DroidRan: A Hardware Behavior Dataset for Android Ransomware Threats

About the dataset This dataset contains 22 hardware-level features collected from an Android smartphone after exposure to 12 ransomware families. The ransomware samples are delivered through three squatting-based cyberattack vectors: GUI squatting (e.g., watering-hole style deception), app squatting (e.g., trojanized/impersonated apps using cross-site scripting–style deception), and email squatting (e.g., phishing-based delivery). In addition, the dataset provides a structured mapping of hardware-feature variations across ransomware lifecycle stages aligned with the MITRE ATT&CK Mobile (Android) matrix, covering Initial Access, Privilege Escalation, Command and Control, and Impact. To the best of our knowledge, this is the first dataset that systematically associates Android hardware-feature telemetry with ransomware behavior across multiple attack stages and families. Hardware features The dataset includes six primary feature groups: RAM status, network traffic, battery, CPU, GPU, and CPU clock speed. Each group contains the following sub-features: RAM Status: f1 – Total RAM (GB), f2 – Free RAM (GB), f3 – Available internal memory (MB), f4 – Available storage (GB), f5 – Total internal memory (GB) Traffic: f6 – Received (kb/s), f7 – Transmitted (kb/s) Battery: f8 – Voltage (mV), f9 – Temperature (°C) CPU (Thermal sensors °C): f10 – Thermal sensor 0, f11 – Thermal sensor 1, f12 – Thermal sensor 2 GPU: f13 – Temperature (°C), f14 – Frequency (MHz) Clock Speed (per core (MHz to GHz)): f15 – CPU 0, f16 – CPU 1, f17 – CPU 2, f18 – CPU 3, f19 – CPU 4, f20 – CPU 5, f21 – CPU 6, f22 – CPU 7 Dataset organization and sample specification For each ransomware family, the dataset provides normalized hardware-feature samples for both pre-attack (baseline) and post-attack conditions. Across 12 ransomware families on three squatting-based attacks, the dataset includes:229,298 samples, in which 43756 are benign samples and 255542 are malwares. All samples are organized into 12 separate folders, one folder per ransomware family, with stage-wise separation for post-attack samples.