Android ransomware has emerged as a major threat to mobile ecosystems, leveraging obfuscated payloads and dynamic command-and-control channels to evade conventional detection systems. Existing approaches often rely on static, batch-trained models that lack adaptability to evolving threat behaviors, resulting in degraded accuracy over time due to concept drift. This presents a critical challenge for real-time deployment, as new ransomware variants continually mutate their signatures and alter network traffic patterns to evade detection. To bridge this gap, this study proposes a robust ensemble-based machine learning framework for proactive detection of Android ransomware using network traffic metadata. The framework integrates advanced classifiers, including Light Gradient Boosting Machine, eXtreme Gradient Boosting Machine, and Random Forest, with Synthetic Minority Oversampling Technique enhanced stratified cross-validation to mitigate class imbalance and improve generalizability. Furthermore, explainable artificial intelligence methods such as SHapley Additive exPlanations and Local Interpretable Model-Agnostic Explanations are employed to enhance interpretability and analyst trust. In the context of ransomware detection, the importance of online learning lies in its ability to adapt to evolving threat patterns in real time. Ransomware frequently mutates payload signatures and obfuscates behavioral traces, causing traditional models to deteriorate under changing data distributions. To address this, we conducted a concept drift evaluation using an incremental LightGBM model, tested on chronologically partitioned traffic data across five temporal blocks. This approach enables continuous adaptation to new data streams without requiring full retraining, thereby maintaining detection robustness and reducing false negatives in production. Experimental results on a balanced dataset demonstrate that LightGBM achieves the highest classification performance, indicating the efficacy and adaptability of the proposed framework for real-time Android ransomware mitigation in dynamic network environments.
Kirubavathi et al. (Wed,) studied this question.