Enhanced detection of android ransomware families using machine learning and network traffic analysis
Manmeet Mahinderjit Singh, Kalaivani Selvaraj, Zhao Wei
Abstract
Ransomware attacks on Android devices often go undetected until damage occurs, as prevention strategies are limited by inconsistent threat detection and classification. This paper presents a framework for evaluating machine learning models to detect and classify Android ransomware families through network behavioral analysis. The framework extracts discriminative features from network traffic data and segregates them into four optimal clusters using the k-means clustering method. A total of 84 critical network traffic features are identified, including source IP, destination IP, source port, destination port, traffic duration, and the total number of forward and reverse packets. These optimal features are effectively utilized to train well-known machine learning models, including decision trees (DT), random forest (RF), K-nearest neighbors (KNN), support vector machines (SVM), and bagging, to evaluate their accuracy in classifying ransomware families. Simulation results demonstrate that RF achieves the best performance with an accuracy of 95.18%, precision of 95.21%, recall of 95.27%, and F1-score of 95.19%. This framework, focused on network behavioral analysis rather than static or dynamic analysis, provides deeper insights into the behavior and characteristics of ransomware.
Keywords
Android ransomware; Classification; Detection; Dimensionality reduction; Machine learning models; Network behavioral analysis; Ransomware families
DOI: https://doi.org/10.11591/eei.v14i4.9485
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Bulletin of Electrical Engineering and Informatics (BEEI), ISSN: 2089-3191, e-ISSN: 2302-9285. This journal is published by the Institute of Advanced Engineering and Science (IAES) in collaboration with Intelektual Pustaka Media Utama (IPMU).