At Trustlook, we monitor live feed from VirusTotal (VT). On ...
At Trustlook, we monitor live feed from VirusTotal (VT). On a daily basis, we collect APK samples from VT along with detection results from Anti-Virus (AV) vendors hosted on VT. Using a conservative labeling policy, we are able to select thousands of benign and malicious APK samples from millions of live feed samples. Then we look at detection results from AV vendors and rate them by how many malware they have detected and how many benign samples they have misclassified.
We generate a CSV file recording the detection results everyday. In the CSV file, from left to right, the columns are MD5 hash of the APK, label where 1 means positive (malicious) and 0 means negative (benign), and one column for each vendor showing its detection results where 1 means positive and 0 means negative.
On a weekly basis, we publish the detection results and zip the CSV files to AWS S3. For this week, you can download the detection data from:
The weekly results are summarized in the table below and here is a simple explanation of the columns in the table:
- Vendor: AV engine vendor
- TPR: True Positive Rate, percentage of positive (malware) samples being correctly classified as positive
- FPR: False Positive Rate, percentage of negative (goodware) samples being misclassified as positive
- TP: True Positive, number of positive (malware) samples being correctly classified as positive
- FP: False Positive, number of negative (goodware) samples being misclassified as positive
- TN: True Negative, number of negative (goodware) samples being correctly classified as negative
- FN: False Negative, number of positive (malware) samples being misclassified as negative
Please send an email to firstname.lastname@example.org if you have any comments. Thanks.