Android Mischief Dataset: network dataset of mobile phones infected with Android Remote Access Trojans
Source: Mendeley Data (indexed 2026-04-18)
Download link:
https://data.mendeley.com/datasets/xbx2j63xfd
Description:
The Android Mischief Dataset is a dataset of network traffic from mobile phones infected with Android RATs. Its goal is to offer the community a dataset for learning and analyzing the network behavior of RATs, in order to propose new detections that protect our devices.
The dataset consists of 8 packet captures from 8 executed Android RATs. The Android RATs used in the dataset are:
- RAT01 - Android Tester v6.4.6
- RAT02 - DroidJack v4.4
- RAT03 - HawkShaw
- RAT04 - SpyMAX v2.0
- RAT05 - AndroRAT
- RAT06 - Saefko Attack Systems v4.9
- RAT07 - AhMyth
- RAT08 - Command-line AndroRAT
The dataset contains a folder and its zip for each of the experiments. Each experiment was conducted manually by controlling the attacker and the victim. Considering that, each folder contains the following files:
- README.md - the generic description of the execution, containing the name of the executed RAT, details of the RAT execution environment, details of the pcap (client’s IP and server’s IP, time of start of the infection).
- APK - APK file generated by the RAT’s attacker program.
- Log - very detailed and specific time log of all the actions performed in the client and the server during the experiment.
- Pcap - network traffic of the whole infection.
- Screenshots - a folder with screenshots of the mobile device and controller while performing malicious actions.
- Zeek logs - a folder with Zeek generated logs after running Zeek on a RAT pcap.
The zip files are encrypted with the password ‘infected’.
Created:
2021-07-01



