Android Mischief Dataset: network dataset of mobile phones infected with Android Remote Access Trojans
The Android Mischief Dataset is a dataset of network traffic from mobile phones infected with Android RATs. Its goal is to offer the community a dataset to learn and analyze the network behavior of RATs in order to propose new detections that protect our devices. The dataset consists of 8 packet captures from 8 executed Android RATs. The Android RATs used in the dataset are:

- RAT01 - Android Tester v6.4.6
- RAT02 - DroidJack v4.4
- RAT03 - HawkShaw
- RAT04 - SpyMAX v2.0
- RAT05 - AndroRAT
- RAT06 - Saefko Attack Systems v4.9
- RAT07 - AhMyth
- RAT08 - Command-line AndroRAT

The dataset contains a folder, and a zip of that folder, for each of the experiments. Each experiment was conducted manually by controlling both the attacker and the victim. Accordingly, each folder contains the following files:

- README.md - the generic description of the execution, containing the name of the executed RAT, details of the RAT execution environment, and details of the pcap (the client's IP and the server's IP, and the time at which the infection started).
- APK - the APK file generated by the RAT's attacker program.
- Log - a very detailed and specific time log of all the actions performed on the client and the server during the experiment.
- Pcap - the network traffic of the whole infection.
- Screenshots - a folder with screenshots of the mobile device and the controller while the malicious actions were performed.
- Zeek logs - a folder with the logs Zeek generated when run on the RAT pcap.

The zip files are encrypted with the password 'infected'.
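Because every experiment ships a Zeek log folder together with a README.md that names the server's IP and the infection start time, the two can be combined to label each flow in conn.log as RAT or benign before any detection work begins. The script below is an added example, not part of the dataset or its tooling; the conn.log records it parses are constructed for illustration, and the C2 IP and start time it uses are placeholders for the values an experiment's README.md would provide. It also flags the one inconsistency a practitioner should catch: a flow to the C2 server stamped before the README's infection start time.

```python
"""Label Zeek conn.log flows from one Android Mischief experiment.

Assumptions (not taken from the dataset page): the C2 server IP and the
infection start time are read from the experiment's README.md, and the
column names are the standard Zeek conn.log fields. The sample log below
is constructed for this example, not copied from the dataset.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample conn.log: a #fields header followed by five records.
# Tabs are joined explicitly so the separator is unambiguous.
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
_ROWS = [
    # pre-infection benign traffic (e.g. a social media app over TLS)
    ["1600000000.100000", "Cuid1", "10.8.0.61", "44321", "157.240.1.35", "443", "tcp", "ssl", "12.5", "2048", "51200", "SF"],
    # a flow to the C2 IP *before* the README's infection start: label conflict
    ["1599999990.000000", "Cuid5", "10.8.0.61", "44320", "192.0.2.10", "1337", "tcp", "-", "1.0", "60", "60", "SF"],
    # long-lived C2 channel after infection start
    ["1600000100.200000", "Cuid2", "10.8.0.61", "44322", "192.0.2.10", "1337", "tcp", "-", "3600.0", "900", "1200", "S1"],
    # short reconnect to the C2 with missing duration value ("-")
    ["1600000105.300000", "Cuid3", "10.8.0.61", "44323", "192.0.2.10", "1337", "tcp", "-", "-", "80", "40", "RSTO"],
    # benign traffic that continues during the infection
    ["1600000200.400000", "Cuid4", "10.8.0.61", "44324", "104.244.42.1", "443", "tcp", "ssl", "5.0", "1500", "30000", "SF"],
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#fields\t" + "\t".join(_FIELDS)]
    + ["\t".join(r) for r in _ROWS]
) + "\n"

# Placeholder values standing in for what an experiment's README.md states.
C2_SERVER_IP = "192.0.2.10"          # README: server's IP (placeholder)
INFECTION_START_TS = 1600000050.0    # README: time of start of infection (placeholder)


@dataclass
class LabeledFlow:
    uid: str
    ts: float
    resp_h: str
    resp_p: int
    duration: float
    total_bytes: int
    label: str  # "benign", "rat" or "review"


def _num(value: str) -> float:
    """Zeek writes '-' for unset numeric fields; treat those as zero."""
    return 0.0 if value == "-" else float(value)


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek conn.log into dicts keyed by the names in the #fields line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close)
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def label_flows(records: List[Dict[str, str]], c2_ip: str, start_ts: float) -> List[LabeledFlow]:
    """Label every flow: contact with the C2 IP after the infection start is 'rat';
    contact with the C2 IP before it contradicts the README and is marked 'review';
    everything else is 'benign'."""
    out = []
    for r in records:
        ts = float(r["ts"])
        touches_c2 = c2_ip in (r["id.orig_h"], r["id.resp_h"])
        if touches_c2 and ts >= start_ts:
            label = "rat"
        elif touches_c2:
            label = "review"
        else:
            label = "benign"
        out.append(LabeledFlow(
            uid=r["uid"], ts=ts, resp_h=r["id.resp_h"], resp_p=int(r["id.resp_p"]),
            duration=_num(r["duration"]),
            total_bytes=int(_num(r["orig_bytes"]) + _num(r["resp_bytes"])),
            label=label,
        ))
    return out


def summarize(flows: List[LabeledFlow]) -> Dict[str, float]:
    """Per-label counts plus two features that separate RAT C2 channels from
    ordinary app traffic: bytes exchanged with the C2 and the longest C2 session."""
    rat = [f for f in flows if f.label == "rat"]
    return {
        "benign_flows": sum(1 for f in flows if f.label == "benign"),
        "rat_flows": len(rat),
        "review_flows": sum(1 for f in flows if f.label == "review"),
        "rat_bytes": sum(f.total_bytes for f in rat),
        "longest_rat_duration": max((f.duration for f in rat), default=0.0),
    }


if __name__ == "__main__":
    labeled = label_flows(parse_conn_log(SAMPLE_CONN_LOG), C2_SERVER_IP, INFECTION_START_TS)
    for f in labeled:
        print(f"{f.uid}\t{f.resp_h}:{f.resp_p}\t{f.duration:>7.1f}s\t{f.total_bytes:>6}B\t{f.label}")
    print(summarize(labeled))
```

The "review" label matters when you build a training set from these captures: the README's start time is the ground truth for when the victim was infected, so a C2 contact before it points at a clock or metadata mismatch that should be resolved rather than silently learned.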
Steps to reproduce
Each experiment's README.md contains a link to the RAT source code used in that experiment. The source code of a RAT usually includes two programs: the RAT controller and the RAT builder. The RAT controller is the main software used to execute commands and control the victim. The RAT builder is the program that builds the malicious RAT APK which infects the phone.

Each experiment was run manually, so we set up an attacker machine and a victim machine. For the attacker machine, we mostly used a virtual machine running Windows 7 or Windows 10 with the RAT source code installed on it. For the victim machine, we used a physical phone or a Genymotion virtual emulator and later infected it with the RAT APK. The details of the environment for both machines are specified in the same README.md.

The network traffic was captured on the mobile phone and on the Genymotion emulator using the Emergency VPN. In the Genymotion emulator, the traffic can also be captured on its network interface using tcpdump. After the environments were set up and the capture of the phone's network traffic had started, first the benign traffic from normal applications such as Facebook or Twitter was captured, and second the RAT infection was captured. During the experiment, we executed all the malicious actions the RAT made available.

To sum up:

1. Download the RAT source code from the link in the README.md of each experiment.
2. Set up the attacker machine (a virtual machine with the RAT source code on it).
3. Set up the victim machine (a physical phone with Android OS or the Genymotion emulator).
4. Capture the network traffic on the victim machine before and during the RAT infection (using the VPN, or the network interface of the Genymotion emulator, to capture the traffic).