and Q. M. Yaseen, ‘‘A novel machine learning approach for
Android malware detection based on the co-existence of features,’’ IEEE
Access, vol. 11, pp. 15471–15484, 2023.
[62] M. Aamir, M. W. Iqbal, M. Nosheen, M. U. Ashraf, A. Shaf,
K. A. Almarhabi, A. M. Alghamdi, and A. A. Bahaddad, ‘‘AMDDLmodel:
Android smartphones malware detection using deep learning model,’’
PLoS ONE, vol. 19, no. 1, Jan. 2024, Art. no. e0296722.
[63] A. Alhussen, ‘‘Advanced Android malware detection through deep
learning optimization,’’ Eng., Technol. Appl. Sci. Res., vol. 14, no. 3,
pp. 14552–14557, Jun. 2024.
[64] A. H. E. Fiky, A. E. Shenawy, and M. A. Madkour, ‘‘Android malware
category and family detection and identification using machine learning,’’
2021, arXiv:2107.01927.
[65] A. Zulkifli, I. R. A. Hamid, W. M. Shah, and Z. Abdullah, ‘‘Android
malware detection based on network traffic using decision tree algorithm,’’
in Proc. 3rd Int. Conf. Recent Adv. Soft Comput. Data Mining (SCDM).
Johor, Malaysia: Springer, Feb. 2018, pp. 485–494.
[66] A. Mahindru and A. L. Sangal, ‘‘MLDroid—Framework for Android
malware detection using machine learning techniques,’’ Neural Comput.
Appl., vol. 33, no. 10, pp. 5183–5240, May 2021.
[67] R. Thangaveloo, W. W. Jing, C. K. Leng, and J. Abdullah, ‘‘DATDroid:
Dynamic analysis technique in Android malware detection,’’ Int. J. Adv.
Sci., Eng. Inf. Technol., vol. 10, no. 2, pp. 536–541, Mar. 2020.
[68] S. Wang, Z. Chen, Q. Yan, B. Yang, L. Peng, and Z. Jia, ‘‘A mobile
malware detection method using behavior features in network traffic,’’
J. Netw. Comput. Appl., vol. 133, pp. 15–25, May 2019. [Online]. Avail-
able: https://www.sciencedirect.com/science/article/pii/S1084804518
304028
[69] I. Bibi, A. Akhunzada, J. Malik, J. Iqbal, A. Musaddiq, and S. Kim,
‘‘A dynamic DL-driven architecture to combat sophisticated Android
malware,’’ IEEE Access, vol. 8, pp. 129600–129612, 2020.
[70] T. Bhatia and R. Kaushal, ‘‘Malware detection in Android based on
dynamic analysis,’’ in Proc. Int. Conf. Cyber Secur. Protection Digit.
Services (Cyber Security), Jun. 2017, pp. 1–6.
[71] H. H. R. Manzil and S. M. Naik, ‘‘DynaMalDroid: Dynamic analysis-
based detection framework for Android malware using machine learning
techniques,’’ in Proc. Int. Conf. Knowl. Eng. Commun. Syst. (ICKES),
Dec. 2022, pp. 1–6.
[72] S. Xiong and H. Zhang, ‘‘A multi-model fusion strategy for Android
malware detection based on machine learning algorithms,’’ J. Comput. Sci.
Res., vol. 6, no. 2, pp. 1–11, Jun. 2024.
173190
[73] A. Martín García, R. Lara-Cabrera, and D. Camacho, ‘‘A new tool for static
and dynamic Android malware analysis,’’ in Proc. 13th Int. FLINS Conf.
(FLINS), Sep. 2018, pp. 509–516.
[74] L. Wen and H. Yu, ‘‘An Android malware detection system based
on machine learning,’’ AIP Conf. Proc., vol. 1864, no. 1, 2017,
Art. no. 020136.
[75] F. Taher, O. AlFandi, M. Al-kfairy, H. A. Hamadi, and S. Alrabaee,
‘‘DroidDetectMW: A hybrid intelligent model for Android malware
detection,’’ Appl. Sci., vol. 13, no. 13, p. 7720, Jun. 2023.
[76] M. K. Alzaylaee, S. Y. Yerima, and S. Sezer, ‘‘DL-Droid: Deep learning
based Android malware detection using real devices,’’ Comput. Secur.,
vol. 89, Feb. 2020, Art. no. 101663.
[77] S. Ullah, T. Ahmad, A. Buriro, N. Zara, and S. Saha, ‘‘TrojanDetector:
A multi-layer hybrid approach for trojan detection in Android applica-
tions,’’ Appl. Sci., vol. 12, no. 21, p. 10755, Oct. 2022.
[78] B. A. Mantoo and S. S. Khurana, ‘‘Static, dynamic and intrinsic features
based Android malware detection using machine learning,’’ in Proceedings
of ICRIC, P. K. Singh, A. K. Kar, Y. Singh, M. H. Kolekar, and S. Tanwar,
Eds., Cham, Switzerland: Springer, 2020, pp. 31–45.
[79] V. Kouliaridis, G. Kambourakis, D. Geneiatakis, and N. Potha, ‘‘Two
anatomists are better than one—Dual-level Android malware detection,’’
Symmetry, vol. 12, no. 7, p. 1128, Jul. 2020. [Online]. Available:
https://www.mdpi.com/2073-8994/12/7/1128
[80] F. Yang, Y. Zhuang, and J. Wang, ‘‘Android malware detection using
hybrid analysis and machine learning technique,’’ in Proc. Int. Conf. Cloud
Comput. Secur., Jun. 2017, pp. 565–575.
[81] İ. Atacak, K. Kılıç, and İ. A. Doğru, ‘‘Android malware detection using
hybrid ANFIS architecture with low computational cost convolutional
layers,’’ PeerJ Comput. Sci., vol. 8, p. e1092, Sep. 2022.
[82] P. Xu, C. Eckert, and A. Zarras, ‘‘hybrid-Falcon: Hybrid pattern malware
detection and categorization with network traffic and program code,’’ 2021,
arXiv:2112.10035.
[83] R. Srinivasan, S. Karpagam, M. Kavitha, and R. Kavitha, ‘‘An analysis
of machine learning-based Android malware detection approaches,’’
J. Phys., Conf. Ser., vol. 2325, no. 1, Aug. 2022, Art. no. 012058.
[84] K. Sai, N. Navya, T. Sreya, and S. Ali, ‘‘Android malware detection
using genetic algorithm based optimized feature selection and machine
learning,’’ Int. J. Recent Develop. Sci. Technol., vol. 7, no. 2, pp. 60–72,
2023.
[85] S. Venkatraman and M. Alazab, ‘‘Use of data visualisation for zero-
day malware detection,’’ Secur. Commun. Netw., vol. 2018, pp. 1–13,
Dec. 2018.
[86] N. Z. Gorment, A. Selamat, L. K. Cheng, and O. Krejcar, ‘‘Machine
learning algorithm for malware detection: Taxonomy, current challenges
and future directions,’’ IEEE Access, vol. 11, pp. 141045–141089,
2023.
[87] S. Ramachandran, A. Dimitri, M. Galinium, M. Tahir, I. V. Ananth,
C. H. Schunck, and M. Talamo, ‘‘Understanding and granting Android
permissions: A user survey,’’ in Proc. Int. Carnahan Conf. Secur. Technol.
(ICCST), Oct. 2017, pp. 1–6.
[88] A. Pathak. Exploring Android Intents. Accessed: Mar. 8, 2024. [Online].
Available: https://medium.com/@myofficework000/intents-in-android-
713da59ee700
[89] M. W. Afridi, T. Ali, T. Alghamdi, T. Ali, and M. Yasar, ‘‘Android
application behavioral analysis through intent monitoring,’’ in Proc. 6th
Int. Symp. Digit. Forensic Secur. (ISDFS), Mar. 2018, pp. 1–8.
[90] K. Efimov and R. Onitza-Klugman. Exploring Intent-Based Android
Security Vulnerabilities on Google Play. Accessed: Dec. 8, 2023.
[Online]. Available: https://snyk.io/blog/exploring-android-intent-based-
security-vulnerabilities-google-play/
[91] Intents and Intent Filters. Accessed: Feb. 2024. [Online]. Available:
https://stuff.mit.edu/afs/sipb/project/android/docs/guide/components/
intents-filters.html
[92] W. Wang, M. Zhao, Z. Gao, G. Xu, H. Xian, Y. Li, and X.
Zhang, ‘‘Constructing features for detecting Android malicious appli-
cations: Issues, taxonomy and directions,’’ IEEE Access, vol. 7,
pp. 67602–67631, 2019.
[93] J. Fernando. (Oct. 2016). What is an API? How to Call an API From
Android? Accessed: Feb. 2024. [Online]. Available: https://droidmentor.
com/api-call-api-android/
[94] P. Papaioannou. How Malicious Applications Abuse Android Permis-
sions. Accessed: Dec. 8, 2023. [Online]. Available: https://blog.nviso.
eu/2021/09/01/how-malicious-applications-abuse-android-permissions/
VOLUME 12, 2024
S. J. Altaha et al.: Survey on Android Malware Detection Techniques Using Supervised ML
[95] V. Kabade, R. Hooda, C. Raj, Z. Awan, A. S. Young, M. S. Welgampola,
and M. Prasad, ‘‘Machine learning techniques for differential diagnosis
of vertigo and dizziness: A review,’’ Sensors, vol. 21, no. 22, p. 7565,
Nov. 2021.
[96] Zach. Decision Tree vs. Random Forests: What’s the Difference?
Accessed: Nov. 29, 2023. [Online]. Available: https://www.statology.org/
decision-tree-vs-random-forest/
[97] A. Fatima, R. Maurya, M. K. Dutta, R. Burget, and J. Masek, ‘‘Android
malware detection using genetic algorithm based optimized feature
selection and machine learning,’’ in Proc. 42nd Int. Conf. Telecommun.
Signal Process. (TSP), Budapest, Hungary, 2019, pp. 220–223.
[98] S. Kayode, ‘‘Navigating regulatory and legal challenges in AI and
ML-powered cybersecurity: A comprehensive analysis,’’ Tech. Rep., 2023.
[99] Q. Wu, X. Zhu, and B. Liu, ‘‘A survey of Android malware static detection
technology based on machine learning,’’ Mobile Inf. Syst., vol. 2021,
pp. 1–18, Mar. 2021.
[100] F. I. Abro, M. Rajarajan, T. M. Chen, and Y. Rahulamathavan, ‘‘Android
application collusion demystified,’’ in Proc. Int. Conf. Future Netw. Syst.
Secur. Gainesville, FL, USA: Springer, 2017, pp. 176–187.
SAFA J. ALTAHA received the bachelor’s degree in computer science and
information technology, in 2019. She is currently pursuing the master’s
degree in cybersecurity with King Faisal University. She has a strong interest
in various areas, including machine learning, digital forensics, cybersecurity,
and business continuity. In addition to her studies, she works as a Business
Continuity Analyst, where she applies her knowledge and skills to ensure the
resilience and security of organizations in the face of cyber threats. Her role
involves implementing strategies and measures to protect critical business
operations and data. Prior to her role as a Business Continuity Analyst,
she was a Cybersecurity Analyst, ensuring compliance to international
cybersecurity standards within her organization.
VOLUME 12, 2024
AHMED ALJUGHAIMAN received the B.S. degree in computer and
information technology, specializing in computer networks and information
security, from Indiana University–Purdue University Indianapolis, in 2011,
the master’s degree in network security from DePaul University, in 2013, the
master’s degree in information assurance from the University of Colorado at
Colorado Springs, in 2019, and the Ph.D. degree in security engineering from
the University of Colorado at Colorado Springs, in 2021. He is currently an
Assistant Professor with the College of Computer Sciences and Information
Technology, King Faisal University, Saudi Arabia. His research interests
include underwater wireless sensor networks, underwater communications,
software-defined networks, cybersecurity, computer networks, terrestrial
wireless sensor networks, network protocols, network security, the Internet
of Things, blockchain, and unmanned aerial vehicles.
SONIA GUL is a dedicated Educator and a Scholar with more than 15 years
of expertise at prestigious educational establishments in Saudi Arabia,
New Zealand, and Asia, instructing pupils from diverse social and cultural
contexts. Her teaching and research expertise lies in the practical aspects
of computer networks, telecommunications, wireless communications,
emergency communications, software engineering, data structures and algo-
rithms, project management, information and communication technology
(ICT), and operating systems. She possesses strong communication skills
and employs effective teaching and research methods to create an engaging
learning environment. Her capability to function in a managerial capacity or
as a member of teaching and research teams demonstrates a track record of
effectively meeting timelines and successful project closures.
173191