MH-1M: A 1.34 Million-Sample Comprehensive Multi-Feature Android Malware Dataset for Machine Learning, Deep Learning, Large Language Models, and Threat Intelligence Research

Hendrio Braganca, Diego Kreutz, Vanderson Rocha, Joner Assolin, and Eduardo Feitosa

Abstract

We present MH-1M, one of the most comprehensive and up-to-date datasets for advanced Android malware research. The dataset comprises 1,340,515 applications, encompassing a wide range of features and extensive metadata. To ensure accurate malware classification, we employ the VirusTotal API, integrating multiple detection engines for comprehensive and reliable assessment. Our GitHub, Figshare, and Harvard Dataverse repositories provide open access to the processed dataset and its extensive supplementary metadata, totaling more than 400 GB of data and including the outputs of the feature extraction pipeline as well as the corresponding VirusTotal reports. Our findings underscore the MH-1M dataset's invaluable role in understanding the evolving landscape of malware.

Paper Structure

This paper contains 17 sections, 7 figures, 18 tables.

Figures (7)

  • Figure 1: The overview of the AMGenerator tool, comprising acquisition, extraction, and labeling modules. The acquisition module retrieves APK files, the extraction module analyzes their features, and the labeling module assigns malware labels based on VirusTotal metadata.
  • Figure 2: The process of obtaining and updating APK labels using VirusTotal metadata. If an APK was recently analyzed, metadata is retrieved directly; otherwise, a reanalysis request is submitted, ensuring up-to-date classification.
  • Figure 3: The AMExplorer tool aggregates and organizes metadata and feature sets extracted by AMGenerator. It generates three datasets: metadata, discrete, and binary, facilitating malware analysis and classification.
  • Figure 4: Confusion matrix results for XGBoost classifier.
  • Figure 5: Confusion matrix results for XGBoost classifier in cross classification.
  • ...and 2 more figures