Permission-Based Android Malware Detection

Authors

  •   Anshpreet Singh, Research Scholar, Department of Computer Science and Engineering, Punjabi University, Patiala - 147 002, Punjab
  •   Karandeep Singh, Assistant Professor, Department of Computer Science and Engineering, Punjabi University, Patiala - 147 002, Punjab

DOI:

https://doi.org/10.17010/ijcs/2025/v10/i5/175885

Keywords:

Android malware detection, Android permissions, feature selection, permission features, malware detection.

Publication Chronology: Paper Submission Date: September 3, 2025; Paper Sent Back for Revision: September 11, 2025; Paper Acceptance Date: September 14, 2025; Paper Published Online: October 5, 2025.

Abstract

Permission signals from the manifest of Android applications are a quick and cost-effective means of initial screening for potentially harmful apps. In the present paper, we develop a pipeline that relies only on manifest permissions, enhanced with concise engineered summaries (permission counts, grouped permission buckets, and a simple “dangerous permission” score). We compare a set of supervised learning algorithms: Random Forest, XGBoost, Linear Support Vector Machine (calibrated), Bernoulli Naive Bayes, and Logistic Regression. We also implement a three-step feature selection (variance filter → mutual information ranking → model-based pruning) and then address class imbalance with controlled oversampling. The best outcomes overall are obtained with tree ensemble models: our random forest strikes a good balance between precision and recall, with an accuracy of 81.6% and an F1 score around 0.859, while XGBoost posts the best ranking metric, a Receiver Operating Characteristic – Area Under the Curve (ROC AUC) of about 0.90. Our error analysis confirms that a large percentage of false positives are benign apps with a lot of privileges, and that the false negatives tend to be sneaky low-permission malware. We provide the components to reproduce the results (the selected feature list, the sanitized feature name map, the trained models and the evaluation scripts) and reflect on how a permission-only filter could be implemented as an early triage in a multi-layered malware detection system.
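
The sketch below is an added example, not the authors' code: it derives the engineered summaries named in the abstract from a decoded manifest and runs the first two selection steps (variance filter, mutual information ranking) over one-hot permission columns. The bucket groupings, the "dangerous" set, the score defined as a plain count, and all function names are assumptions; model-based pruning and oversampling are left out.

```python
import math
import statistics
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed buckets and "dangerous" set; the paper's own lists are not on this page.
BUCKETS = {"sms": {"SEND_SMS", "READ_SMS", "RECEIVE_SMS"},
           "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
           "network": {"INTERNET", "ACCESS_NETWORK_STATE"}}
DANGEROUS = BUCKETS["sms"] | BUCKETS["location"] | {"READ_CONTACTS", "RECORD_AUDIO"}

# Constructed sample: a decoded (text) AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def manifest_permissions(xml_text):
    """Short permission names declared by <uses-permission> elements."""
    root = ET.fromstring(xml_text)
    names = (e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission"))
    return {n.rsplit(".", 1)[-1] for n in names if n}

def engineer(perms):
    """Summary features: total count, dangerous score, per-bucket counts."""
    feats = {"n_perms": len(perms), "dangerous_score": len(perms & DANGEROUS)}
    feats.update({"bucket_" + b: len(perms & m) for b, m in BUCKETS.items()})
    return feats

def mutual_information(col, y):
    """MI in bits between a binary feature column and binary labels."""
    n, mi = len(y), 0.0
    for a in (0, 1):
        for b in (0, 1):
            p_ab = sum(v == a and t == b for v, t in zip(col, y)) / n
            if p_ab > 0:
                mi += p_ab * math.log2(p_ab * n * n / (col.count(a) * y.count(b)))
    return mi

def select(apps, labels, min_var=0.0):
    """Variance filter, then MI ranking, over one-hot permission columns."""
    vocab = sorted(set().union(*apps))
    cols = {p: [int(p in a) for a in apps] for p in vocab}
    kept = [p for p in vocab if statistics.pvariance(cols[p]) > min_var]
    return sorted(kept, key=lambda p: -mutual_information(cols[p], labels))
```

Manifests inside real APKs are stored as binary XML and must be decoded before this parser sees them. For manifests from untrusted apps, a hardened parser such as `defusedxml` is the safer choice than the standard-library one.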

Published

2025-12-26

How to Cite

Singh, A., & Singh, K. (2025). Permission-Based Android Malware Detection. Indian Journal of Computer Science, 10(5), 33–52. https://doi.org/10.17010/ijcs/2025/v10/i5/175885
