LAMDA: A Longitudinal Android Malware Benchmark for Concept Drift Analysis
Md Ahsanul Haque, Ismail Hossain, Md Mahmuduzzaman Kamol, Md Jahangir Alam, Suresh Kumar Amalapuram, Sajedul Talukder, Mohammad Saidur Rahman
TL;DR
LAMDA tackles the real-world problem of concept drift in Android malware detection by introducing a longitudinal benchmark that spans 2013–2025 (excluding 2015) and encompasses over 1M APKs across 1,380 malware families. It constructs a static-feature representation based on Drebin features, labels data using VirusTotal consensus, and enriches samples with family labels via AVClass2, enabling both binary and multi-class analyses. The paper conducts extensive drift analyses including supervised learning degradation under AnoShift-style splits, feature-space and latent-space stability studies, and SHAP-based explanation drift, while comparing against API Graph to show LAMDA’s stronger drift signals. The contributions provide a robust platform for evaluating concept drift, generalization, explainability, and continual learning in evolving Android malware contexts, with practical implications for building more resilient detectors. LAMDA thus offers a scalable, reproducible resource to study long-term threat evolution, model adaptation, and reliable drift-aware defenses in real-world malware detection settings.
Abstract
Machine learning (ML)-based malware detection systems often fail to account for the dynamic nature of real-world training and test data distributions. In practice, these distributions evolve due to frequent changes in the Android ecosystem, adversarial development of new malware families, and the continuous emergence of both benign and malicious applications. Prior studies have shown that such concept drift -- distributional shifts in benign and malicious samples, leads to significant degradation in detection performance over time. Despite the practical importance of this issue, existing datasets are often outdated and limited in temporal scope, diversity of malware families, and sample scale, making them insufficient for the systematic evaluation of concept drift in malware detection. To address this gap, we present LAMDA, the largest and most temporally diverse Android malware benchmark to date, designed specifically for concept drift analysis. LAMDA spans 12 years (2013-2025, excluding 2015), includes over 1 million samples (approximately 37% labeled as malware), and covers 1,380 malware families and 150,000 singleton samples, reflecting the natural distribution and evolution of real-world Android applications. We empirically demonstrate LAMDA's utility by quantifying the performance degradation of standard ML models over time and analyzing feature stability across years. As the most comprehensive Android malware dataset to date, LAMDA enables in-depth research into temporal drift, generalization, explainability, and evolving detection challenges. The dataset and code are available at: https://iqsec-lab.github.io/LAMDA/.