Sensors report: A Stacking Ensemble Learning Framework for Android Malware Detection (2022)

Citation: Wang, X.; Zhang, L.; Zhao, K.; Ding, X.; Yu, M. MFDroid: A Stacking Ensemble Learning Framework for Android Malware Detection. Sensors 2022, 22, 2597. https://doi.org/10.3390/s22072597

Academic Editors: Alexios Mylonas and Nikolaos Pitropakis

Received: 14 February 2022
Accepted: 21 March 2022
Published: 28 March 2022

Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Copyright: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

sensors

Article

MFDroid: A Stacking Ensemble Learning Framework for Android Malware Detection

Xusheng Wang 1, Linlin Zhang 2,*, Kai Zhao 1, Xuhui Ding 1 and Mingming Yu 2

1 School of Cyber Science and Engineering, College of Information Science and Engineering, Xinjiang University, Urumqi 830046, China; wang_xs98@foxmail.com (X.W.); zhaokk@xju.edu.cn (K.Z.); xhding2021@163.com (X.D.)
2 School of Software, Xinjiang University, Urumqi 830046, China; yumm0408@foxmail.com
* Correspondence: zllnadasha@xju.edu.cn

Abstract: As Android is a popular mobile operating system, Android malware is on the rise, which poses a great threat to user privacy and security. Considering the poor detection performance of any single feature selection algorithm and the low detection efficiency of traditional machine learning methods, we propose MFDroid, an Android malware detection framework based on stacking ensemble learning. In this paper, we used seven feature selection algorithms to select permissions, API calls, and opcodes, and then merged the results of each feature selection algorithm to obtain a new feature set. Subsequently, we used this feature set to train the base learners, and set logistic regression as the meta-classifier to learn the implicit information from the output of the base learners and obtain the classification results. In our evaluation, the F1-score of MFDroid reached 96.0%. Finally, we analyzed each type of feature to identify the differences between malicious and benign applications. At the end of this paper, we present some general conclusions. In recent years, malicious applications and benign applications have been similar in terms of permission requests. In other words, a model trained only on permissions can no longer effectively or efficiently distinguish malicious applications from benign applications.

Keywords: Android malware; ensemble learning; machine learning; static analysis; feature selection

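The feature-merging step described in the abstract, as an added example that is not code from the paper: each selector ranks the static features, and the union of their top-k lists becomes the new feature set. The three scoring functions (chi-square, information gain, class-frequency gap) and the sample apps are assumptions; the preview does not name the seven algorithms MFDroid uses.

```python
import math

# Constructed sample, not data from the paper: (static features, label), 1 = malicious.
I, S, D, L, C = ("perm:INTERNET", "perm:SEND_SMS", "api:getDeviceId",
                 "api:loadLibrary", "perm:CAMERA")
APPS = [({I, S, D}, 1), ({I, S, D, L}, 1), ({I, S, D}, 1), ({I, D, L}, 1), ({I, C}, 1),
        ({I, C}, 0), ({I, C, L}, 0), ({I, C, D}, 0), ({I, L}, 0), ({I}, 0)]

def counts(apps, feat):
    """Contingency counts: (has & malicious, has & benign, lacks & malicious, lacks & benign)."""
    a = sum(1 for f, y in apps if feat in f and y == 1)
    b = sum(1 for f, y in apps if feat in f and y == 0)
    mal = sum(y for _, y in apps)
    return a, b, mal - a, len(apps) - mal - b

def chi2(apps, feat):
    """Chi-square statistic of feature presence against the label (0 if a margin is empty)."""
    a, b, c, d = counts(apps, feat)
    den = (a + b) * (c + d) * (a + c) * (b + d)
    return (a + b + c + d) * (a * d - b * c) ** 2 / den if den else 0.0

def entropy(p, q):
    t = p + q
    return -sum(x / t * math.log2(x / t) for x in (p, q) if x) if t else 0.0

def info_gain(apps, feat):
    """Reduction in label entropy after splitting the apps on feature presence."""
    a, b, c, d = counts(apps, feat)
    n = a + b + c + d
    return entropy(a + c, b + d) - (a + b) / n * entropy(a, b) - (c + d) / n * entropy(c, d)

def freq_gap(apps, feat):
    """Gap between the feature's frequency in each class (both classes must be non-empty)."""
    a, b, c, d = counts(apps, feat)
    return abs(a / (a + c) - b / (b + d))

def merged_features(apps, k, selectors=(chi2, info_gain, freq_gap)):
    """Union of each selector's top-k features; ties are broken by feature name."""
    vocab = sorted(set().union(*(f for f, _ in apps)))
    merged = set()
    for score in selectors:
        merged |= set(sorted(vocab, key=lambda ft: (-score(apps, ft), ft))[:k])
    return sorted(merged)

if __name__ == "__main__":
    print(merged_features(APPS, 1))
```

With k=1 the merged set holds two features because the selectors disagree on the top rank, and `perm:INTERNET`, requested by every constructed app, scores zero under all three selectors.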
1. Introduction

Android is the mobile operating system with the highest market share in the world. As of December 2021, the market share of Android was as high as 70% [1]. As the number of Android users has risen in recent years, harm caused by malware, such as financial loss and privacy disclosure, has become more common. In many Asian countries, the risk of being infected with malware is much higher: there are many app stores provided by various third-party vendors, and many smartphones have been rooted. There are about 1.61 billion active mobile devices in China, of which about 78.6% run Android as the operating system [2]. Therefore, from the perspective of Android information security, it is necessary to research malware detection technology and improve detection performance.

At present, there are two mainstream malware detection methods, static detection and dynamic detection [3,4]. The techniques involved in static detection include decompilation, reverse analysis, and static system call analysis. Static analysis does not need to run the application; it uses decompilation tools to perform lexical analysis, semantic analysis, etc., on the static code to extract features. APK files contain many features, such as permissions, API calls, signatures, network addresses, and hardware structures. All features can be used as a basis for judging whether an Android application is malicious. Another detection technique is dynamic detection, which places the application in a sandbox isolated from the outside world and observes the behavior of the application. Dynamic analysis involves analyzing the behavior characteristics of the application without disturbing the external software and hardware environment. If the behavior of the application is found to be