IoT malware analysis suffers from the lack of systematic evaluation across diverse feature extraction methodologies. This paper presents the first comprehensive comparative study of static, dynamic, and hybrid multi-dimensional feature extraction techniques for IoT malware, while introducing graph learning—particularly Graph Neural Networks (GNNs)—as a novel feature representation paradigm. Through systematic literature review and empirical evaluation, we rigorously assess these methods along key dimensions including accuracy, scalability, and robustness, identifying critical deployment bottlenecks such as firmware heterogeneity, sandbox evasion, and structural bias in graph modeling. Our analysis yields a reusable, evidence-based methodological guide for IoT security researchers. Moreover, it identifies promising future directions, including fine-grained behavioral modeling via graph learning and cross-architecture feature transfer. By establishing standardized evaluation criteria and benchmarking insights, this work fills a longstanding gap in systematic, reproducible assessment of IoT malware feature engineering.

As IoT devices continue to proliferate, their reliability is increasingly constrained by security concerns. In response, researchers have developed diverse malware analysis techniques to detect and classify IoT malware. These techniques typically rely on extracting features at different levels from IoT applications, giving rise to a wide range of feature extraction methods. However, current approaches still face significant challenges when applied in practice. This survey provides a comprehensive review of feature extraction techniques for IoT malware analysis from multiple perspectives. We first examine static and dynamic feature extraction methods, followed by hybrid approaches. We then explore feature representation strategies based on graph learning. Finally, we compare the strengths and limitations of existing techniques, highlight open challenges, and outline promising directions for future research.