Table of Contents
Fetching ...

Better Call Graphs: A New Dataset of Function Call Graphs for Malware Classification

Jakir Hossain, Gurvinder Singh, Lukasz Ziarek, Ahmet Erdem Sarıyüce

TL;DR

This paper targets the limitations of Android function call graph (FCG) datasets for malware classification by introducing Better Call Graphs (BCG), a large, recent, and unique collection of Android FCGs with both benign and malicious samples and accompanying non-graph APK features. The authors outline a rigorous collection and filtering pipeline (data sources, year/size filtering, AVClass-based labeling, static FCG extraction via Androguard, and duplicate removal using six graph properties) to ensure high-quality, non-redundant graphs. They perform extensive baseline evaluations with graph neural networks and APK-level features, revealing that modern classifiers struggle on BCG, in contrast to inflated performance on older datasets due to duplicates and outdated samples. The results underscore the need for new graph-classification methods that generalize to contemporary Android malware and demonstrate that BCG provides a robust, reproducible testbed for future research. The dataset and code are publicly available, fostering transparent evaluation in the malware-analysis community.

Abstract

Function call graphs (FCGs) have emerged as a powerful abstraction for malware detection, capturing the behavioral structure of applications beyond surface-level signatures. Their utility in traditional program analysis has been well established, enabling effective classification and analysis of malicious software. In the mobile domain, especially in the Android ecosystem, FCG-based malware classification is particularly critical due to the platform's widespread adoption and the complex, component-based structure of Android apps. However, progress in this direction is hindered by the lack of large-scale, high-quality Android-specific FCG datasets. Existing datasets are often outdated, dominated by small or redundant graphs resulting from app repackaging, and fail to reflect the diversity of real-world malware. These limitations lead to overfitting and unreliable evaluation of graph-based classification methods. To address this gap, we introduce Better Call Graphs (BCG), a comprehensive dataset of large and unique FCGs extracted from recent Android application packages (APKs). BCG includes both benign and malicious samples spanning various families and types, along with graph-level features for each APK. Through extensive experiments using baseline classifiers, we demonstrate the necessity and value of BCG compared to existing datasets. BCG is publicly available at https://erdemub.github.io/BCG-dataset.

Better Call Graphs: A New Dataset of Function Call Graphs for Malware Classification

TL;DR

This paper targets the limitations of Android function call graph (FCG) datasets for malware classification by introducing Better Call Graphs (BCG), a large, recent, and unique collection of Android FCGs with both benign and malicious samples and accompanying non-graph APK features. The authors outline a rigorous collection and filtering pipeline (data sources, year/size filtering, AVClass-based labeling, static FCG extraction via Androguard, and duplicate removal using six graph properties) to ensure high-quality, non-redundant graphs. They perform extensive baseline evaluations with graph neural networks and APK-level features, revealing that modern classifiers struggle on BCG, in contrast to inflated performance on older datasets due to duplicates and outdated samples. The results underscore the need for new graph-classification methods that generalize to contemporary Android malware and demonstrate that BCG provides a robust, reproducible testbed for future research. The dataset and code are publicly available, fostering transparent evaluation in the malware-analysis community.

Abstract

Function call graphs (FCGs) have emerged as a powerful abstraction for malware detection, capturing the behavioral structure of applications beyond surface-level signatures. Their utility in traditional program analysis has been well established, enabling effective classification and analysis of malicious software. In the mobile domain, especially in the Android ecosystem, FCG-based malware classification is particularly critical due to the platform's widespread adoption and the complex, component-based structure of Android apps. However, progress in this direction is hindered by the lack of large-scale, high-quality Android-specific FCG datasets. Existing datasets are often outdated, dominated by small or redundant graphs resulting from app repackaging, and fail to reflect the diversity of real-world malware. These limitations lead to overfitting and unreliable evaluation of graph-based classification methods. To address this gap, we introduce Better Call Graphs (BCG), a comprehensive dataset of large and unique FCGs extracted from recent Android application packages (APKs). BCG includes both benign and malicious samples spanning various families and types, along with graph-level features for each APK. Through extensive experiments using baseline classifiers, we demonstrate the necessity and value of BCG compared to existing datasets. BCG is publicly available at https://erdemub.github.io/BCG-dataset.
Paper Structure (16 sections, 3 figures, 12 tables)

This paper contains 16 sections, 3 figures, 12 tables.

Figures (3)

  • Figure 1: Construction process of BCG.
  • Figure 2: Temporal distribution of APKs in BCG.
  • Figure 3: Performance comparison across all methods on MalNet-Tiny and CICMalDroid datasets before and after removing the duplicate APKs. Removing duplicates decreases the performance drastically for all methods.