Review History


All reviews of published articles are made public. This includes manuscript files, peer review comments, author rebuttals and revised materials. Note: This was optional for articles submitted before 13 February 2023.

Peer reviewers are encouraged (but not required) to provide their names to the authors when submitting their peer review. If they agree to provide their name, then their personal profile page will reflect a public acknowledgment that they performed a review (even if the article is rejected). If the article is accepted, then reviewers who provided their name will be associated with the article itself.

Summary

  • The initial submission of this article was received on April 7th, 2025 and was peer-reviewed by 2 reviewers and the Academic Editor.
  • The Academic Editor made their initial decision on July 14th, 2025.
  • The first revision was submitted on August 8th, 2025 and was reviewed by 2 reviewers and the Academic Editor.
  • The article was Accepted by the Academic Editor on September 29th, 2025.

Version 0.2 (accepted)

Academic Editor

Accept

The reviewers appreciated the effort spent in the revision and do not have further critical comments on the paper. The paper is thus ready for publication in this current form. When preparing the final version of the paper, please consider addressing the suggestions proposed by Reviewer 2 to improve the paper presentation.

[# PeerJ Staff Note - this decision was reviewed and approved by Sedat Akleylek, a PeerJ Section Editor covering this Section #]

**PeerJ Staff Note:** Although the Academic and Section Editors are happy to accept your article as being scientifically sound, a final check of the manuscript shows that it would benefit from further editing. Therefore, please identify necessary edits and address these while in proof stage.

Reviewer 1

Basic reporting

-

Experimental design

-

Validity of the findings

-

Reviewer 2

Basic reporting

All comments provided within this section from the previous peer review have been comprehensively addressed. This survey paper is within the scope of the PeerJ Computer Science journal, clearly introduces the subject area, and provides a comparison to other similar reviews.

Experimental design

I appreciate the clarification on the Malware trends between 1900-1999. To further increase this clarity for readers in the future, the authors may wish to remove the word “Android” within the first paragraph and heading of section 4.2.1 (Lines 249-253).

Validity of the findings

-

Additional comments

One additional comment, which relates to Figure 7, where there is a potential typo for one of the regions: “Island”. Other than that, I have no additional suggestions. Overall, the manuscript has significantly improved since the previous version. I appreciate the efforts that the authors have made to enhance the quality of the manuscript.

Version 0.1 (original submission)

Academic Editor

Major Revisions

**PeerJ Staff Note:** It is PeerJ policy that additional references suggested during the peer-review process should only be included if the authors agree that they are relevant and useful.

**PeerJ Staff Note:** Please ensure that all review and editorial comments are addressed in a response letter and that any edits or clarifications mentioned in the letter are also inserted into the revised manuscript where appropriate.

**Language Note:** The review process has identified that the English language must be improved. PeerJ can provide language editing services - please contact us at [email protected] for pricing (be sure to provide your manuscript number and title). Alternatively, you should make your own arrangements to improve the language quality and provide details in your response letter. – PeerJ Staff

Reviewer 1

Basic reporting

The paper presents a well-structured and comprehensive review of Android malware, covering its historical development, behavioral characteristics, taxonomic classifications, and detection strategies. The authors have adopted a systematic literature review (SLR) approach following PRISMA guidelines, which adds methodological rigor to the study. The inclusion of a detailed taxonomy combining fileless and file-based malware types enhances the practical relevance of the work, particularly for researchers developing next-generation defense mechanisms.

Experimental design

The writing is generally clear and professional, and the organization follows a logical progression from introduction through methodology, findings, and conclusion. However, while the paper makes a strong contribution to the field, certain aspects, particularly in the literature review, methodology transparency, and integration of emerging technologies, require revision to meet the standards expected by high-quality journals like PeerJ Computer Science.

Validity of the findings

To strengthen the academic contribution and contextual relevance of this review, the authors should consider expanding the literature survey to include more recent studies on hybrid detection models, explainable AI frameworks, and lightweight deep learning architectures tailored for mobile environments. For instance, recent publications have explored how ensemble-based anomaly detection systems can improve robustness and generalizability across diverse Android platforms (see: https://doi.org/10.3233/JIFS-231969). Incorporating such references would better situate the current work within the broader landscape of intelligent mobile security solutions.

Additionally, while the SLR methodology is described, it could be further clarified in terms of inclusion/exclusion criteria thresholds, quality assessment procedures, and data extraction protocols. A more transparent explanation of how articles were selected and weighted would increase reproducibility and trust in the conclusions drawn. In particular, the search strings used for databases like Scopus or IEEE Xplore should be explicitly defined, as variations in query formulation can significantly affect coverage and bias (see: https://doi.org/10.1155/2021/8871230).

Another critical area for improvement lies in the discussion of malware detection techniques. While traditional static and dynamic analysis methods are well-covered, there is limited mention of deep learning-based feature extraction approaches such as LSTM, CNN, or autoencoders — which have shown promising results in recent years for Android threat detection (for example, see: https://doi.org/10.3233/IDT-230284). Expanding this section would not only reflect current trends but also provide readers with a more holistic view of evolving detection paradigms.

Furthermore, the paper would benefit from exploring federated learning strategies for collaborative malware detection across distributed Android devices without compromising user privacy. Emerging research has demonstrated how decentralized learning can support real-time intelligence sharing while maintaining data confidentiality, an aspect that aligns closely with the goals of this review (see: 10.32604/cmc.2024.047530).

Additional comments

Several sections of the paper could be improved through better formatting and language editing. There are occasional grammatical issues and inconsistencies in terminology that detract from the overall readability. For example, some figures lack captions or in-text references, reducing their explanatory value. Equations and algorithm descriptions should be properly numbered and referenced for clarity.

Moreover, the flow between sections could be enhanced. Some parts of the methodology and experimental setup contain overlapping content that could be streamlined for better readability. Additionally, the threat-to-validity section is concise but could be expanded slightly to include potential limitations related to publication bias, database selection bias, or time-bound search constraints.

There are also opportunities to enhance the technical depth of certain discussions. For instance, the preprocessing steps are described at a high level, but more detail could be added regarding how normalization and feature engineering specifically contributed to model performance. Similarly, the impact of hyperparameter tuning on model accuracy and false positive rates could be more explicitly addressed.

Suggested Literature to Cite (Indirect Recommendations)

To enhance the theoretical foundation and modern relevance of this work, the authors may consider expanding the literature survey to include recent developments in:

- Hybrid detection models that combine unsupervised learning with deep learning techniques for improved generalization,
- Explainable AI frameworks that enhance interpretability of malware classification outputs,
- Lightweight neural architectures optimized for mobile platforms,
- Federated learning-based approaches for collaborative threat intelligence sharing.

Some recent studies that may provide useful references include:

- A systematic review on ensemble-based anomaly detection in mobile environments (https://doi.org/10.3233/JIFS-231969).
- A novel approach using deep autoencoders for Android malware classification (https://doi.org/10.1155/2021/8871230).
- An investigation into explainable AI for cyber threat detection (https://doi.org/10.3233/IDT-230284).
- Lightweight deep learning models for edge computing and mobile security (10.32604/cmc.2024.047530).
- Real-time behavior monitoring frameworks for Android apps (10.1109/iCoMET48670.2020.9073872).
- Comparative analysis of anomaly detection algorithms in mobile device telemetry (DOI: 10.1109/iCoMET48670.2020.9073816).

Including such references would not only enhance the theoretical foundation of the paper but also position the proposed framework within the evolving landscape of intelligent mobile security solutions.

Reviewer 2

Basic reporting

This work is within the scope of the journal. An Android malware taxonomy (https://doi.org/10.1145/3708500) was published earlier this year, which is not highlighted within this work. It may be worthwhile to consider this taxonomy within the context of this work, highlighting the differences between the works.

It is clear what the motivation of the work is and the target audience. However, I feel like the introduction section could flow better. Several paragraphs list attacks and techniques, which can make it hard to follow. One potential way to format the first few paragraphs within the introduction section could be:
- Introduce the Android OS, highlighting its applications.
- Introduction to Android Malware. The first paragraph (Lines 33-37) is good.
- Briefly highlight the risks associated with Android malware. This could potentially be backed up by real-world examples.

Experimental design

Overall, the survey design is comprehensive. However, one concern that I have is the discussion of Android malware features in the 1900s (Section 4.2.2), given that Android did not exist during this time period. Therefore, I would suggest either removing this or clarifying what malware you are discussing during this timeframe.

There were several citation-related issues. First, line 137 mentions a study by Malwarebytes, but it is unclear which study is being referred to. On lines 167 - 170, I am unsure how Ram G. G. et al. [137] and Eman et al. [138] are related works. Furthermore, these references do not match within the References Section. It is not clear how the works discussed in the paragraph from Lines 171-182 are relevant to Android malware.

Validity of the findings

The conclusion shows how the research questions were addressed. However, the future works section was limited. Further expansion on additional research gaps would substantially improve this work.

Additional comments

Overall, this work is timely and informative. I find the threat to the validity section useful. However, there are a few issues that you may wish to address, in addition to the comments above. These are:

- The section numbering is inconsistent. For example, the first two sections are both Section 1, while the review methodology section is not numbered.
- You may wish to highlight Table 8 within the related works section.
- Within the review methodology section (Lines 200-209), Tables 1-3 are defined multiple times. You may wish to reduce this so that each table is defined within the text once in this section.
- Within the results section (Line 231), it states that the total number of publications is 71. I am assuming that this is a typo, as several publishers already exceed this on their own.
- On line 297, the wrong figure may be cited, as Figure 2 provides an overview of the number of publications each year.
- On line 535, Figure 8 is cited; however, you may have wanted to cite Figure 11 instead.
- Overall, if possible, the figures could be a little clearer; they appear a bit pixelated to me.
- The inclusion of Figure 2 detailing the annual prominence of Android Malware research is excellent. The numbers above each bar are helpful, providing exact details, which can sometimes be difficult to ascertain without them. The readability of the figure could be improved by converting the graph to a 2D graph instead of the 3D version. This would improve readability, ensuring that each bar is easily visible alongside its associated number.
- For Figure 3, it would be helpful to see the sum number at the top of each bar, similar to Figure 2, for each publisher.
- Figure 6 was not clear to me; it could be that the X-axis is incomplete.
- Within Figure 7, there are some conflicting bars. For example, France and Italy are included, but both are part of the European Union, which is also included. Furthermore, to make this graph clearer, it would be worthwhile ensuring that each region is included on the Y axis and placing the labels that are on the bars currently after the bar so that the text is easily readable.
- Figure 9 appears to be a duplicate of Figure 8.
- I would recommend checking the numbers within the tables, to ensure that all required cells are filled and are accurate.
- I found the formatting of Tables 5 and 6 to be challenging to read. You may wish to use acronyms for the malware features, which can be defined in the caption.
- For Table 7, it is not clear why the checkmark is included on certain rows for the following columns: Advanced Malware Type, Platforms Infected, Severity Rate. Furthermore, it is not clear what "H" refers to within the context of the Evolution column.
- I would recommend improving the captions, particularly for the tables.

All text and materials provided via this peer-review history page are made available under a Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.