This study addresses the scarcity of Android malware source code and the high cost of manual labeling, which hinder the construction of high-quality datasets. To overcome these challenges, the authors propose an automated collection framework that leverages README files from GitHub repositories to efficiently identify malware source code based solely on document content. The approach employs character-level TF-IDF features combined with a LinearSVC classifier to distinguish between malicious and benign projects, augmented by a confidence threshold mechanism to flexibly balance coverage and false positive rates. Experimental results demonstrate that the model achieves 96.28% accuracy and a remarkably low false positive rate of 1.06% in local evaluation, significantly enhancing the scalability and practicality of malware code discovery.

Compared with binaries and decompiled code, malware source code more directly reflects the attackers' original intent. However, the scarcity of source code and the high cost of manual review make such datasets difficult to build and maintain. We propose MASCOT-Android, a curated dataset of Android malware source code and an automated collection framework for scalable malware source code discovery on GitHub. A key finding of our work is that repository-level documentation alone provides a strong signal for malware source code collection. Our model extracts character-level TF-IDF features from 8,772 malware and 25,747 benign README documents and trains a LinearSVC classifier to distinguish malware repositories. This README-only model achieves an accuracy of 96.28\% and an FPR of 1.06\% in local evaluation. In addition, the model outputs confidence scores, allowing users to adjust the decision threshold to balance FPR and coverage, which is practical in real-world malware source code collection.