The Android Mischief Dataset is a dataset of network traffic from mobile phones infected with Android Remote Access Trojans (RATs). Its goal is to offer the community the dataset to learn and analyze the network behaviour of RATs and propose new detections. Current version of the dataset includes 8 packet captures from 8 executed Android RATs. Android Mischief Dataset was done in the Stratosphere Laboratory, Czech Technical University in Prague.
RATs executed:
Dataset files for each executed RAT:
The phone was using the Emergency VPN (https://www.civilsphereproject.org/emergency-vpn) to capture its traffic. All captures were done in CEST time (GMT+2). Which means that your tools looking at the pcap files may show a different time depending on your time zone. Since the time of capture inside the pcap file is 000000, then if you are in timezone GMT+1, you will see in your tools the packets with 1hs less of when they were captured. The real capture time is in the log file.
Firstly, the second version of Android Mischief Dataset present two more RATs that were not in the first version, namely RAT06_Saefko and RAT08_cli_AndroRAT. Secondly, each RAT packet capture was fixed using the command tcpdump -r <file.pcap> -w <file-fixed.pcap>. This command allows to fix the packets that were cut when terminating a capture. Lastly, each RAT folder contains a new folder with Zeek generated logs after running Zeek on a pcap.
If you have any questions or you want source code of RATs and their requirements, do not hesitate to contact me kamifai14@gmail.com.