Malware labels


Euphony is a command-line tool we developed to infer a single label per malicious application.

The results are derived from VirusTotal reports. The tool requires Java 1.6+ to be installed.

You can use Euphony to:

  • create a single target class prior to your machine-learning experiments
  • gather knowledge about your dataset, including malware families and other tokens
  • find syntactic and semantic associations between malware labels (e.g. basebridge, basebrid)

Find more information on this GitHub repository:


We created an index of malware labels using Euphony from our set of Android applications.

Find the list of malware labels on this link:

The archive contains Euphony's output and is structured as follow:

  • names/*: information on malware names (e.g. Dogwin)
  • types/* (experimental): information on malware types (e.g. trojan)
  • */proposed.json: mapping between applications and inferred label
  • */election.json: mapping between applications and label frequencies
  • */parse-rules.json: mapping between raw labels and extracted tokens
  • */cluster-rules.json: mapping between extracted and clustered tokens
  • Citation

    If you use Euphony or its labels in a scientific publication, we would appreciate citations to the following paper:

        title={Euphony: harmonious unification of cacophonous anti-virus vendor labels for Android malware},
        author={Hurier, M{\'e}d{\'e}ric and Suarez-Tangil, Guillermo and Dash, Santanu Kumar and Bissyand{\'e}, Tegawend{\'e} F and Traon, Yves Le and Klein, Jacques and Cavallaro, Lorenzo},
        booktitle={Proceedings of the 14th International Conference on Mining Software Repositories},
        organization={IEEE Press}