A Perturbation and Symmetry-Based Analysis of Mobile Malware Dynamics in Smartphone Networks

Abstract

In this paper, we present a mathematical model, $M_{siqr}$, to analyze the dynamics of mobile malware propagation in smartphone networks. The model segments the mobile device population into susceptible, exposed, infected, quarantined, and recovered compartments, integrating critical control parameters such as infection and quarantine rates. The analytical results include the derivation of the basic reproduction number, $R_0$, along with equilibrium and stability analyses that provide insights into long-term system behavior. A focused scenario analysis compares the baseline dynamics with a more aggressive malware variant and a more effective quarantine response. The results show that increased infectivity sharply escalates the peak of infection, while enhanced quarantine measures effectively suppress it. This highlights the importance of prompt containment strategies even under more virulent conditions. The sensitivity analysis identifies the infection rate as the most influential parameter driving peak infection, while the quarantine rate exerts the most significant dampening effect. Monte Carlo simulations of parameter uncertainty reveal a consistently high epidemic potential across varied conditions. A parameter sweep across the infection–quarantine space further maps out the conditions under which malware outbreaks can be mitigated or prevented. Overall, the model demonstrates that mobile malware poses sustained epidemic risk under uncertainty, but effective control parameters—particularly quarantine—can drastically alter outbreak trajectories.

1. Introduction

The increase in malware-infected applications, particularly on the Google Play Store, poses a significant threat, often enabling botnet-driven Distributed Denial-of-Service (DDoS) attacks. Understanding the dynamics of malware propagation in Android devices is crucial for developing effective prevention and mitigation strategies. This article introduces a mathematical model based on an epidemic approach, similar to classical models for biological diseases or computer worms, to describe the malware spread in a homogeneous network of Android devices [1].

Smartphone malware and its evolution, infection vectors, potential damage, and propagation models have been previously investigated, with an emphasis on emerging trends [2,3]. Malware is broadly defined as software designed to disrupt, damage, or gain unauthorized access to a computer system [4,5], encompassing various forms like viruses, trojans, and bots, all characterized by malicious intent without user consent [6].

The frequency and sophistication of malware infections are escalating [7]. Cybercriminals continually develop new methods to exploit vulnerabilities, including targeted attacks for extortion using stolen data or asset control [8]. These tactics involve social engineering [9], phishing [10], and zero-day exploits [11]. Malware is also evolving with capabilities like timed concealment [12], mutation, encryption [13], and Advanced Persistent Threats (APTs) [14], rendering basic antivirus systems ineffective. Furthermore, attackers are increasingly targeting Internet of Things (IoT) environments due to their often weaker security [15]. In response, individuals and organizations are prioritizing advanced security measures, user education, and specialized cybersecurity services [7]. However, proactive collaborative strategies between industry, government, and researchers remain underdeveloped [16]. The current malware campaigns focus on profit generation through fraud, spam, authentication theft, data exfiltration, and botnet rentals [17]. Android OS malware is a prevalent threat due to the operating system’s open-source nature, widespread use, and the high volume of new applications, making it an easy target [18,19]. In 2023, nearly 33.8 million mobile attacks were thwarted, with adware being the most common (40.8%) [19], underscoring the need for robust evolving security. Malware can extract user data, control the OS, send unauthorized SMS messages, make calls, or install paid apps for illicit profit [20], motivating further study of Android OS malware.

Mathematical models of malware propagation help to estimate the potential impact of attacks, inform countermeasures, and support the development of effective defense strategies. By categorizing devices into compartments such as susceptible, infected, and recovered, ordinary differential equations (ODEs) can be used to describe the temporal evolution of these populations. Unlike biological epidemics—where model construction is often hindered by limited or noisy data [21,22,23]—the behavior of smartphone malware is often more observable and analyzable. Moreover, the finite number of smartphones introduces a natural logistic constraint on the spread. Given the complexity of constructing precise ODE models, we adopt a stylized yet mathematically tractable formulation. Despite its simplicity, this approach allows parameters to reflect the key technological aspects of the malware’s behavior.

Our proposed work presents a mathematical model ($M_{siqr}$) for mobile malware spread with the following main contributions:

• Quarantine modeling: Includes a quarantine compartment and dual recovery paths to reflect real containment behavior.
• Stability and $R_0$ analysis: Derive the basic reproduction number and determine when malware dies out or persists.
• Perturbation and sensitivity: Identify infection and quarantine rates as key parameters affecting outbreak size and timing.
• Optimal control: Designs time-based strategies to reduce infections and enhance quarantine, achieving high cost-effectiveness.
• Symmetry analysis: Examines time translation, rotational, reflection, and approximate scaling symmetries to simplify system behavior and support effective intervention timing.
• Simulations: Use Python simulations and Monte Carlo methods to validate results under different scenarios.
• Impact: Shows that control can delay infection peaks, speed up recovery, and reduce total damage.

This paper is structured as follows: Section 2 reviews the related studies and their limitations. Section 3 describes the $M_{siqr}$ model. Section 4 covers the equilibrium and stability analysis, including the reproduction number ${\mathcal{R}}_0$. Section 5 presents the simulation results and sensitivity analysis. Section 6 introduces the control strategies and compares their effectiveness. Section 7 discusses the main limitations and future work. Section 8 summarizes the findings.

2. Related Work

The study of mobile malware propagation has evolved significantly in recent years, with researchers developing various mathematical models to understand and predict malware spread patterns. Complex network theory has been applied to mobile phone virus propagation [24], establishing a foundation for network-based malware modeling. This work demonstrated how network topology influences infection dynamics but did not incorporate quarantine mechanisms or distinguish between different disconnection pathways that characterize modern mobile security protocols.

Epidemiological frameworks have been extended to investigate the impact of cybersecurity awareness on mobile malware propagation [25]. These approaches highlighted the importance of user behavior in malware containment, yet the models lack explicit quarantine compartments and do not differentiate between natural device turnover and malware-induced disconnections. This limitation reduces the model’s applicability to scenarios where active isolation strategies are employed.

Network automata approaches have been developed for modeling malware spread over SMS networks [26], focusing on discrete-time dynamics and cellular communication vectors. While these methods capture SMS-specific propagation mechanisms, they do not address the continuous-time dynamics essential for real-time malware response systems, nor do they incorporate recovery pathways that account for both direct recovery and post-quarantine rehabilitation.

Recent advances in malware modeling have explored more sophisticated compartmental structures. Epidemiological-inspired models for self-propagating malware have emerged as powerful tools for understanding cyber threats [27], demonstrating how traditional epidemic frameworks can be adapted to cyber security, yet these approaches lack mobile-specific considerations such as device mobility and network heterogeneity. Quarantine strategies in networks with heterogeneous immunity have been investigated [28], focusing on network-level isolation mechanisms but not addressing device-specific quarantine states that characterize mobile security protocols.

Traditional SIRA (Susceptible, Infected, Removed, Antidotal) models have been extended to incorporate quarantine mechanisms [29], although these approaches primarily focus on network-level isolation rather than the dual recovery pathways observed in mobile environments. SEIRS-based models for mobile device malware propagation have been developed to capture reinfection dynamics [30], yet they typically assume homogeneous device populations and do not differentiate between various disconnection mechanisms that characterize mobile networks.

Comprehensive frameworks for mathematical models of malware propagation have been proposed [31], highlighting the need for more sophisticated approaches that capture network complexity. However, these models often lack the granular treatment of mobile-specific characteristics such as device turnover and malware-induced performance degradation. The SUIQR (Susceptible, Undetectable, Infected, Quarantined, Recovered) model has been developed [32], representing a significant advancement in incorporating quarantine dynamics for wireless sensor networks, yet this model does not address the dual recovery pathways observed in mobile environments.

SEIRS–NIMFA models for IoT networks have been proposed [33], focusing on latency periods in malware propagation, but these approaches do not distinguish between natural device turnover and malware-induced disconnections. Comprehensive reviews of mathematical models for malware propagation [34] reveal that most existing approaches are based on ordinary differential equations but fail to capture individual device characteristics and dynamic behaviors, a limitation particularly pronounced in mobile environments where device heterogeneity, user behavior variability, and network mobility patterns significantly influence malware spread dynamics.

Despite these advances, the existing models exhibit several critical gaps. First, they typically employ simplified compartmental structures that fail to capture the complexity of modern mobile security ecosystems, particularly the role of quarantine as an active containment strategy. Second, most models do not distinguish between different types of device disconnection—natural turnover versus malware-induced failures—which is crucial for accurate parameter estimation and control strategy design. Third, the existing frameworks often overlook the dual recovery pathways observed in practice, where devices may recover either through direct intervention or following a quarantine period. The $M_{siqr}$ model addresses these limitations by introducing a dedicated quarantine compartment ($M_q$) that reflects contemporary mobile security practices, explicitly modeling three distinct disconnection mechanisms (${\delta }_1$, ${\delta }_2$, and ${\delta }_3$) to capture the heterogeneity of device departure processes, and incorporating dual recovery pathways (${\theta }_2$ and q) that align with real-world malware remediation strategies. Unlike existing models that treat quarantine as a simple removal mechanism, our approach distinguishes between active quarantine states and various forms of device disconnection, providing a more nuanced understanding of mobile malware dynamics. This comprehensive framework enables more accurate prediction of malware propagation patterns and supports the development of targeted intervention strategies for mobile network security.

3. Methodology and Model Formulation

To study the propagation dynamics of malware in mobile networks, we propose a compartmental model denoted as $M_{siqr}$, which divides the mobile device population into four interacting classes: susceptible ($M_s$), infected ($M_i$), quarantined ($M_q$), and recovered ($M_r$). This model adopts the structure of classical epidemic frameworks but is tailored to reflect the unique characteristics of mobile malware, including device turnover and malware-induced disconnection.

The model is represented by a system of nonlinear ordinary differential equations (1) that govern the evolution of each compartment over time. The equations are given by

$$\begin{array}{cc}\hfill \dot{M_s}& =\lambda -\mathsf{\Pi }{M}_s{M}_i-{\delta }_1{M}_s\hfill \\ \hfill \dot{M_i}& =\mathsf{\Pi }{M}_s{M}_i-\theta M_i-{\delta }_1{M}_i-{\delta }_2{M}_i\hfill \\ \hfill \dot{M_q}& ={\theta }_1{M}_i-q{M}_q-{\delta }_1{M}_q-{\delta }_3{M}_q\hfill \\ \hfill \dot{M_r}& =q{M}_q+{\theta }_2{M}_i-{\delta }_1{M}_r\hfill \end{array}$$

(1)

where $\theta ={\theta }_1+{\theta }_2$ over the region $\mathcal{N}=\{p=(M_s,M_i,M_q,M_r):p_i\ge 0,M_N\le {\displaystyle \frac{\lambda }{{\delta }_1}}\}$, where $M_N=M_s+M_i+M_q+M_r$.

Figure 1 visualizes the spread and control of mobile malware.

Table 1. Definitions of parameters used in the $M_{siqr}$ mobile malware propagation model.

Parameter	Description
$M_s$	Susceptible mobiles: Devices vulnerable to malware infection.
$M_i$	Infected mobiles: Devices compromised by malware.
$M_r$	Recovered mobiles: Devices that have recovered from malware infection.
$M_q$	Isolated mobiles: Devices isolated from the network to prevent malware spread.
$\mathsf{\Pi }$	Effective contact rate
${\theta }_1$	Quarantine rate
${\theta }_2$	Recovery rate
q	Rate of quarantine to become recovered
$\lambda$	Rate of growth of the mobile network
${\delta }_1$	Natural disconnected rate of mobiles from the network
${\delta }_2$	Disconnected by malware effects
${\delta }_3$	Disconnected by malware for quarantined mobiles

outlines the meaning of each variable and parameter in the differential equation system.

Model (1) parameters are operationally defined through measurable mobile network behaviors. The effective contact rate $\mathsf{\Pi }$ represents successful malware transmissions per device pair per day, quantified via Bluetooth and WiFi Direct proximity logs. Network growth rate $\lambda$ corresponds to new device activations recorded in carrier provisioning systems. Quarantine rate ${\theta }_1$ reflects the inverse of mean detection time from mobile security services, while recovery rate ${\theta }_2$ captures devices cleared through OS updates or user remediation. Disconnection parameters include ${\delta }_1$ for natural device turnover from carrier churn metrics, ${\delta }_2$ for malware-induced disconnections via performance thresholds, and ${\delta }_3$ for carrier-enforced isolation of compromised devices.

Each parameter’s measurement derives from established protocols. Transmission rates use packet sniffing and proximity detection. Containment parameters draw from security service telemetry with temporal resolution matching actual response cycles. Disconnection metrics follow 3GPP and GSMA reporting standards for mobile networks. Validation occurs through historical outbreak comparisons, with parameter ranges constrained by empirical observations from documented malware campaigns and carrier network statistics. This operational grounding ensures all theoretical parameters correspond to measurable network phenomena while maintaining model tractability.

We begin our model validation and analysis with the following theorem to demonstrate that the total number of devices remains non-negative and bounded over time, ensuring the model’s consistency and feasibility.

Theorem 1.

($\mathcal{N}$) is a positive invariant set, where the closed set $\mathcal{N}$ is defined by $\mathcal{N}=\{p=(M_s,M_i,M_q,M_r):p_i\ge 0,M_N\le {\displaystyle \frac{\lambda }{\delta }}\}$.

Proof. 

Let $M_N=M_s+M_i+M_q+M_r$ be the total network nodes. Then, $\dot{M_N}=\dot{M_s}+\dot{M_i}+\dot{M_q}+\dot{M_r}$. Using the main model (1), we can obtain $\dot{M_N}=\lambda -{\delta }_1(M_s+M_i+M_q+M_r)-{\delta }_1{M}_i-{\delta }_2{M}_q\le \lambda -{\delta }_1{M}_N\Rightarrow \dot{M_N}\le \lambda -{\delta }_1{M}_N$. Therefore, theorem [35] can be used to prove that $M_N\le M_N\left(0\right)e^{-\delta t}+{\displaystyle \frac{\lambda }{\delta }}(1-e^{-\delta t})$. In particular, if $M_N\left(0\right)\le {\displaystyle \frac{\lambda }{\delta }}$, then $M_N\left(t\right)\le {\displaystyle \frac{\lambda }{\delta }}$ as required. This shows that $\mathcal{N}$ is positively invariant.    □

The $M_{siqr}$ mobile malware model offers a comprehensive framework that bridges theoretical analysis with practical cybersecurity insights. It establishes mathematical well-posedness via positive invariance, derives the basic reproduction number ${\mathcal{R}}_0$ as a persistence threshold, and provides closed-form expressions for equilibrium states. The model innovatively incorporates quarantine dynamics ($M_q$), distinguishes disconnection pathways (${\delta }_1$, ${\delta }_2$, and ${\delta }_3$), and captures recovery both directly (${\theta }_2$) and post-quarantine (q). These features enhance predictive capabilities, support outbreak assessment, and guide malware control strategies. By adapting epidemiological modeling to mobile networks, the model remains analytically tractable while laying the groundwork for optimal mobile security interventions.

Our model assumes uniform interaction patterns, while real mobile networks exhibit heterogeneous connectivity and device susceptibility. The relationship between $R_0^{\mathrm{hom}}$ (reproduction number under homogeneous mixing) and $R_0^{\mathrm{true}}$ (actual reproduction number in heterogeneous networks) follows [24]:

$$R_0^{\mathrm{hom}}=R_0^{\mathrm{true}}·\left(1+{\displaystyle \frac{\mathrm{Var}\left(k\right)}{{\langle k\rangle }^2}}\right)·\left(1+{\displaystyle \frac{\mathrm{Var}\left(\beta \right)}{{\langle \beta \rangle }^2}}\right)$$

For Android networks, connectivity variance gives ${\displaystyle \frac{\mathrm{Var}\left(k\right)}{{\langle k\rangle }^2}}\approx 0.18$ and security behavior variance yields ${\displaystyle \frac{\mathrm{Var}\left(\beta \right)}{{\langle \beta \rangle }^2}}\approx 0.12$ [25,26].

The combined effect results in $R_0^{\mathrm{hom}}\approx 1.32R_0^{\mathrm{true}}$, overestimating by $32\%$. This conservative bias is beneficial for security assessment as it provides safety margins. The epidemic threshold remains valid: $R_0^{\mathrm{hom}}>1\iff R_0^{\mathrm{true}}>0.76$.

Our homogeneous assumption simplifies network clustering and temporal variations but maintains qualitative dynamics with only $0.1$ absolute error in threshold detection. The $32\%$ overestimation compensates for these simplifications, making the model suitable for preliminary threat assessment and control strategy evaluation.

4. Equilibrium Analysis and Stability of the Malware Spread Model

This involves proving that the total number of devices does not decrease below zero and remains within a certain bound. Equilibrium points are crucial as they represent the states where the system remains constant over time, meaning there are no changes in the number of devices in each compartment.

Let the system (1) (right-hand side) equal to zero:

$$(\dot{M_s},\dot{M_i},\dot{M_q},\dot{M_r})=\overrightarrow{\mathbf{0}}$$

(2)

A trivial solution of (2) is the malware-free equilibrium point $MF{E}_0=\left({\displaystyle \frac{\lambda }{{\delta }_1}},0,0,0\right)$.

The second equilibrium point, representing a successful mobile attack equilibrium (SME), can be derived by solving the system of equations. Using analytical methods, we obtain

$$\begin{array}{cc}\hfill M_s^{*}& ={\displaystyle \frac{\lambda }{{\delta }_1}}{\displaystyle \frac{1}{{\mathcal{R}}_0}}\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill M_i^{*}& ={\displaystyle \frac{{\delta }_1}{\mathsf{\Pi }}}\left({\mathcal{R}}_0-1\right)\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill M_q^{*}& ={\displaystyle \frac{{\theta }_1{\delta }_1}{({\delta }_1+{\delta }_3+q)\mathsf{\Pi }}}\left({\mathcal{R}}_0-1\right)\hfill \end{array}$$

(5)

$$\begin{array}{cc}\hfill M_r^{*}& ={\displaystyle \frac{{\theta }_2{M}_i^{*}+q{M}_q^{*}}{{\delta }_1}}\hfill \end{array}$$

(6)

where the basic reproduction number ${\mathcal{R}}_0$ is given by

$${\mathcal{R}}_0={\displaystyle \frac{\lambda \mathsf{\Pi }}{{\delta }_1({\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2)}}$$

(7)

This expression for ${\mathcal{R}}_0$ has a clear epidemiological interpretation: it represents the product of

• ${\displaystyle \frac{\lambda }{{\delta }_1}}$: the average number of susceptible mobile devices in the absence of malware;
• ${\displaystyle \frac{\mathsf{\Pi }}{{\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2}}$: the infection contribution of a single infected device during its infectious period.

By substituting the expression for $M_i^{*}$ into the formula for $M_r^{*}$, we can obtain an explicit expression as follows:

$$\begin{array}{cc}\hfill M_r^{*}& ={\displaystyle \frac{{\theta }_2{M}_i^{*}+q{M}_q^{*}}{{\delta }_1}}={\displaystyle \frac{{\theta }_2\frac{{\delta }_1}{\mathsf{\Pi }}({\mathcal{R}}_0-1)+q\frac{{\theta }_1{\delta }_1}{({\delta }_1+{\delta }_3+q)\mathsf{\Pi }}({\mathcal{R}}_0-1)}{{\delta }_1}}\hfill \\ \hfill & ={\displaystyle \frac{{\delta }_1}{\mathsf{\Pi }{\delta }_1}}({\mathcal{R}}_0-1)\left[{\theta }_2+{\displaystyle \frac{q{\theta }_1}{({\delta }_1+{\delta }_3+q)}}\right]={\displaystyle \frac{1}{\mathsf{\Pi }}}({\mathcal{R}}_0-1)\left[{\theta }_2+{\displaystyle \frac{q{\theta }_1}{({\delta }_1+{\delta }_3+q)}}\right]\hfill \end{array}$$

Importantly, the endemic equilibrium point $SME$ only exists when ${\mathcal{R}}_0>1$ as this ensures all compartments are non-negative.

Introducing these equilibrium points helps us to understand the long-term behavior of the system and the conditions under which the malware infection can be eradicated or persist within the mobile network.

Corollary 1.

The system (1) has exactly two equilibrium points:

• Malware-free equilibrium: $MF{E}_0=\left({\displaystyle \frac{\lambda }{{\delta }_1}},0,0,0\right)$ when ${\mathcal{R}}_0\le 1$.
• Successful mobile attack equilibrium: $SM{E}^{*}=(M_s^{*},M_i^{*},M_q^{*},M_r^{*})$ when ${\mathcal{R}}_0>1$.

Theorem 2.

For the malware-free equilibrium $MF{E}_0=\left({\displaystyle \frac{\lambda }{{\delta }_1}},0,0,0\right)$ of system (1), the following statements hold:

• $MF{E}_0$ is locally asymptotically stable when ${\mathcal{R}}_0<1$.
• $MF{E}_0$ is unstable when ${\mathcal{R}}_0>1$.
• $MF{E}_0$ is globally asymptotically stable when ${\mathcal{R}}_0<1$.

Proof. 

To determine the local stability, we evaluate the Jacobian matrix at $MF{E}_0$:    

$$J\left(MF{E}_0\right)=\left(\begin{array}{cccc}-{\delta }_1& -\mathsf{\Pi }{\displaystyle \frac{\lambda }{{\delta }_1}}& 0& 0\\ 0& \mathsf{\Pi }{\displaystyle \frac{\lambda }{{\delta }_1}}-({\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2)& 0& 0\\ 0& {\theta }_1& -({\delta }_1+q+{\delta }_3)& 0\\ 0& {\theta }_2& q& -{\delta }_1\end{array}\right)$$

(8)

The eigenvalues of $J\left(MF{E}_0\right)$ are shown in

Table 2. Eigenvalues of the Jacobian matrix at $MF{E}_0$.

${\lambda }_1$	${\lambda }_2$	${\lambda }_3$	${\lambda }_4$
$-{\delta }_1$	$({\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2)({\mathcal{R}}_0-1)$	$-({\delta }_1+{\delta }_3+q)$	$-{\delta }_1$

.

When ${\mathcal{R}}_0<1$, all eigenvalues listed in Table 2 have negative real parts, confirming that $MF{E}_0$ is locally asymptotically stable. When ${\mathcal{R}}_0>1$, ${\lambda }_2>0$, making $MF{E}_0$ unstable.

For global stability when ${\mathcal{R}}_0<1$, consider the Lyapunov function:

$$\mathcal{L}\left(t\right)=M_i\left(t\right)$$

(9)

The time derivative of $\mathcal{L}$ along the solutions of system (1) is

$$\begin{array}{cc}\hfill \dot{\mathcal{L}}& =\dot{M_i}\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill & =\mathsf{\Pi }{M}_s{M}_i-({\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2)M_i\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill & \le \mathsf{\Pi }{\displaystyle \frac{\lambda }{{\delta }_1}}{M}_i-({\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2)M_i\hfill \end{array}$$

(12)

$$\begin{array}{cc}\hfill & =({\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2)({\mathcal{R}}_0-1)M_i\hfill \end{array}$$

(13)

Since ${\mathcal{R}}_0<1$, we have $\dot{\mathcal{L}}\le 0$ for all $M_i>0$, with equality only when $M_i=0$. By LaSalle’s invariance principle, all solutions converge to the largest invariant set where $\dot{\mathcal{L}}=0$, which is precisely $MF{E}_0$. Therefore, $MF{E}_0$ is globally asymptotically stable when ${\mathcal{R}}_0<1$.    □

Theorem 3.

The endemic equilibrium point $SM{E}^{*}$ of system (1) is

• locally asymptotically stable when ${\mathcal{R}}_0>1$.
• globally asymptotically stable when ${\mathcal{R}}_0>1$.

Proof. 

For local stability analysis, we compute the Jacobian matrix at $SM{E}^{*}$:

$$J\left(SM{E}^{*}\right)=\left(\begin{array}{cccc}-{\delta }_1-\mathsf{\Pi }{M}_i^{*}& -\mathsf{\Pi }{M}_s^{*}& 0& 0\\ \mathsf{\Pi }{M}_i^{*}& \mathsf{\Pi }{M}_s^{*}-({\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2)& 0& 0\\ 0& {\theta }_1& -({\delta }_1+{\delta }_3+q)& 0\\ 0& {\theta }_2& q& -{\delta }_1\end{array}\right)=\left(\begin{array}{cc}A& \mathbf{0}\\ C& B\end{array}\right)$$

(14)

where

$$\begin{array}{cc}\hfill A& =\left(\begin{array}{cc}-{\delta }_1-\mathsf{\Pi }{M}_i^{*}& -\mathsf{\Pi }{M}_s^{*}\\ \mathsf{\Pi }{M}_i^{*}& \mathsf{\Pi }{M}_s^{*}-({\delta }_1+{\delta }_2+{\theta }_1+{\theta }_2)\end{array}\right)\hfill \end{array}$$

(15)

$$\begin{array}{cc}\hfill B& =\left(\begin{array}{cc}-({\delta }_1+{\delta }_3+q)& 0\\ q& -{\delta }_1\end{array}\right)\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill C& =\left(\begin{array}{cc}0& {\theta }_1\\ 0& {\theta }_2\end{array}\right)\hfill \end{array}$$

(17)

The eigenvalues of $J\left(SM{E}^{*}\right)$ are the eigenvalues of matrices A and B.

Since ${\mathcal{R}}_0>1$, we can show that $\mathrm{tr}\left(A\right)<0$ and $\det \left(A\right)>0$.

This ensures that ${\lambda }_3$ and ${\lambda }_4$ have negative real parts. Combined with ${\lambda }_1,{\lambda }_2<0$, all eigenvalues have negative real parts, as shown in

Table 3. Eigenvalues of the Jacobian matrix at $SM{E}^{*}$.

From Matrix B	From Matrix A
${\lambda }_1=-({\delta }_1+{\delta }_3+q)$	${\lambda }_3={\displaystyle \frac{-\mathrm{tr}\left(A\right)+\sqrt{{\left(\mathrm{tr}\left(A\right)\right)}^2-4\det \left(A\right)}}{2}}$
${\lambda }_2=-{\delta }_1$	${\lambda }_4={\displaystyle \frac{-\mathrm{tr}\left(A\right)-\sqrt{{\left(\mathrm{tr}\left(A\right)\right)}^2-4\det \left(A\right)}}{2}}$

. By the Routh–Hurwitz criterion, $SM{E}^{*}$ is locally asymptotically stable.

For global stability when ${\mathcal{R}}_0>1$, consider the following Lyapunov function:

$$\mathcal{L}={\displaystyle \frac{{(M_s-M_s^{*})}^2}{2}}+M_s^{*}{M}_i^{*}\left({\displaystyle \frac{M_i}{M_i^{*}}}-ln{\displaystyle \frac{M_i}{M_i^{*}}}-1\right)$$

(18)

The time derivative of $\mathcal{L}$ along the solutions of system (1) is

$$\dot{\mathcal{L}}=-({\delta }_1+\mathsf{\Pi }{M}_i){(M_s-M_s^{*})}^2$$

(19)

Since $M_i\ge 0$ and ${\delta }_1>0$, we have $\dot{\mathcal{L}}\le 0$ for all values in the feasible region, with equality only at $SM{E}^{*}$. By LaSalle’s invariance principle, all solutions converge to $SM{E}^{*}$, proving that the endemic equilibrium is globally asymptotically stable when ${\mathcal{R}}_0>1$.    □

The stability analysis presented above provides a comprehensive understanding of the long-term behavior of the mobile malware propagation model. When ${\mathcal{R}}_0<1$, the malware-free equilibrium is both locally and globally asymptotically stable, indicating that the malware will eventually be eradicated from the system. When ${\mathcal{R}}_0>1$, the endemic equilibrium becomes both locally and globally asymptotically stable, meaning that malware will persist in the system at levels determined by the endemic equilibrium.

These theoretical results have significant practical implications for mobile security strategies. They establish a clear threshold condition (${\mathcal{R}}_0=1$) that separates two qualitatively different long-term behaviors of the system. Control measures should be designed to reduce ${\mathcal{R}}_0$ below unity to ensure the eradication of malware from the mobile network.

5. Numerical Methods and Implementation

To complement the analytical results, we perform numerical simulations to visualize the malware spread dynamics under various parameter settings. The model is implemented in Python using numpy, matplotlib.pyplot, scipy.integrate.solve_ivp, scipy.optimize.minimize, pandas, mpl_toolkits.mplot3d.Axes3D, and sympy libraries for numerical integration and plotting. Key outputs include time-series plots of each compartment and sensitivity analysis results, allowing for the assessment of control measures and model robustness.

Table 4. Parameters and values in the $M_{siqr}$ model.

Parameter	$\mathsf{\Pi }$	${\theta }_1$	${\theta }_2$	q	$\lambda$	${\delta }_1$	${\delta }_2$	${\delta }_3$
Value	0.015–0.085	0.12–0.18	0.05–0.10	0.20–0.35	0.001–0.005	0.01–0.03	0.15–0.25	0.08–0.12

values were obtained from (1) malware campaign analyses (Ghost Push, HummingBad [36]) for $\mathsf{\Pi }$ and ${\delta }_2$, (2) antivirus reports (Google Play Protect, Kaspersky [37]) for ${\theta }_1$, and (3) network statistics (GSMA, Ericsson [38]) for $\lambda$ and ${\delta }_1$. Fitted parameters (${\theta }_2$ and q) were calibrated via Monte Carlo simulations constrained by outbreak case studies [39]. All time-dependent parameters use units of day⁻¹.

Limitations include the following: (1) spatial homogeneity assumption (15–25% transmission overestimation), (2) static parameters ignoring temporal variations, and (3) uniform susceptibility despite real-world device heterogeneity (30% OS patch lag). Values represent global averages from 2022–2023 datasets, with regional variations expected.

The dynamics of malware propagation, both over time and also under varying conditions of the basic reproduction number $R_0$, are well illustrated in Figure 2a,b, representing those scenarios where $R_0<1$, meaning the malware will eventually be disabled. Figure 2a shows this scenario of a short-term span, and Figure 2b shows this over a long-term span; both are consistent in showing the eventual decline (and eradication) of the malware as a result of effective containment.

By contrast, when $R_0>1$, this indicates the malware propagation impact is increasing over time. Figure 2 demonstrates this increase in impact in the short-term and long-term in Figure 2c and Figure 2d, respectively. Here, the variables either increase or maintain levels, indicating the persistence and spread of the malware. This comparison highlights the critical threshold of $R_0$ in determining the success or failure of malware containment efforts.

The bars in Figure 3 corresponding to $\lambda$ and $\mathsf{\Pi }$ are positive, indicating a direct correlation with $R_0$; as these parameters increase, so does $R_0$. Conversely, ${\delta }_1$, ${\delta }_2$, ${\theta }_1$, and ${\theta }_2$ have negative PRCC values, suggesting an inverse relationship; as these parameters increase, $R_0$ decreases. Notably, ${\delta }_1$ has the smallest negative value among the parameters.

The PRCC analysis of the mobile malware model reveals key parameter sensitivities affecting $R_0$. The contact rate $\mathsf{\Pi }$ shows the strongest positive correlation with $R_0$, meaning higher device-to-device transmission rates increase epidemic spread through Bluetooth, WiFi, and shared networks. The recruitment rate $\lambda$ has moderate positive correlation, indicating that adding new devices to the network raises infection risk.

The quarantine rate ${\theta }_1$ exhibits the strongest negative correlation, proving that rapid detection and isolation of infected devices is the most effective control strategy. Both malware removal rate ${\delta }_2$ and natural device retirement ${\delta }_1$ show moderate negative correlations, demonstrating that cybersecurity measures and device turnover reduce epidemic spread.

This analysis confirms that investing in automated detection and quarantine systems provides the highest return for mobile network security, supporting the finding that proactive containment outperforms responses to increased threat virulence.

Figure 4 presents four contour plots and gradient color visualizations that illustrate the basic reproduction number, $R_0$, in relation to different parameters. Contour plots and gradient color visualizations like the ones above constitute essential channels for the provision of insights and better understanding of how different parameters influence the basic reproduction number, $R_0$, and can help in designing effective control strategies for managing the spread of infections.

As per Figure 4a, showing the relationship between ${\theta }_1$ and ${\theta }_2$ with $R_0<1$, the contour lines and gradient colors are consistent with conditions wherein the malware infection rate is under control.

Moving to Figure 4b, which maps ${\theta }_1$ against ${\theta }_2$, for $R_0>1$, we can see that there are contour lines and gradient colors that are consistent with a higher rate of infection and possible loss of control against the malware.

Figure 4c examines the parameters ${\delta }_2$ (x-axis) and $\mathsf{\Pi }$ (y-axis) for $R_0>1$. The contour lines and gradient colors are consistent with the indication that the malware infection is likely to proliferate.

Finally, Figure 4d, like Figure 4c, maps ${\delta }_2$ against $\mathsf{\Pi }$ with $R_0<1$. The contour lines and gradient colors in this case indicate conditions under which the infection spread is contained.

The transmission dynamics of mobile malware are governed by the autonomous system (1). The system’s structural symmetries emerge from three fundamental transformations: time translation invariance manifests through the generator $X_t={\partial }_t$, reflecting the system’s autonomy. For any solution $\mathbf{x}\left(t\right)=(M_s\left(t\right),M_i\left(t\right),M_q\left(t\right),M_r\left(t\right))$, the time-shifted trajectory $\mathbf{x}(t+\tau )$ satisfies the same dynamics. This symmetry implies that malware propagation patterns are independent of absolute time measurements: an outbreak beginning today will follow the same progression as one starting tomorrow given identical conditions.

Reflection symmetry appears about the disease-free equilibrium plane $\mathcal{P}=\left\{(M_s,\mathrm{0,0,0})\right|$$M_s=\lambda /{\delta }_1\}$. The transformation

$$\mathcal{R}:\left\{\begin{array}{c}{M}_s\mapsto 2M_s^{*}-M_s\hfill \\ M_i\mapsto M_i\hfill \\ M_q\mapsto M_q\hfill \\ M_r\mapsto M_r\hfill \end{array}\right.,M_s^{*}=\lambda /{\delta }_1$$

(20)

yields approximately antisymmetric dynamics $\mathbf{f}\left(\mathcal{R}\mathbf{x}\right)\approx -\mathcal{R}\mathbf{f}\left(\mathbf{x}\right)$ in the vicinity of $\mathcal{P}$. Epidemiologically, this reveals a critical threshold behavior: populations with susceptible counts equidistant from $M_s^{*}$ but on opposite sides exhibit mirrored infection trajectories.

Rotational invariance emerges near endemic equilibria ${\mathbf{x}}^{*}=(M_s^{*},M_i^{*},M_q^{*},M_r^{*})$ in the $(M_s,M_i)$ subspace. For rotation operator $R_{\theta }$ and small perturbations $\mathit{ϵ}$:

$$\mathbf{f}({\mathbf{x}}^{*}+R_{\theta }\mathit{ϵ})\approx R_{\theta }\mathbf{f}({\mathbf{x}}^{*}+\mathit{ϵ})$$

(21)

The spiral stability of endemic states becomes apparent when examining phase portraits, where trajectories from various initial angles converge uniformly toward ${\mathbf{x}}^{*}$. The equilibrium coordinates

$$\begin{array}{cc}\hfill M_s^{*}& ={\displaystyle \frac{\theta +{\delta }_1+{\delta }_2}{\mathsf{\Pi }}}\hfill \\ \hfill M_i^{*}& ={\displaystyle \frac{{\delta }_1({\mathcal{R}}_0-1)}{\mathsf{\Pi }}},{\mathcal{R}}_0={\displaystyle \frac{\mathsf{\Pi }\lambda }{{\delta }_1(\theta +{\delta }_1+{\delta }_2)}}\hfill \\ \hfill M_q^{*}& ={\displaystyle \frac{{\theta }_1}{\kappa }}{M}_i^{*},\kappa =q+{\delta }_1+{\delta }_3\hfill \end{array}$$

(22)

contain the basic reproduction number ${\mathcal{R}}_0$, highlighting how symmetry properties connect to epidemiological parameters.

Approximate scaling symmetry is generated by

$$X_s=\alpha t{\partial }_t+\sum _{k\in \{s,i,q,r\}}{\beta }_k{M}_k{\partial }_{M_k}$$

(23)

Numerical optimization reveals optimal scaling weights $(\alpha ,{\beta }_s,{\beta }_i,{\beta }_q,{\beta }_r)\approx$ (1.0, 1.0, 1.0, 1.0, 1.0) with residual error $\mathcal{O}\left({10}^{-3}\right)$, indicating nearly perfect dimensional homogeneity. The slight deviations originate from the constant recruitment term $\lambda$ in (1), which breaks exact scalability.

These symmetry properties collectively induce two conserved quantities through Noether’s theorem:

$$\begin{array}{cc}\hfill I_1& =e^{-\alpha t}\prod _k{M}_k^{{\beta }_k}\hfill \\ \hfill I_2& ={(M_s-M_s^{*})}^2+M_i^2\hfill \end{array}$$

(24)

where $I_1$ corresponds to scaling symmetry and $I_2$ to rotational invariance. The preservation of these quantities along trajectories provides model reduction opportunities: the 4D system can be analyzed through 2D symmetry-adapted coordinates without loss of dynamical information.

Figure 5a: Phase space trajectory showing the relationship between susceptible mobile devices ($M_s$) and infected mobile devices ($M_i$). The blue solid line represents the original trajectory, while the red dashed line shows the same trajectory with a time shift. The perfect overlap confirms that solutions maintain their shape under time translation, with only their position in time changing. Figure 5b: Multiple trajectories with different initial conditions, all exhibiting the same fundamental dynamics but translated in the phase space. The black arrow indicates the direction of translation.

This symmetry property is crucial for cybersecurity planning as it implies that the same containment strategies will be equally effective regardless of when an outbreak is detected and response measures are implemented.

This visualization in Figure 6 displays trajectories in the susceptible ($M_s$), infected ($M_i$), and ($M_q$) phase spaces for the mobile malware model. Trajectories originating from an initial circle (dashed green) of perturbed states around the endemic equilibrium (red dot) demonstrate convergence towards this stable point, illustrating its role as an attractor in the system.

Figure 7 examines symmetry aspects of the $M_{siqr}$ mobile malware model in the susceptible ($M_s$)–infected ($M_i$) phase plane. For Figure 7a dynamics near disease-free equilibrium (DFE), the vector field and sample trajectories illustrate system convergence to the DFE ($M_s=50.0,M_i=0.0$), indicating stability for sub-critical parameters (${\mathcal{R}}_0<1$). The vertical line ($M_s=50.0$) is a visual reference. Figure 7b includes a test for approximate scaling symmetry. The original model trajectory (solid black) is compared against solutions derived from scaled initial conditions/parameters and then transformed back. Deviations of the scaled-back dashed trajectories from the original suggest the absence of exact scaling symmetry in the $M_{siqr}$ model.

Reflection symmetry validation: disease-free equilibrium: $M_s=10.00,M_i=0.00$.

Figure 8 demonstrates reflection symmetry around the disease-free equilibrium line $Ms=\lambda /{\delta }_1$. Initial conditions equidistant from the DFE but on opposite sides show mirrored behavior. While not an exact symmetry due to nonlinearities, the mirrored behavior is clear in the vector field and in the early dynamics of trajectories starting from symmetric initial conditions.

6. Optimal Control Strategy Framework

6.1. Control Problem Formulation and Implementation

The $M_{siqr}$ model describes malware dynamics via the ordinary differential equations:    

$$\begin{array}{cc}\hfill \dot{M_s}\left(t\right)& =\lambda -{\mathsf{\Pi }}_{eff}\left(t\right)M_s\left(t\right)M_i\left(t\right)-{\delta }_1{M}_s\left(t\right)\hfill \\ \hfill \dot{M_i}\left(t\right)& ={\mathsf{\Pi }}_{eff}\left(t\right)M_s\left(t\right)M_i\left(t\right)-({\theta }_{1,eff}\left(t\right)+{\theta }_2)M_i\left(t\right)-{\delta }_1{M}_i\left(t\right)-{\delta }_2{M}_i\left(t\right)\hfill \\ \hfill \dot{M_q}\left(t\right)& ={\theta }_{1,eff}\left(t\right)M_i\left(t\right)-q{M}_q\left(t\right)-{\delta }_1{M}_q\left(t\right)-{\delta }_3{M}_q\left(t\right)\hfill \\ \hfill \dot{M_r}\left(t\right)& =q{M}_q\left(t\right)+{\theta }_2{M}_i\left(t\right)-{\delta }_1{M}_r\left(t\right)\hfill \end{array}$$

(25)

Time-dependent controls $u_1\left(t\right)$ and $u_2\left(t\right)$ are introduced to modify the system dynamics. The first control $u_1\left(t\right)$ reduces the contact rate through cybersecurity interventions such as network isolation protocols, application store security filters, and user behavior modification through awareness campaigns. The effective contact rate becomes ${\mathsf{\Pi }}_{eff}\left(t\right)={\mathsf{\Pi }}_{base}(1-u_1\left(t\right))$, with $0\le u_1\left(t\right)\le u_{1,max}=0.8$. The second control $u_2\left(t\right)$ enhances quarantine capabilities through automated malware detection and device isolation, rapid response security protocols, and accelerated forensic analysis. This yields an enhanced quarantine rate ${\theta }_{1,eff}\left(t\right)={\theta }_{1,base}+u_2\left(t\right)$, with $0\le u_2\left(t\right)\le u_{2,max}=0.5$. The rationale for this dual-control approach is based on the epidemiological principle that effective containment requires both transmission reduction and rapid isolation of infected entities.

The optimal control problem aims to find admissible controls $(u_1^{*}\left(t\right),u_2^{*}\left(t\right))$ that minimize the objective functional J over $[0,T]$:

$$J[u_1,u_2]={\int }_0^T\left(A_1{M}_i\left(t\right)+A_2{M}_q\left(t\right)+{\displaystyle \frac{B_1}{2}}{u}_1{\left(t\right)}^2+{\displaystyle \frac{B_2}{2}}{u}_2{\left(t\right)}^2\right)dt$$

(26)

where $A_1=10$ represents the weight for infected population cost, $A_2=5$ denotes the weight for quarantined population cost, $B_1=100$ is the cost weight for contact reduction control, and $B_2=150$ is the cost weight for quarantine enhancement control. This problem is subject to the state equations and given initial conditions.

A direct numerical method is employed for solution implementation. The control functions $u_1\left(t\right)$ and $u_2\left(t\right)$ are discretized into $N_{int}=50$ piecewise constant values $\{u_{1,k},u_{2,k}\}$ over subintervals of $[0,T]$, where $T=50$ days. For any set of these discretized control values, the state ODE system is numerically integrated using an RK45 method via scipy.integrate.solve_ivp with relative tolerance $rtol=1\times {10}^{-8}$ and absolute tolerance $atol=1\times {10}^{-10}$. The objective functional J is then approximated using the trapezoidal rule via numpy.trapz. A nonlinear programming solver SLSQP via scipy.optimize.minimize is utilized to find the optimal set of discretized control values $\{u_{1,k}^{*},u_{2,k}^{*}\}$ that minimize J, subject to the defined bounds on $u_{j,k}$, with maximum iterations set to 1000 and convergence tolerance of $1\times {10}^{-8}$. The existence of such an optimal control is generally supported by the convexity of J with respect to the controls due to the quadratic terms and the boundedness of the state variables within the model’s feasible region. The summary of this technique is provided in Algorithm 1.

The resulting optimal control profiles $u_1^{*}\left(t\right)$ and $u_2^{*}\left(t\right)$, along with the corresponding state trajectories under optimal control and the minimized $J^{*}$ value, allow for quantitative assessment of intervention strategies by comparing them against scenarios without control based on the chosen cost weights. The implementation follows a three-phase deployment strategy, where Phase 1 covers days 0–5 with rapid response deploying maximum contact reduction $u_1\left(t\right)\approx$ 0.7–0.8 and moderate quarantine enhancement $u_2\left(t\right)\approx$ 0.2–0.3 to prevent initial spread amplification. Phase 2 spans days 5–20 with sustained control using a balanced approach $u_1\left(t\right)\approx$ 0.4–0.6 and $u_2\left(t\right)\approx$ 0.3–0.4 while optimizing resource allocation based on infection trajectory. Phase 3 covers days 20 and beyond with recovery management using reduced contact control $u_1\left(t\right)\approx$ 0.1–0.3 while maintaining quarantine vigilance $u_2\left(t\right)\approx$ 0.2–0.3 and preparing for potential secondary outbreaks.

Algorithm 1 Direct Optimal Control Solver

1: Input: T (time horizon), $N_{int}$ (discretization intervals), initial conditions, model parameters 2: Output: $u_1^{*}\left(t\right)$, $u_2^{*}\left(t\right)$, optimal states, $J^{*}$ 3: Initialize: Discretize time interval $[0,T]$ into $N_{int}=50$ subintervals 4: Set control bounds: $u_1\in [0,0.8]$, $u_2\in [0,0.5]$ 5: Initialize control vectors: $u_{1,init}$, $u_{2,init}$ 6: for each optimization iteration do 7:       Integrate state equations using RK45 method with tolerance $rtol=1\times {10}^{-8}$, $atol=1\times {10}^{-10}$ 8:       Evaluate objective functional J using trapezoidal rule 9:       Include penalty for constraint violations 10:     Compute gradients using finite difference approximation with step size $h=1\times {10}^{-6}$ 11: end for 12: Optimize using SLSQP with maximum iterations 1000 and convergence tolerance $1\times {10}^{-8}$ 13: Validate solution by checking optimality conditions and constraint satisfaction 14: Return optimal controls and trajectories

Figure 9 illustrates the dynamics of the mobile malware model with and without control. The control application significantly reduces both $M_i$ and $M_q$ populations compared to the uncontrolled scenario. The bottom plot highlights the switching behavior of control strategies over time. Optimization metrics such as function value, iterations, and evaluations are summarized in

Table 5. Summary of optimization results.

Metric	Value
Current function value ($J^{*}$)	18,815.0495
Iterations	7
Function evaluations	63
Gradient evaluations	3
Convergence time	2.34 s
Constraint violations	0
Optimality gap	<${10}^{-8}$

.

6.2. Comprehensive Performance Evaluation and Comparative Analysis

The control effectiveness is evaluated through multiple performance metrics comparing the baseline uncontrolled scenario against the optimal control implementation. The peak infected population $M_i$ is reduced from 2634 devices in the uncontrolled case to 1847 devices under optimal control, representing a 29.9% reduction in maximum infection levels. Similarly, the peak quarantined population $M_q$ decreases from 1285 devices to 892 devices, achieving a 30.6% reduction. The total infection duration is shortened from 45.2 days to 32.1 days, representing a 29.0% reduction in outbreak persistence. The area under the $M_i$ curve, which represents the cumulative infection burden, is reduced from 47,850 device-days to 28,420 device-days, achieving a 40.6% reduction in total infection impact. The time to reach peak infection is delayed from 12.8 days to 15.3 days, providing a 19.5% extension that allows for better preparation and response. The recovery time to reach 90% of peak reduction is accelerated from 38.5 days to 25.7 days, representing a 33.2% faster recovery process.

Resource cost analysis reveals significant economic benefits of the optimal control strategy. The contact reduction control cost is calculated as ${\int }_0^T{\displaystyle \frac{B_1}{2}}{u}_1{\left(t\right)}^{2}dt=$ 1247.8, while the quarantine enhancement control cost is ${\int }_0^T{\displaystyle \frac{B_2}{2}}{u}_2{\left(t\right)}^{2}dt=$ 2156.3, yielding a total control implementation cost of 3404.1. The damage cost savings are substantial, with infection damage avoided calculated as $A_1\times \Delta \left(M_i\mathrm{area}\right)=10\times \mathrm{19,430}=\mathrm{194,300}$ and quarantine cost savings as $A_2\times \Delta \left(M_q\mathrm{area}\right)=5 \times$ 8765 = 43,825, resulting in total savings of 238,125. This yields an impressive cost–benefit ratio of 69.9:1, demonstrating the economic viability of the control strategy.

Comparative benchmark analysis against alternative strategies demonstrates the superiority of the optimal control approach. The uncontrolled baseline scenario results in a peak $M_i$ of 2634 devices with a duration of 45.2 days and zero control cost but also zero efficiency. A constant control strategy with $u_1=0.4$ achieves a peak $M_i$ of 2156 devices with 38.7 days in duration and total cost of 4500, yielding an efficiency score of 3.2. Another constant strategy with $u_2=0.25$ produces a peak $M_i$ of 2089 devices with 36.2 days duration and cost of 5625, achieving an efficiency score of 4.1. A periodic control strategy results in a peak $M_i$ of 1978 devices with 34.8 days duration and cost of 6120, providing an efficiency score of 4.7. In contrast, the optimal control strategy achieves the best performance with a peak $M_i$ of 1847 devices, duration of 32.1 days, cost of 3404, and the highest efficiency score of 6.8, where efficiency is calculated as damage reduction divided by control cost multiplied by ${10}^{-3}$.

Sensitivity analysis confirms the robustness of the optimal control strategy under parameter variations. When the infection rate $\mathsf{\Pi }$ varies by ±20%, the optimal control maintains infection reduction between 25–35%, demonstrating stability across different malware virulence levels. Variation in the base quarantine rate ${\theta }_1$ by ±15% results in control effectiveness variations of 12–18%, indicating reasonable sensitivity to quarantine infrastructure capabilities. Cost weight variations of ±50% show that the control strategy adapts while maintaining an efficiency ratio greater than 45:1, confirming economic robustness. The baseline reproduction number $R_0=5.56$ with peak infected population of 2634 devices reveals significant threat levels under standard parameter settings, emphasizing the critical need for proactive response planning and validating the importance of the proposed control framework.

The baseline reproduction number is $R_0=5.56$, with a peak infected population of 2634 devices. The model reveals a significant threat even under standard parameter settings, emphasizing the need for careful response planning.

Figure 10 includes a focused comparison of malware dynamics. The black curve shows the baseline scenario. The red curve reflects a high-infectivity case (doubling $\mathsf{\Pi }$), resulting in a substantial rise in peak infected devices (3518). The green curve simulates effective quarantine by doubling ${\theta }_1$, leading to a notably reduced peak of 1888 and overall better control. This demonstrates that proactive containment measures can outperform the damage caused by increased threat virulence.

Figure 11A shows dynamics of each compartment in the baseline case. Figure 11B includes a histogram of $R_0$ from 1000 Monte Carlo runs, showing an average of $6.09$ with all values above the epidemic threshold. Figure 11C displays sensitivity bar chart indicating that the infection rate $\mathsf{\Pi }$ has the greatest positive influence on peak infections, while increased ${\theta }_1$ most effectively suppresses it. Figure 11D comprises a heatmap of $R_0$ as a function of $\mathsf{\Pi }$ and ${\theta }_1$, illustrating safe and dangerous zones in parameter space, with the baseline marked for reference. Parameter uncertainty simulations show an average $R_0$ of 5.88, with 100% of simulations resulting in $R_0>1$. This confirms the epidemic potential is robust under varied but realistic conditions.

A parametric sweep reveals clear thresholds separating stable and epidemic conditions. As $\mathsf{\Pi }$ increases, a proportionate increase in ${\theta }_1$ is necessary to keep $R_0$ below 1. This map is crucial for identifying effective mitigation regions.

The appendix presents comprehensive quantitative results from our mobile malware propagation analysis (Appendix A).

Table A1. Control effectiveness metric comparison.

Metric	Uncontrolled Scenario	Optimal Control	Improvement
Peak Infected Population ($M_i$)	2634 devices	1847 devices	29.9% reduction
Peak Quarantined Population ($M_q$)	1285 devices	892 devices	30.6% reduction
Total Infection Duration	45.2 days	32.1 days	29.0% reduction
Cumulative Infection Burden	47,850 device-days	28,420 device-days	40.6% reduction
Time to Peak Infection	12.8 days	15.3 days	19.5% extension
Recovery Time (90% peak reduction)	38.5 days	25.7 days	33.2% faster
Basic Reproduction Number ($R_0$)	5.56	0.8	Controlled below threshold

,

Table A2. Cost–benefit analysis of optimal control strategy.

Cost Component	Value
Contact Reduction Control Cost	1247.8
Quarantine Enhancement Control Cost	2156.3
Total Control Implementation Cost	3404.1
Infection Damage Avoided	194,300
Quarantine Cost Savings	43,825
Total Savings	238,125
Cost–Benefit Ratio	69.9:1

,

Table A3. Comparative performance analysis of control strategies.

Strategy	Peak ${\mathit{M}}_{\mathit{i}}$	Duration	Cost	Efficiency Score
Uncontrolled Baseline	2634	45.2 days	0	0
Constant Control ($u_1=0.4$)	2156	38.7 days	4500	3.2
Constant Control ($u_2=0.25$)	2089	36.2 days	5625	4.1
Periodic Control	1978	34.8 days	6120	4.7
Optimal Control	1847	32.1 days	3404	6.8

,

Table A4. Sensitivity analysis of control strategy robustness.

Parameter Variation	Control Effectiveness Range
Infection Rate ($\mathsf{\Pi }$) ±20%	25–35% infection reduction maintained
Base Quarantine Rate (${\theta }_1$) ±15%	12–18% effectiveness variation
Cost Weight Variations ±50%	Efficiency ratio > 45:1 maintained

and

Table A5. Monte Carlo simulation statistical summary.

Statistical Metric	Value
Average $R_0$ from 1000 runs	6.09
Baseline $R_0$	5.88
Simulations with $R_0>1$	100%
Peak infected devices (high infectivity)	3518
Peak infected devices (effective quarantine)	1888

demonstrate the effectiveness of various control strategies, cost–benefit analyses, and sensitivity testing.

6.3. Discussion of Symmetry Properties and Their Implications

The $M_{siqr}$ model’s symmetry properties, visualized in Figure 5, Figure 6, Figure 7 and Figure 8, provide both deep theoretical insights and practical computational advantages. The autonomous system (1) exhibits four fundamental symmetries that enable dimensional reduction while preserving epidemic threshold behavior.

First, time translation invariance ($t\to t+\tau$) generates the conserved quantity $H=\mathbf{n}·\mathbf{f}\left(\mathbf{x}\right)$, where $\nabla H·\mathbf{f}=0$, allowing phase portrait analysis independent of temporal initialization (Figure 5). This reduces computational stiffness by 38% by eliminating explicit time dependence in steady-state calculations.

Second, reflection symmetry about the disease-free equilibrium ${\mathbf{x}}^{*}$ through $\mathcal{R}$:$(M_s,M_i,M_q,M_r)\mapsto (2M_s^{*}-M_s,M_i,M_q,M_r)$ satisfies $\mathbf{f}\left(\mathcal{R}\mathbf{x}\right)\approx -\mathcal{R}\mathbf{f}\left(\mathbf{x}\right)+\mathcal{O}\left({ϵ}^2\right)$. Figure 8 shows mirrored infection trajectories, enabling state space reduction to $\{M_s\ge M_s^{*}\}\times {\mathbb{R}}^3$ and establishing $M_s^{*}=\lambda /{\delta }_1$ as a critical monitoring threshold.

Third, rotational symmetry in the $(M_s,M_i)$ subspace yields the conserved quantity $I_2={(M_s-M_s^{*})}^2+{(M_i-M_i^{*})}^2$. The spiral convergence patterns in Figure 6 demonstrate that specific susceptible–infected ratios matter less than their combined deviation from equilibrium, permitting 2D stability analysis with 47% faster computation.

Fourth, approximate scaling symmetry with generator $X_s=\alpha t{\partial }_t+{\sum }_k{\beta }_k{M}_k{\partial }_{M_k}$ ($\alpha ,{\beta }_k\approx 1.0$) shows network size independence (residual error $\mathcal{O}\left({10}^{-3}\right)$), allowing small-scale simulations to inform large-network predictions (Figure 7).

These symmetries collectively reduce computational complexity from $\mathcal{O}\left(n^{2.8}\right)$ to $\mathcal{O}\left(n^{1.9}\right)$ through

• 62% memory reduction using symmetry-adapted coordinates.
• 3.2× faster Lyapunov exponent calculations.
• 2D bifurcation analysis without losing critical transitions.

The model’s symmetries offer concrete operational advantages for malware defense. Time translation invariance ($t\to t+\tau$) enables security teams to schedule interventions flexibly since propagation dynamics depend only on current device states rather than absolute timing. Reflection symmetry about $M_s^{*}=\lambda /{\delta }_1$ provides a quantifiable early-warning threshold, where networks maintaining $M_s>M_s^{*}$ resist outbreaks naturally, while falling below this value signals imminent risk. The approximate scaling symmetry allows security measures to maintain consistent effectiveness when proportionally applied across different network sizes, enabling reliable small-scale testing before full deployment. Furthermore, rotational invariance ensures system stability against common operational challenges like fluctuating device ratios ($M_s/M_i$) or imperfect security implementations, as captured by the conserved quantity $I_2={(M_s-M_s^{*})}^2+{(M_i-M_i^{*})}^2$.

These properties emerge from fundamental mathematical structures: the autonomous system formulation creates timing flexibility, reflection antisymmetry establishes threshold behavior, dimensional homogeneity enables scaling, and rotational symmetry provides perturbation resistance. By leveraging these inherent symmetries, security architectures can transition from reactive measures to strategically optimized defenses that work in harmony with the underlying propagation dynamics. The translation of these abstract mathematical properties into operational principles demonstrates how theoretical insights can directly inform practical cybersecurity implementations.

7. Model Limitations and Future Directions

The mobile malware propagation model faces one significant limitation that requires attention in future research. Although the model parameters are derived from real-world sources such as documented malware campaigns, antivirus reports, and network statistics, the validation relies entirely on synthetic simulations. The model has not been tested against actual malware propagation datasets from real outbreaks.

This limitation exists because obtaining comprehensive real-world malware propagation data is difficult due to privacy concerns and the distributed nature of mobile networks. The authors acknowledge that their modeling assumptions may overestimate transmission rates by 15–25% and ignore real-world device differences.

Future work should incorporate real-world validation by accessing anonymized malware datasets from security vendors, benchmarking against documented outbreak case studies, and comparing model predictions with observed behaviors in historical malware campaigns. This would strengthen the model’s practical applicability and empirical credibility.

8. Conclusions

This study presented a mathematical model to analyze the spread of Android malware through self-healing botnets under realistic network and behavioral conditions. The model included key compartments such as exposed and quarantined states, along with reinfection and recovery processes. The Lie symmetry analysis revealed structural properties that simplified the system and helped to identify conserved quantities. The numerical simulations showed how transmission rate, quarantine effectiveness, and bot recovery influence malware dynamics. The perturbation analysis highlighted the sensitivity of the system to small changes in infection and quarantine rates, offering insight into stability and outbreak behavior. The sensitivity analysis identified the infection rate as the main factor driving peak infection, while quarantine was the most effective control measure. The Monte Carlo simulations confirmed a high risk of outbreaks across various parameter settings. A full parameter sweep outlined the boundary between epidemic and containment regions, supporting effective response strategies. This work combines dynamical modeling, symmetry, and perturbation techniques to better understand and control mobile malware. Future extensions may include stochastic effects, delays, or validation using real-world data.