Android Feature Selection based on Permissions, Intents, and API Calls

Android is a platform that hosts roughly 99% of known mobile malware to date and is thus the focus of much research efforts in mobile malware detection. One of the main tools used in this effort is supervised machine learning. While a decade of work has made a lot of progress in detection accuracy, there is an obstacle that each stream of research is forced to overcome, feature selection, i.e., determining which attributes of Android are most effective as inputs into machine learning models. This research tackles the feature selection problem by providing the community with an exhaustive analysis of the three primary types of Android features used by researchers: Permissions, Intents and API Calls. We applied a wide spectrum of feature selection techniques including eleven different algorithms which consisted of filter methods, wrapper methods and embedded methods. Results were evaluated with three different supervised learning classifiers, Random Forest, Support Vector Machine and Neural Network, on a dataset with over 119K Android apps and over 400 features. The results showed that using a combination of Permissions, Intents and API Calls produced higher accuracy than using any of those alone or in any other combination. The results also showed that feature selection should be performed on the combined dataset, not by feature type and then combined and that the negative effects of not doing so are more pronounced the larger the feature set.