We report the findings of a reimplementation of 18 foundational studies in feature-based machine learning for Android malware detection, published during the period 2013-2023. These studies are reevaluated on a level playing field using a contemporary Android environment and a balanced dataset of 124,000 applications. Our findings show that feature-based approaches can still achieve detection accuracies beyond 98%, despite a considerable increase in the size of the underlying Android feature sets. We observe that features derived through dynamic analysis yield only a small benefit over those derived from static analysis, and that simpler models often out-perform more complex models. We also find that API calls and opcodes are the most productive static features within our evaluation context, network traffic is the most predictive dynamic feature, and that ensemble models provide an efficient means of combining models trained on static and dynamic features. Together, these findings suggest that simple, fast machine learning approaches can still be an effective basis for malware detection, despite the increasing focus on slower, more expensive machine learning models in the literature.

翻译：我们报告了对2013年至2023年间发表的18项基于特征的机器学习用于安卓恶意软件检测的基础性研究的重新实现结果。这些研究在公平的竞争环境下，使用当代安卓环境和包含124,000个应用程序的平衡数据集进行了重新评估。我们的研究结果表明，尽管底层安卓特征集的规模显著增加，基于特征的方法仍能达到超过98%的检测准确率。我们观察到，通过动态分析得到的特征相较于静态分析得到的特征仅带来微小的优势，且更简单的模型往往优于更复杂的模型。我们还发现，在我们的评估背景下，API调用和操作码是最具生产力的静态特征，网络流量是最具预测性的动态特征，而集成模型提供了一种有效结合静态和动态特征训练模型的方法。综上所述，这些发现表明，尽管文献中越来越关注速度较慢、成本较高的机器学习模型，但简单、快速的机器学习方法仍可作为恶意软件检测的有效基础。