Abstract
Android ransomware has emerged as a major threat to mobile ecosystems, leveraging obfuscated payloads and dynamic command-and-control channels to evade conventional detection systems. Existing approaches often rely on static, batch-trained models that lack adaptability to evolving threat behaviors, resulting in degraded accuracy over time due to concept drift. This presents a critical challenge for real-time deployment, as new ransomware variants continually mutate their signatures and alter network traffic patterns to evade detection. To bridge this gap, this study proposes a robust ensemble-based machine learning framework for proactive detection of Android ransomware using network traffic metadata. The framework integrates advanced classifiers, including Light Gradient Boosting Machine, eXtreme Gradient Boosting Machine, and Random Forest, with Synthetic Minority Oversampling Technique enhanced stratified cross-validation to mitigate class imbalance and improve generalizability. Furthermore, explainable artificial intelligence methods such as SHapley Additive exPlanations and Local Interpretable Model-Agnostic Explanations are employed to enhance interpretability and analyst trust. In the context of ransomware detection, the importance of online learning lies in its ability to adapt to evolving threat patterns in real time. Ransomware frequently mutates payload signatures and obfuscates behavioral traces, causing traditional models to deteriorate under changing data distributions. To address this, we conducted a concept drift evaluation using an incremental LightGBM model, tested on chronologically partitioned traffic data across five temporal blocks. This approach enables continuous adaptation to new data streams without requiring full retraining, thereby maintaining detection robustness and reducing false negatives in production. 
Experimental results on a balanced dataset demonstrate that LightGBM achieves the highest classification performance, indicating the efficacy and adaptability of the proposed framework for real-time Android ransomware mitigation in dynamic network environments.
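The drift evaluation described in the abstract (train once, then test on chronologically ordered blocks while an incremental model keeps updating) can be sketched as follows. This is an added example, not the authors' code: it swaps in a small SGD logistic regression for incremental LightGBM so it runs with the standard library alone, and the two-feature traffic data, the drift pattern and all names are constructed assumptions.

```python
import math
import random

SEP, N_PER_CLASS, BLOCKS, LR = 4.0, 300, 5, 0.1

def make_block(rng, k):
    """Constructed flow features for temporal block k; label 1 = ransomware.
    Drift: the ransomware signal migrates from feature 0 to feature 1."""
    a = k / (BLOCKS - 1)
    mean = (SEP * (1 - a), SEP * a)
    rows = [([rng.gauss(0, 1), rng.gauss(0, 1)], 0) for _ in range(N_PER_CLASS)]
    rows += [([rng.gauss(mean[0], 1), rng.gauss(mean[1], 1)], 1) for _ in range(N_PER_CLASS)]
    rng.shuffle(rows)
    return rows

class OnlineLogReg:
    """Stand-in incremental learner (SGD logistic regression, not LightGBM)."""
    def __init__(self):
        self.w, self.b = [0.0, 0.0], 0.0

    def score(self, x):
        return self.w[0] * x[0] + self.w[1] * x[1] + self.b

    def partial_fit(self, rows):
        for x, y in rows:
            z = max(-30.0, min(30.0, self.score(x)))
            err = y - 1.0 / (1.0 + math.exp(-z))
            self.w = [wi + LR * err * xi for wi, xi in zip(self.w, x)]
            self.b += LR * err

    def accuracy(self, rows):
        return sum((self.score(x) > 0) == (y == 1) for x, y in rows) / len(rows)

def drift_eval(seed=7):
    """Train on block 0, then test-then-train over the later blocks."""
    rng = random.Random(seed)
    blocks = [make_block(rng, k) for k in range(BLOCKS)]
    static, incremental = OnlineLogReg(), OnlineLogReg()
    static.partial_fit(blocks[0])
    incremental.partial_fit(blocks[0])
    static_acc, incr_acc = [], []
    for block in blocks[1:]:
        static_acc.append(static.accuracy(block))     # frozen batch-trained model
        incr_acc.append(incremental.accuracy(block))  # scored before labels are seen
        incremental.partial_fit(block)                # then adapted to the new block
    return static_acc, incr_acc

if __name__ == "__main__":
    for k, (sa, ia) in enumerate(zip(*drift_eval()), start=1):
        print(f"block {k}: static={sa:.3f} incremental={ia:.3f}")
```

Scoring each block before training on it keeps the incremental model's accuracy an honest estimate of what it would have achieved in production at that point in time.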
Data availability
The datasets analyzed during the current study are available in the IEEE DataPort and Kaggle repository at https://dx.doi.org/10.21227/d744-tb96 and https://doi.org/10.34740/KAGGLE/DSV/4987535.
Author information
Contributions
Kirubavathi G.: Conceptualization, Data curation, Methodology, Supervision, Writing-original draft, Writing-review & editing. Padma Mayuri B.: Methodology, Data curation, Feature engineering, Writing-original draft. Pranathasree S.: Methodology, Software, Model development. Rajeswari Alagappan: Methodology, Software, implementation. Amal Ajayan: Software, Writing-original draft, Writing-review & editing. Waleed M. Ismael: Investigation, Experimental design, Writing-review & editing. Ateeq Ur Rehman: Supervision, Project administration, Result interpretation, Writing-review & editing. All authors have read and approved the final manuscript.
Ethics declarations
Competing interests
The authors declare no competing interests.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
About this article
Cite this article
Kirubavathi, G., Padma Mayuri, B., Pranathasree, S. et al. Ensemble machine learning for proactive android ransomware detection using network traffic. Sci Rep (2026). https://doi.org/10.1038/s41598-026-38271-7
DOI: https://doi.org/10.1038/s41598-026-38271-7