🤖 AI Summary
Android malware exploits platform openness to compromise IoT security, causing data breaches and service disruptions. This paper conducts a systematic literature review to comprehensively categorize and evaluate four classes of feature extraction techniques—static, dynamic, hybrid, and graph neural network-based—within a feature-centric evaluation framework. The framework explicitly assesses trade-offs among computational efficiency, obfuscation resilience, and resource overhead. Identifying critical gaps in scalability and contextual adaptability under IoT constraints—namely, stringent latency, memory, and energy budgets—the study proposes design principles and a development roadmap for edge-deployable lightweight features. It bridges a key research gap in co-optimizing feature engineering and hardware resource constraints for cross-platform Android malware detection. The work thus provides both theoretical foundations and practical guidelines to enhance the deployability, robustness, and long-term security of Android malware detection systems in resource-constrained IoT environments.
📝 Abstract
Sophisticated malware families exploit the openness of the Android platform to infiltrate IoT networks, enabling large-scale disruption, data exfiltration, and denial-of-service attacks. This systematic literature review (SLR) examines cutting-edge approaches to Android malware analysis with direct implications for securing IoT infrastructures. We analyze feature extraction techniques across static, dynamic, hybrid, and graph-based methods, highlighting their trade-offs: static analysis offers efficiency but is easily evaded through obfuscation; dynamic analysis provides stronger resistance to evasive behaviors but incurs high computational costs, often making it unsuitable for lightweight IoT devices; hybrid approaches balance accuracy with resource considerations; and graph-based methods deliver superior semantic modeling and adversarial robustness. This survey contributes a structured comparison of existing methods, exposes research gaps, and outlines a roadmap for future directions to enhance scalability, adaptability, and long-term security in IoT-driven Android malware detection.