{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T10:18:38Z","timestamp":1770459518073,"version":"3.49.0"},"reference-count":154,"publisher":"MDPI AG","issue":"16","license":[{"start":{"date-parts":[[2021,8,23]],"date-time":"2021-08-23T00:00:00Z","timestamp":1629676800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>The increasing number of Android malware forced antivirus (AV) companies to rely on automated classification techniques to determine the family and class of suspicious samples. The research community relies heavily on such labels to carry out prevalence studies of the threat ecosystem and to build datasets that are used to validate and benchmark novel detection and classification methods. In this work, we carry out an extensive study of the Android malware ecosystem by surveying white papers and reports from 6 key players in the industry, as well as 81 papers from 8 top security conferences, to understand how malware datasets are used by both. We, then, explore the limitations associated with the use of available malware classification services, namely VirusTotal (VT) engines, for determining the family of an Android sample. Using a dataset of 2.47 M Android malware samples, we find that the detection coverage of VT\u2019s AVs is generally very low, that the percentage of samples flagged by any 2 AV engines does not go beyond 52%, and that common families between any pair of AV engines is at best 29%. We rely on clustering to determine the extent to which different AV engine pairs agree upon which samples belong to the same family (regardless of the actual family name) and find that there are discrepancies that can introduce noise in automatic label unification schemes. We also observe the usage of generic labels and inconsistencies within the labels of top AV engines, suggesting that their efforts are directed towards accurate detection rather than classification. Our results contribute to a better understanding of the limitations of using Android malware family labels as supplied by common AV engines.<\/jats:p>","DOI":"10.3390\/s21165671","type":"journal-article","created":{"date-parts":[[2021,8,23]],"date-time":"2021-08-23T10:24:17Z","timestamp":1629714257000},"page":"5671","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["An Analysis of Android Malware Classification Services"],"prefix":"10.3390","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0119-0796","authenticated-orcid":false,"given":"Mohammed","family":"Rashed","sequence":"first","affiliation":[{"name":"Computer Science and Engineering Department, Universidad Carlos III de Madrid, Avda. de la Universidad 30, 28911 Legan\u00e9s, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0455-2553","authenticated-orcid":false,"given":"Guillermo","family":"Suarez-Tangil","sequence":"additional","affiliation":[{"name":"IMDEA Networks Institute, Avda. del Mar Mediterraneo, 22, 28918 Leganes, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2021,8,23]]},"reference":[{"key":"ref_1","unstructured":"Curry, D. (2021, June 23). Android Statistics. Available online: https:\/\/www.businessofapps.com\/data\/android-statistics\/."},{"key":"ref_2","unstructured":"Emm, D., and Kaspersky Security Bulletin 2012 (2021, June 23). Malware Evolution. Available online: https:\/\/securelist.com\/kaspersky-security-bulletin-2012-malware-evolution\/36732\/."},{"key":"ref_3","unstructured":"(2021, August 04). Development of New Android Malware Worldwide from June 2016 to March 2020. Available online: https:\/\/www.statista.com\/statistics\/680705\/global-android-malware-volume\/."},{"key":"ref_4","unstructured":"(2021, May 25). Kaspersky Mobile Security Lite Now Available for Free on Android Market. Available online: https:\/\/www.kaspersky.com\/about\/press-releases\/2011_kaspersky-mobile-security-lite-now-available-for-free-on-android-market."},{"key":"ref_5","unstructured":"(2021, May 25). Early Reviews of Avast! Free Mobile Security. Available online: https:\/\/blog.avast.com\/2012\/01\/02\/early-reviews-of-avast-free-mobile-security\/."},{"key":"ref_6","unstructured":"(2021, May 25). Norton Mobile Security for Android 1.5 Beta. Available online: https:\/\/uk.pcmag.com\/antivirus\/21480\/norton-mobile-security-for-android-15-beta."},{"key":"ref_7","unstructured":"(2021, August 09). Machine Learning for Malware Detection. Available online: https:\/\/media.kaspersky.com\/en\/enterprise-security\/Kaspersky-Lab-Whitepaper-Machine-Learning.pdf."},{"key":"ref_8","unstructured":"Gheorghescu, M. (2005, January 5\u20137). An automated virus classification system. Proceedings of the Virus Bulletin Conference, Dublin, Ireland."},{"key":"ref_9","unstructured":"Harley, D. (2007). AVIEN Malware Defense Guide for the Enterprise, Elsevier."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Zhou, Y., and Jiang, X. (2012, January 20\u201323). Dissecting android malware: Characterization and evolution. Proceedings of the 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA.","DOI":"10.1109\/SP.2012.16"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Garcia, J., Hammad, M., and Malek, S. (June, January 27). [Journal First] Lightweight, Obfuscation-Resilient Detection and Family Identification of Android Malware. Proceedings of the 2018 IEEE\/ACM 40th International Conference on Software Engineering (ICSE), Gothenburg, Sweden.","DOI":"10.1145\/3180155.3182551"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., and Siemens, C. (2014, January 23\u201326). Drebin: Effective and Explainable Detection of Android Malware in your Pocket. Proceedings of the NDSS, San Diego, CA, USA.","DOI":"10.14722\/ndss.2014.23247"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Suarez-Tangil, G., Dash, S.K., Ahmadi, M., Kinder, J., Giacinto, G., and Cavallaro, L. (2017, January 22\u201324). Droidsieve: Fast and accurate classification of obfuscated android malware. Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, Scottsdale, AZ, USA.","DOI":"10.1145\/3029806.3029825"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Fan, M., Liu, J., Luo, X., Chen, K., Chen, T., Tian, Z., Zhang, X., Zheng, Q., and Liu, T. (2016, January 23\u201327). Frequent subgraph based familial classification of android malware. Proceedings of the 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE), Ottawa, ON, Canada.","DOI":"10.1109\/ISSRE.2016.14"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Zhang, M., Duan, Y., Yin, H., and Zhao, Z. (2014, January 3\u20137). Semantics-aware android malware classification using weighted contextual api dependency graphs. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA.","DOI":"10.1145\/2660267.2660359"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Andronio, N., Zanero, S., and Maggi, F. (2015). Heldroid: Dissecting and detecting mobile ransomware. International Symposium on Recent Advances in Intrusion Detection, Springer.","DOI":"10.1007\/978-3-319-26362-5_18"},{"key":"ref_17","first-page":"141","article-title":"M0droid: An android behavioral-based malware detection model","volume":"11","author":"Damshenas","year":"2015","journal-title":"J. Inf. Priv. Secur."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Hurier, M., Suarez-Tangil, G., Dash, S.K., Bissyand\u00e9, T.F., Traon, Y.L., Klein, J., and Cavallaro, L. (2017, January 20\u201321). Euphony: Harmonious unification of cacophonous anti-virus vendor labels for Android malware. Proceedings of the 14th International Conference on Mining Software Repositories, Buenos Aires, Argentina.","DOI":"10.1109\/MSR.2017.57"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Dashevskyi, S., Zhauniarovich, Y., Gadyatskaya, O., Pilgun, A., and Ouhssain, H. (2020, January 16\u201318). Dissecting Android Cryptocurrency Miners. Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, New Orleans, LA, USA.","DOI":"10.1145\/3374664.3375724"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1","DOI":"10.13052\/jcsm2245-1439.732","article-title":"Understanding android financial malware attacks: Taxonomy, characterization, and challenges","volume":"7","author":"Kadir","year":"2018","journal-title":"J. Cyber Secur. Mobil."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Duan, Y., Zhang, M., Bhaskar, A.V., Yin, H., Pan, X., Li, T., Wang, X., and Wang, X. (2018, January 18\u201321). Things You May Not Know about Android (Un) Packers: A Systematic Study based on Whole-System Emulation. Proceedings of the NDSS, San Diego, CA, USA.","DOI":"10.14722\/ndss.2018.23296"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Lindorfer, M., Neugschwandtner, M., and Platzer, C. (2015, January 1\u20135). Marvin: Efficient and comprehensive mobile app classification through static and dynamic analysis. Proceedings of the 2015 IEEE 39th Annual Computer Software and Applications Conference, Taichung, Taiwan.","DOI":"10.1109\/COMPSAC.2015.103"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Wang, H., Si, J., Li, H., and Guo, Y. (2019, January 25\u201331). Rmvdroid: Towards a reliable android malware dataset with app metadata. Proceedings of the 2019 IEEE\/ACM 16th International Conference on Mining Software Repositories (MSR), Montreal, QC, Canada.","DOI":"10.1109\/MSR.2019.00067"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Sebasti\u00e1n, M., Rivera, R., Kotzias, P., and Caballero, J. (2016). Avclass: A tool for massive malware labeling. International Symposium on Research in Attacks, Intrusions, and Defenses, Springer.","DOI":"10.1007\/978-3-319-45719-2_11"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"102287","DOI":"10.1016\/j.cose.2021.102287","article-title":"Challenges and Pitfalls in Malware Research","volume":"106","author":"Botacin","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Perdisci, R., and ManChon, U. (2012, January 3\u20137). VAMO: Towards a fully automated malware clustering validity analysis. Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA.","DOI":"10.1145\/2420950.2420999"},{"key":"ref_27","unstructured":"Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., and Kirda, E. (2009, January 8\u201311). Scalable, Behavior-Based Malware Clustering. Proceedings of the NDSS, San Diego, CA, USA."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Sebasti\u00e1n, S., and Caballero, J. (2020, January 7\u201311). AVclass2: Massive Malware Tag Extraction from AV Labels. Proceedings of the Annual Computer Security Applications Conference, Austin, TX, USA.","DOI":"10.1145\/3427228.3427261"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"639","DOI":"10.3233\/JCS-2010-0410","article-title":"Automatic analysis of malware behavior using machine learning","volume":"19","author":"Rieck","year":"2011","journal-title":"J. Comput. Secur."},{"key":"ref_30","unstructured":"IBM Cloud Education (2021, August 04). Unsupervised Learning. Available online: https:\/\/www.ibm.com\/cloud\/learn\/unsupervised-learning."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., and Nazario, J. (2007). Automated classification and analysis of internet malware. International Workshop on Recent Advances in Intrusion Detection, Springer.","DOI":"10.1007\/978-3-540-74320-0_10"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"233","DOI":"10.1007\/s11416-011-0151-y","article-title":"Malware classification based on call graph clustering","volume":"7","author":"Kinable","year":"2011","journal-title":"J. Comput. Virol."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Ahmadi, M., Ulyanov, D., Semenov, S., Trofimov, M., and Giacinto, G. (2016, January 9\u201311). Novel feature extraction, selection and fusion for effective malware family classification. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, New Orleans, LA, USA.","DOI":"10.1145\/2857705.2857713"},{"key":"ref_34","unstructured":"Ronen, R., Radu, M., Feuerstein, C., Yom-Tov, E., and Ahmadi, M. (2018). Microsoft malware classification challenge. arXiv."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Kolosnjaji, B., Zarras, A., Webster, G., and Eckert, C. (2016). Deep learning for classification of malware system call sequences. Australasian Joint Conference on Artificial Intelligence, Springer.","DOI":"10.1007\/978-3-319-50127-7_11"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Kalash, M., Rochan, M., Mohammed, N., Bruce, N.D., Wang, Y., and Iqbal, F. (2018, January 26\u201328). Malware classification with deep convolutional neural networks. Proceedings of the 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Paris, France.","DOI":"10.1109\/NTMS.2018.8328749"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Hu, X., Chiueh, T.c., and Shin, K.G. (2009, January 9\u20133). Large-scale malware indexing using function-call graphs. Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA.","DOI":"10.1145\/1653662.1653736"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Nataraj, L., Karthikeyan, S., Jacob, G., and Manjunath, B.S. (2011, January 20). Malware images: Visualization and automatic classification. Proceedings of the 8th International Symposium on Visualization for Cyber Security, Pittsburgh, PA, USA.","DOI":"10.1145\/2016904.2016908"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Tian, R., Batten, L., Islam, R., and Versteeg, S. (2009, January 13\u201314). An automated classification system based on the strings of trojan and virus families. Proceedings of the 2009 4th International conference on malicious and unwanted software (MALWARE), Montreal, QC, Canada.","DOI":"10.1109\/MALWARE.2009.5403021"},{"key":"ref_40","unstructured":"IDA Pro (2021, June 23). A Powerful Disassembler and a Versatile Debugger. Available online: https:\/\/hex-rays.com\/ida-pro\/."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Deshotels, L., Notani, V., and Lakhotia, A. (2014, January 22\u201324). Droidlegacy: Automated familial classification of android malware. Proceedings of the ACM SIGPLAN on Program Protection and Reverse Engineering Workshop, San Diego, CA, USA.","DOI":"10.1145\/2556464.2556467"},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"1104","DOI":"10.1016\/j.eswa.2013.07.106","article-title":"Dendroid: A text mining approach to analyzing and classifying code structures in android malware families","volume":"41","author":"Tapiador","year":"2014","journal-title":"Expert Syst. Appl."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Dash, S.K., Suarez-Tangil, G., Khan, S., Tam, K., Ahmadi, M., Kinder, J., and Cavallaro, L. (2016, January 22). Droidscribe: Classifying android malware based on runtime behavior. Proceedings of the 2016 IEEE Security and Privacy Workshops (SPW), San Jose, CA, USA.","DOI":"10.1109\/SPW.2016.25"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"262","DOI":"10.1109\/TDSC.2017.2739145","article-title":"EC2: Ensemble clustering and classification for predicting android malware families","volume":"17","author":"Chakraborty","year":"2017","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_45","unstructured":"(2020, May 06). Androguard. Available online: https:\/\/github.com\/androguard\/androguard."},{"key":"ref_46","unstructured":"(2020, May 06). Apktool. Available online: https:\/\/ibotpeaches.github.io\/Apktool\/."},{"key":"ref_47","unstructured":"Lantz, P. (2019, November 19). Dynamic Analysis of Android Apps. Available online: https:\/\/github.com\/pjlantz\/droidbox."},{"key":"ref_48","unstructured":"(2019, November 19). Cuckoo Automated Malware Analysis. Available online: https:\/\/cuckoosandbox.org\/."},{"key":"ref_49","unstructured":"(2021, May 25). Kaspersky Scan Engine Detection Technologies. Available online: https:\/\/support.kaspersky.com\/ScanEngine\/1.0\/en-US\/179821.htm."},{"key":"ref_50","unstructured":"(2021, May 25). What are Signatures and How Does Signature-Based Detection Work?. Available online: https:\/\/home.sophos.com\/en-us\/security-news\/2020\/what-is-a-signature.aspx."},{"key":"ref_51","unstructured":"(2021, August 08). What is Heuristic Analysis?. Available online: https:\/\/usa.kaspersky.com\/resource-center\/definitions\/heuristic-analysis."},{"key":"ref_52","unstructured":"Chistyakov, A., and Andreev, A. (2021, February 22). AI Under Attack: How to Secure Machine Learning in Security Systems; Technical Report; Kaspersky Threat Research. Available online: https:\/\/media.kaspersky.com\/en\/business-security\/enterprise\/machine-learning-cybersecurity-whitepaper.pdf."},{"key":"ref_53","unstructured":"(2021, February 22). Machine Learning in Cybersecurity. Available online: https:\/\/www.kaspersky.com\/enterprise-security\/wiki-section\/products\/machine-learning-in-cybersecurity."},{"key":"ref_54","unstructured":"(2021, February 22). What Is a Honeypot?. Available online: https:\/\/www.kaspersky.com\/resource-center\/threats\/what-is-a-honeypot."},{"key":"ref_55","unstructured":"(2021, February 22). Cyber Threat Alliance. Available online: https:\/\/cyberthreatalliance.org\/."},{"key":"ref_56","unstructured":"(2021, February 14). List of Consumer AV Vendors (PC). Available online: https:\/\/www.av-comparatives.org\/list-of-consumer-av-vendors-pc\/."},{"key":"ref_57","doi-asserted-by":"crossref","unstructured":"Johnston, J.R. (2008). Technological Turf Wars: A Case Study of the Computer Antivirus Industry, Temple University Press.","DOI":"10.2307\/j.ctt14btfb4"},{"key":"ref_58","unstructured":"(2021, February 22). Aviews. Available online: http:\/\/web.archive.org\/web\/20080511191350\/http:\/\/www.aviews.net\/."},{"key":"ref_59","unstructured":"(2021, February 22). About ASC. Available online: https:\/\/web.archive.org\/web\/20120624014952\/http:\/\/www.antispywarecoalition.org\/documents\/index.htm."},{"key":"ref_60","unstructured":"Broadcom Inc (2021, August 05). 2016 Internet Security Threat Report. Available online: https:\/\/docs.broadcom.com\/doc\/istr-21-2016-en."},{"key":"ref_61","unstructured":"(2021, August 05). Internet Security Threat Report; Volume 22. Available online: https:\/\/docs.broadcom.com\/doc\/istr-22-2017-en."},{"key":"ref_62","unstructured":"(2021, August 05). Internet Security Threat Report; Volume 23. Available online: https:\/\/docs.broadcom.com\/doc\/istr-23-2018-en."},{"key":"ref_63","unstructured":"(2021, August 05). Internet Security Threat Report; Volume 24. Available online: https:\/\/docs.broadcom.com\/doc\/istr-24-2019-en."},{"key":"ref_64","unstructured":"(2021, August 05). Motive Security Labs Malware Report\u2014H2 2014. Available online: http:\/\/www.alcatel-lucent.com\/press\/2015\/alcatel-lucent-report-malware-2014-sees-rise-device-and-network-attacks-place-personal-and-workplace."},{"key":"ref_65","unstructured":"(2021, August 05). Nokia Threat Intelligence Report\u2014H2 2015. Available online: http:\/\/resources.alcatel-lucent.com\/asset\/193174."},{"key":"ref_66","unstructured":"(2021, August 05). Motive Security Labs Malware Report\u2014H1 2015. Available online: http:\/\/https\/\/www.alcatel-lucent.com\/press\/2015\/alcatel-lucent-malware-report-shows-significant-rise-mobile-infections-pcs-and-adware-first-six."},{"key":"ref_67","unstructured":"(2021, August 05). Nokia Threat Intelligence Report\u2014H1 2016. Available online: https:\/\/onestore.nokia.com\/asset\/200492?_ga=2.143738807.324392894.1628194291-917306451.1628194291."},{"key":"ref_68","unstructured":"(2021, August 05). Nokia Threat Intelligence Report\u2014H2 2016. Available online: https:\/\/onestore.nokia.com\/asset\/201094?_ga=2.147017525.324392894.1628194291-917306451.1628194291."},{"key":"ref_69","unstructured":"(2021, August 05). Nokia Threat Intelligence Report 2017. Available online: https:\/\/onestore.nokia.com\/asset\/201621?_ga=2.144314295.324392894.1628194291-917306451.1628194291."},{"key":"ref_70","unstructured":"(2021, August 05). Nokia Threat Intelligence Report 2019. Available online: https:\/\/onestore.nokia.com\/asset\/205835?_ga=2.180503333.324392894.1628194291-917306451.1628194291."},{"key":"ref_71","unstructured":"(2021, August 05). Nokia Threat Intelligence Report 2020. Available online: https:\/\/pages.nokia.com\/T005JU-Threat-Intelligence-Report-2020.html?_ga=2.215575189.324392894.1628194291-917306451.1628194291."},{"key":"ref_72","unstructured":"(2021, August 06). Sophos Security Threat Report 2014. Available online: http:\/\/www.sophos.com\/en-us\/medialibrary\/pdfs\/other\/sophos-security-threat-report-2014.pdf."},{"key":"ref_73","unstructured":"(2021, August 06). SophosLabs Looking Ahead: SophosLabs 2017 Malware Forecast. Available online: https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/technical-papers\/sophoslabs-2017-malware-forecast-report.pdf."},{"key":"ref_74","unstructured":"(2021, August 06). SophosLabs 2018 Malware Forecast. Available online: https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/technical-papers\/malware-forecast-2018.pdf."},{"key":"ref_75","unstructured":"Kaspersky Security Bulletin 2012 (2021, August 06). The Overall Statistics for 2012. Available online: https:\/\/securelist.com\/kaspersky-security-bulletin-2012-the-overall-statistics-for-2012\/36703\/#1."},{"key":"ref_76","unstructured":"Kaspersky Security Bulletin 2014 (2021, August 06). Overall Statistics for 2014. Available online: https:\/\/securelist.com\/kaspersky-security-bulletin-2014-overall-statistics-for-2014\/68010\/."},{"key":"ref_77","unstructured":"(2021, August 06). Mobile Malware Evolution 2015. Available online: https:\/\/securelist.com\/mobile-malware-evolution-2015\/73839\/."},{"key":"ref_78","unstructured":"(2021, August 06). Mobile Malware Evolution 2016. Available online: https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2018\/03\/07180734\/Mobile_report_2016.pdf."},{"key":"ref_79","unstructured":"(2021, August 06). Mobile Malware Evolution 2017. Available online: https:\/\/securelist.com\/mobile-malware-review-2017\/84139\/."},{"key":"ref_80","unstructured":"(2021, August 06). Mobile Malware Evolution 2018. Available online: https:\/\/securelist.com\/mobile-malware-evolution-2018\/89689\/."},{"key":"ref_81","unstructured":"(2021, August 06). Mobile Malware Evolution 2019. Available online: https:\/\/securelist.com\/mobile-malware-evolution-2019\/96280\/."},{"key":"ref_82","unstructured":"(2021, August 06). Mobile Malware Evolution 2020. Available online: https:\/\/securelist.com\/mobile-malware-evolution-2020\/101029\/."},{"key":"ref_83","unstructured":"(2021, August 06). H1 2016 Global and Regional Trends of the \u2018Most Wanted\u2019 Malware. Available online: https:\/\/blog.checkpoint.com\/wp-content\/uploads\/2016\/10\/H1_Malware_Report_161028v2.pdf."},{"key":"ref_84","unstructured":"(2021, August 06). Check Point Research\u2019s 2017 Global Cyber Attack Trends Report. Available online: https:\/\/www.checkpoint.com\/downloads\/product-related\/infographic\/H2_2017_Global_Cyber_Attack_Trends_Report.pdf."},{"key":"ref_85","unstructured":"(2021, August 06). Check Point Research\u2019s Cyber Attack Trends Analysis: Key Insights to Gear up for in 2019. Available online: https:\/\/www.checkpointdirect.co.uk\/media\/downloads\/check-point-2019-security-report-volume-1.pdf."},{"key":"ref_86","unstructured":"(2021, August 06). Check Point Research\u2019s 2020 Cyber Security Report. Available online: https:\/\/www.checkpoint.com\/downloads\/resources\/cyber-security-report-2020.pdf."},{"key":"ref_87","unstructured":"(2021, August 06). Android Security 2016 Year In Review. Available online: https:\/\/source.android.com\/security\/reports\/Google_Android_Security_2016_Report_Final.pdf."},{"key":"ref_88","unstructured":"(2021, August 06). Android Security 2017 Year In Review. Available online: https:\/\/source.android.com\/security\/reports\/Google_Android_Security_2017_Report_Final.pdf."},{"key":"ref_89","unstructured":"(2021, August 06). Android Security 2018 Year In Review. Available online: https:\/\/source.android.com\/security\/reports\/Google_Android_Security_2018_Report_Final.pdf."},{"key":"ref_90","unstructured":"(2020, January 14). Contagio Mobile Malware Mini Dump. Available online: https:\/\/contagiominidump.blogspot.com\/."},{"key":"ref_91","unstructured":"(2019, September 11). VirusShare. Available online: https:\/\/virusshare.com\/."},{"key":"ref_92","unstructured":"(2019, September 11). VirusTotal. Available online: https:\/\/www.virustotal.com\/gui\/home\/upload."},{"key":"ref_93","unstructured":"(2021, February 10). DroidBench. Available online: https:\/\/github.com\/secure-software-engineering\/DroidBench."},{"key":"ref_94","doi-asserted-by":"crossref","unstructured":"Wei, F., Li, Y., Roy, S., Ou, X., and Zhou, W. (2017). Deep ground truth analysis of current android malware. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Springer.","DOI":"10.1007\/978-3-319-60876-1_12"},{"key":"ref_95","unstructured":"(2020, November 10). SandDroid. Available online: http:\/\/sanddroid.xjtu.edu.cn:8080\/."},{"key":"ref_96","doi-asserted-by":"crossref","unstructured":"Allix, K., Bissyand\u00e9, T.F., Klein, J., and Le Traon, Y. (2016, January 4\u201315). Androzoo: Collecting millions of android apps for the research community. Proceedings of the 2016 IEEE\/ACM 13th Working Conference on Mining Software Repositories (MSR), Austin, TX, USA.","DOI":"10.1145\/2901739.2903508"},{"key":"ref_97","unstructured":"(2020, January 14). Google Play. Available online: https:\/\/play.google.com\/store."},{"key":"ref_98","doi-asserted-by":"crossref","unstructured":"Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., Van Der Veen, V., and Platzer, C. (2014, January 11). Andrubis\u20131,000,000 apps later: A view on current Android malware behaviors. Proceedings of the 2014 Third International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), Wroclaw, Poland.","DOI":"10.1109\/BADGERS.2014.7"},{"key":"ref_99","unstructured":"(2021, February 10). DARPA APAC Program. Available online: https:\/\/www.darpa.mil\/program\/automated-program-analysis-for-cybersecurity."},{"key":"ref_100","unstructured":"(2021, February 11). 7723 Market. Available online: https:\/\/goo.gl\/iMi4Bo."},{"key":"ref_101","unstructured":"(2021, February 11). Android Life. Available online: https:\/\/goo.gl\/hAov2G."},{"key":"ref_102","unstructured":"(2021, February 11). Eoemarket. Available online: https:\/\/goo.gl\/FB0ykP."},{"key":"ref_103","unstructured":"(2021, February 11). Mobomarket. Available online: https:\/\/goo.gl\/tzpjY7."},{"key":"ref_104","unstructured":"Wong, M.Y., and Lie, D. (2018, January 15\u201317). Tackling runtime-based obfuscation in Android with {TIRO}. Proceedings of the 27th {USENIX} Security Symposium ({USENIX} Security 18), Baltimore, MD, USA."},{"key":"ref_105","unstructured":"(2021, February 10). android_run_root_shell. Available online: https:\/\/github.com\/android-rooting-tools\/android_run_root_shell."},{"key":"ref_106","unstructured":"(2021, February 10). CVE-2012-6422. Available online: https:\/\/github.com\/dongmu\/vulnerability-poc\/tree\/master\/CVE-2012-6422."},{"key":"ref_107","unstructured":"(2021, February 10). CVE-2014-3153. Available online: https:\/\/github.com\/timwr\/CVE-2014-3153."},{"key":"ref_108","unstructured":"(2021, February 10). Root-Zte-Open. Available online: https:\/\/github.com\/poliva\/root-zte-open."},{"key":"ref_109","unstructured":"(2021, February 10). CVE-2015-3636. Available online: https:\/\/github.com\/fi01\/CVE-2015-3636."},{"key":"ref_110","unstructured":"(2021, February 10). AndroTotal. Available online: http:\/\/andrototal.org\/."},{"key":"ref_111","doi-asserted-by":"crossref","unstructured":"Lindorfer, M., Volanis, S., Sisto, A., Neugschwandtner, M., Athanasopoulos, E., Maggi, F., Platzer, C., Zanero, S., and Ioannidis, S. (2014). AndRadar: Fast discovery of android applications in alternative markets. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Springer.","DOI":"10.1007\/978-3-319-08509-8_4"},{"key":"ref_112","doi-asserted-by":"crossref","unstructured":"Lashkari, A.H., Kadir, A.F.A., Taheri, L., and Ghorbani, A.A. (2018, January 22\u201325). Toward developing a systematic approach to generate benchmark android malware datasets and classification. Proceedings of the 2018 International Carnahan Conference on Security Technology (ICCST), Montreal, QC, Canada.","DOI":"10.1109\/CCST.2018.8585560"},{"key":"ref_113","doi-asserted-by":"crossref","unstructured":"Wang, H., Liu, Z., Liang, J., Vallina-Rodriguez, N., Guo, Y., Li, L., Tapiador, J., Cao, J., and Xu, G. (November, January 31). Beyond google play: A large-scale comparative study of chinese android app markets. Proceedings of the Internet Measurement Conference 2018, Boston, MA, USA.","DOI":"10.1145\/3278532.3278558"},{"key":"ref_114","doi-asserted-by":"crossref","unstructured":"Kotzias, P., Caballero, J., and Bilge, L. (2020). How Did That Get In My Phone? Unwanted App Distribution on Android Devices. arXiv.","DOI":"10.1109\/SP40001.2021.00041"},{"key":"ref_115","doi-asserted-by":"crossref","unstructured":"Spreitzenbarth, M., Freiling, F., Echtler, F., Schreck, T., and Hoffmann, J. (2013, January 18\u201322). Mobile-sandbox: Having a deeper look into android applications. Proceedings of the 28th Annual ACM Symposium on Applied Computing, Coimbra, Portugal.","DOI":"10.1145\/2480362.2480701"},{"key":"ref_116","unstructured":"(2021, February 10). MobiSec Lab Website. Available online: http:\/\/www.mobiseclab.org\/."},{"key":"ref_117","unstructured":"(2021, February 10). Hacking Team Spying Tool Listens to Calls. Available online: https:\/\/www.trendmicro.com\/en_us\/research\/15\/g\/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in.html."},{"key":"ref_118","unstructured":"(2021, February 10). android-malware. Available online: https:\/\/github.com\/ashishb\/android-malware."},{"key":"ref_119","doi-asserted-by":"crossref","unstructured":"Canfora, G., Mercaldo, F., Moriano, G., and Visaggio, C.A. (2015, January 24\u201327). Composition-malware: Building android malware at run time. Proceedings of the 2015 10th International Conference on Availability, Reliability and Security, Toulouse, France.","DOI":"10.1109\/ARES.2015.64"},{"key":"ref_120","doi-asserted-by":"crossref","unstructured":"Mirsky, Y., Shabtai, A., Rokach, L., Shapira, B., and Elovici, Y. (2016, January 24\u201328). Sherlock vs moriarty: A smartphone dataset for cybersecurity research. Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security, Vienna, Austria.","DOI":"10.1145\/2996758.2996764"},{"key":"ref_121","unstructured":"(2021, February 11). Arbor Networks. Available online: https:\/\/www.netscout.com\/arbor-ddos."},{"key":"ref_122","unstructured":"(2021, February 11). Trend Micro. Available online: https:\/\/trendmicro.com\/."},{"key":"ref_123","unstructured":"(2021, February 11). McAfee. Available online: https:\/\/mcafee.com\/."},{"key":"ref_124","unstructured":"(2021, February 11). Comodo Cybersecurity. Available online: https:\/\/comodo.com\/."},{"key":"ref_125","unstructured":"(2021, February 11). Antiy Labs. Available online: https:\/\/antiy.net\/."},{"key":"ref_126","unstructured":"(2021, February 11). Symantec. Available online: https:\/\/broadcom.com\/."},{"key":"ref_127","doi-asserted-by":"crossref","unstructured":"Wei, F., Lin, X., Ou, X., Chen, T., and Zhang, X. (2018, January 15\u201319). Jn-saf: Precise and efficient ndk\/jni-aware inter-language static analysis framework for security vetting of android applications with native code. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada.","DOI":"10.1145\/3243734.3243835"},{"key":"ref_128","doi-asserted-by":"crossref","unstructured":"Felt, A.P., Finifter, M., Chin, E., Hanna, S., and Wagner, D. (2011, January 17). A survey of mobile malware in the wild. Proceedings of the 1st ACM workshop on Security and Privacy in Smartphones and Mobile Devices, Chicago, IL, USA.","DOI":"10.1145\/2046614.2046618"},{"key":"ref_129","unstructured":"Hoffmann, J., Neumann, S., and Holz, T. Mobile malware detection based on energy fingerprints\u2014A dead end?. Proceedings of the International Workshop on Recent Advances in Intrusion Detection."},{"key":"ref_130","doi-asserted-by":"crossref","unstructured":"Mutti, S., Fratantonio, Y., Bianchi, A., Invernizzi, L., Corbetta, J., Kirat, D., Kruegel, C., and Vigna, G. (2015, January 7\u201311). Baredroid: Large-scale analysis of android apps on real devices. Proceedings of the 31st Annual Computer Security Applications Conference, Los Angeles, CA, USA.","DOI":"10.1145\/2818000.2818036"},{"key":"ref_131","doi-asserted-by":"crossref","unstructured":"Mulliner, C., Oberheide, J., Robertson, W., and Kirda, E. (2013, January 9\u201313). Patchdroid: Scalable third-party security patches for android devices. Proceedings of the 29th Annual Computer Security Applications Conference, New Orleans, LA, USA.","DOI":"10.1145\/2523649.2523679"},{"key":"ref_132","doi-asserted-by":"crossref","unstructured":"Nadji, Y., Giffin, J., and Traynor, P. (2011, January 5\u20139). Automated remote repair for mobile malware. Proceedings of the 27th Annual Computer Security Applications Conference, Orlando, FL, USA.","DOI":"10.1145\/2076732.2076791"},{"key":"ref_133","unstructured":"Yuan, L.P., Hu, W., Yu, T., Liu, P., and Zhu, S. (2019, January 23\u201325). Towards large-scale hunting for Android negative-day malware. Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019), Beijing, China."},{"key":"ref_134","unstructured":"Chen, K.Z., Johnson, N.M., D\u2019Silva, V., Dai, S., MacNamara, K., Magrino, T.R., Wu, E.X., Rinard, M., and Song, D.X. (2013, January 24\u201327). Contextual Policy Enforcement in Android Applications with Permission Event Graphs. Proceedings of the NDSS, San Diego, CA, USA."},{"key":"ref_135","doi-asserted-by":"crossref","unstructured":"Wu, C., Zhou, Y., Patel, K., Liang, Z., and Jiang, X. (2014, January 23\u201326). AirBag: Boosting Smartphone Resistance to Malware Infection. Proceedings of the NDSS, San Diego, CA, USA.","DOI":"10.14722\/ndss.2014.23164"},{"key":"ref_136","doi-asserted-by":"crossref","unstructured":"Zhang, X., Zhang, Y., Zhong, M., Ding, D., Cao, Y., Zhang, Y., Zhang, M., and Yang, M. (2020, January 9\u201313). Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event.","DOI":"10.1145\/3372297.3417291"},{"key":"ref_137","unstructured":"(2021, March 10). OTX AlienVault. Available online: https:\/\/otx.alienvault.com\/."},{"key":"ref_138","unstructured":"Amit, I., Matherly, J., Hewlett, W., Xu, Z., Meshi, Y., and Weinberger, Y. (2018). Machine learning in cyber-security-problems, challenges and data sets. arXiv."},{"key":"ref_139","unstructured":"Salem, A., Banescu, S., and Pretschner, A. (2020). Maat: Automatically Analyzing VirusTotal for Accurate Labeling and Effective Malware Detection. arXiv."},{"key":"ref_140","unstructured":"Zhu, S., Shi, J., Yang, L., Qin, B., Zhang, Z., Song, L., and Wang, G. (2020, January 12\u201314). Measuring and modeling the label dynamics of online anti-malware engines. Proceedings of the 29th {USENIX} Security Symposium ({USENIX} Security 20), Virtual Event."},{"key":"ref_141","unstructured":"(2021, February 22). A New Virus Naming Convention. Available online: http:\/\/www.caro.org\/articles\/naming.html."},{"key":"ref_142","unstructured":"(2021, June 23). Malware Family Naming Hell is Our Own Fault. Available online: https:\/\/www.gdatasoftware.com\/blog\/malware-family-naming-hell."},{"key":"ref_143","unstructured":"(2021, June 12). Malware Names. Available online: https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/intelligence\/malware-naming."},{"key":"ref_144","unstructured":"Suarez-Tangil, G., and Stringhini, G. (2020). Eight Years of Rider Measurement in the Android Malware Ecosystem. IEEE Trans. Dependable Secur. Comput."},{"key":"ref_145","unstructured":"(2021, February 22). Trojan:AndroidOS\/Fakeplayer.B. Available online: https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan%3AAndroidOS%2FFakeplayer.B."},{"key":"ref_146","unstructured":"(2021, February 22). Trojan:AndroidOS\/Fakebrows.A. Available online: https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:AndroidOS\/Fakebrows.A."},{"key":"ref_147","doi-asserted-by":"crossref","unstructured":"Miller, B., Kantchelian, A., Tschantz, M.C., Afroz, S., Bachwani, R., Faizullabhoy, R., Huang, L., Shankar, V., Wu, T., and Yiu, G. (2016, January 7\u20138). Reviewer integration and performance measurement for malware detection. Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, San Sebastian, Spain.","DOI":"10.1007\/978-3-319-40667-1_7"},{"key":"ref_148","doi-asserted-by":"crossref","unstructured":"Kantchelian, A., Tschantz, M.C., Afroz, S., Miller, B., Shankar, V., Bachwani, R., Joseph, A.D., and Tygar, J.D. (2015, January 12\u201316). Better malware ground truth: Techniques for weighting anti-virus vendor labels. Proceedings of the 8th ACM Workshop on Artificial Intelligence and Security, Denver, CO, USA.","DOI":"10.1145\/2808769.2808780"},{"key":"ref_149","doi-asserted-by":"crossref","first-page":"846","DOI":"10.1080\/01621459.1971.10482356","article-title":"Objective criteria for the evaluation of clustering methods","volume":"66","author":"Rand","year":"1971","journal-title":"J. Am. Stat. Assoc."},{"key":"ref_150","unstructured":"Warrens, M.J., and van der Hoef, H. (2019). Understanding partition comparison indices based on counting object pairs. arXiv."},{"key":"ref_151","unstructured":"(2021, April 04). App Defense Alliance. Available online: https:\/\/developers.google.com\/android\/play-protect\/app-defense-alliance\/."},{"key":"ref_152","doi-asserted-by":"crossref","unstructured":"Maggi, F., Bellini, A., Salvaneschi, G., and Zanero, S. (2011, January 15\u201319). Finding non-trivial malware naming inconsistencies. Proceedings of the International Conference on Information Systems Security, Kolkata, India.","DOI":"10.1007\/978-3-642-25560-1_10"},{"key":"ref_153","doi-asserted-by":"crossref","first-page":"3401","DOI":"10.1109\/TIFS.2019.2947861","article-title":"Familial clustering for weakly-labeled android malware using hybrid representation learning","volume":"15","author":"Zhang","year":"2019","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_154","doi-asserted-by":"crossref","unstructured":"Pirch, L., Warnecke, A., Wressnegger, C., and Rieck, K. (2021, January 26). TagVet: Vetting Malware Tags using Explainable Machine Learning. Proceedings of the 14th European Workshop on Systems Security 2021, Online.","DOI":"10.1145\/3447852.3458719"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/16\/5671\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T06:49:44Z","timestamp":1760165384000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/16\/5671"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,23]]},"references-count":154,"journal-issue":{"issue":"16","published-online":{"date-parts":[[2021,8]]}},"alternative-id":["s21165671"],"URL":"https:\/\/doi.org\/10.3390\/s21165671","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,8,23]]}}}