# Efficient feature ranked hybrid framework for Android IoT malware detection

**Authors:** Nahla Hafez Saeed, Alyaa A. Hamza, Mohamed A. Sobh, Ayman M. Bahaa-Eldin

PMC · DOI: 10.1038/s41598-026-35238-6 · 2026-01-27

## TL;DR

This paper introduces a hybrid framework for detecting Android IoT malware using feature ranking and a Random Forest classifier, achieving high accuracy and interpretability.

## Contribution

A novel dual feature-ranking mechanism combining Information Gain and Gini Index for efficient and accurate Android IoT malware detection.

## Key findings

- The framework achieved accuracy between 99.03% and 100% across four benchmark datasets.
- Cross-validation experiments confirmed the model's stability and generalizability.
- Interpretability analysis identified key behavioral and static features influencing classification.

## Abstract

Android-based IoT devices remain exposed to increasingly sophisticated malware, so detecting it with lightweight and accurate approaches is very important. This paper presents a hybrid malware detection framework that combines static and dynamic analysis with a dual feature-ranking mechanism, based on Information Gain and Gini Index, for selecting the most relevant features. The framework uses a Random Forest classifier optimized via systematic hyperparameter tuning and is evaluated on four benchmark datasets: Drebin, CCCS-CIC-AndMal-2020, TUANDROMD, and CIMD-2024. It showed very consistent performance across all four datasets, yielding accuracy in the range of 99.03% to 100% with corresponding F1-scores in the range of 0.98 to 1.00. However, the highly imbalanced nature of the CIMD-2024 dataset requires imbalance-handling strategies to effectively detect both majority and minority classes. Cross-validation experiments confirm the model's stability and generalizability, while the interpretability analysis pinpoints the most influential behavioral and static features that drive the classification. The results show that the proposed approach provides an efficient, interpretable, and resource-friendly solution for malware detection within Android-IoT environments.
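A sketch of dual feature ranking with Information Gain and Gini Index, as an added example that is not the paper's code. The toy data and feature names are constructed, and combining the two rankings by summed rank is an assumption, since the abstract does not say how they are merged.

```python
from math import log2

# Constructed toy data (not from the paper's datasets): one row per app,
# binary features with hypothetical names, label 1 = malware, 0 = benign.
NAMES = ["SEND_SMS", "READ_CONTACTS", "INTERNET", "dyn_exec_shell"]
X = [[1, 1, 1, 1], [1, 0, 1, 1], [1, 1, 1, 1], [0, 0, 1, 1],
     [0, 1, 1, 0], [0, 0, 1, 0], [0, 0, 1, 0], [0, 0, 1, 0]]
Y = [1, 1, 1, 1, 0, 0, 0, 0]

def entropy(labels):
    n = len(labels)
    counts = (labels.count(0), labels.count(1))
    return -sum((c / n) * log2(c / n) for c in counts if c)

def gini(labels):
    n = len(labels)
    return 1 - sum((labels.count(v) / n) ** 2 for v in (0, 1))

def score_features(X, y, names, impurity):
    """Impurity reduction from splitting the labels on each binary feature.
    With impurity=entropy this is Information Gain; with gini, Gini gain."""
    scores = {}
    for name, column in zip(names, zip(*X)):
        gain = impurity(y)
        for v in (0, 1):
            part = [lab for f, lab in zip(column, y) if f == v]
            if part:  # a constant feature leaves one side empty
                gain -= len(part) / len(y) * impurity(part)
        scores[name] = round(gain, 12)
    return scores

def to_ranks(scores):
    """Feature -> rank (1 = most informative); equal scores share a rank."""
    ordered = sorted(scores.values(), reverse=True)
    return {name: ordered.index(s) + 1 for name, s in scores.items()}

def dual_rank(X, y, names, top_k):
    """Keep the top_k features by summed IG rank and Gini rank (assumed rule)."""
    r_ig = to_ranks(score_features(X, y, names, entropy))
    r_gi = to_ranks(score_features(X, y, names, gini))
    return sorted(names, key=lambda n: r_ig[n] + r_gi[n])[:top_k]

if __name__ == "__main__":
    print("IG:  ", score_features(X, Y, NAMES, entropy))
    print("Gini:", score_features(X, Y, NAMES, gini))
    print("kept:", dual_rank(X, Y, NAMES, top_k=2))
```

The selected columns would then feed the classifier. A feature present in every sample (here `INTERNET`) scores zero under both criteria and is dropped first.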

## Figures

23 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12852859/full.md

---
Source: https://tomesphere.com/paper/PMC12852859