Ransomware Detection on Android: Performance and Energy

Download PDF

ICLR 2026 Conference Submission22306 Authors

20 Sept 2025 (modified: 08 Oct 2025)ICLR 2026 Conference SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: Ransomware, Android, Cybersecurity, Machine Learning, RAPIDS
TL;DR: This paper uses network traffic and lightweight/classic classifiers to detect Android ransomware, achieving high accuracy and efficiency, suitable for both cloud GPUs and resource-limited edge devices.
Abstract: The growth of the Android ecosystem has amplified the impact of mobile ransomware variants and exposed the limitations of traditional signature-based solutions. Network traffic analysis presents a promising data source for detection, but it introduces new challenges, as ransomware often disguises malicious communication patterns within standard app behavior. Traditional detection mechanisms, which rely on static signatures or handcrafted rules, struggle to counter modern Android ransomware that employs obfuscation and event-driven triggers. This limitation is particularly significant for devices with limited computational resources, where lightweight yet accurate detection is paramount. This paper proposes a pipeline that uses a network traffic dataset to extract relevant features, compares classic and hybrid classifiers (RF, SVM, XGBoost, and lightweight architectures), quantifies cost and energy efficiency on CPU versus GPU. The methodology employs a stratified training/validation/test split (70/15/15), vectorization, grid search with cross-validation, and a set of technical metrics including Accuracy, Recall, F1-Score, and ROC AUC. Experiments demonstrate that the proposed models outperform baselines reported in the literature, yielding improved metric values even under adversarial scenarios. The pipeline also strikes a balance between computational cost and energy efficiency, underscoring the models' cost-effectiveness for different environments: while GPUs accelerate training in the cloud, lightweight models remain competitive for edge deployment. Together, these findings confirm the feasibility of combining high detection accuracy with practical considerations, creating powerful and deployable models to detect ransomware on Android.
Primary Area: other topics in machine learning (i.e., none of the above)
Submission Number: 22306