{
	"id": "6b2448f8-b1d6-499b-bc04-a191ed475075",
	"created_at": "2026-04-06T01:29:10.424828Z",
	"updated_at": "2026-04-10T03:20:06.950586Z",
	"deleted_at": null,
	"sha1_hash": "8e789a15edbeab96e7b654110d5582da696964e4",
	"title": "Android Mischief Dataset — Stratosphere Laboratory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65334,
	"plain_text": "Android Mischief Dataset — Stratosphere Laboratory\r\nPublished: 2020-11-18 · Archived: 2026-04-06 00:52:51 UTC\r\nIntroduction\r\nA Remote Access Trojan (RAT) is a type of malware that allows the attacker (client) to gain control of the target’s\r\ndevice (server) to remotely control it. RATs are one of the most important threats nowadays since they are used as\r\npart of most attacks, from APTs to Ransomware. It is not an easy task to detect RATs in the network traffic,\r\nespecially when it comes to Android RATs in phones. Why? The main problem is that there are no easy ways to\r\nlook at the network traffic on our mobile devices. Our phones are much harder to protect than our computers.\r\nEven in cases where there are external network traffic analyzers, there are no good RAT detectors. To approach the\r\nproblem of the lack of Android RATs detection in the network traffic, we want to help the community by creating\r\nthe Android Mischief Dataset, which contains network traffic from mobile phones infected with real and\r\nworking Android RATs.\r\nThe Android Mischief Dataset is part of the Civilsphere Project (https://www.civilsphereproject.org/), which aims\r\nto protect the civil society at risk by understanding how the attacks work and how we can stop them. Check the\r\nwebpage for more information.\r\nThe Android Mischief Dataset is a dataset of network traffic from mobile phones infected with Android RATs. Its\r\ngoal is to offer the community a dataset to learn and analyze the network behaviour of RATs, in order to propose\r\nnew detections to protect our devices. The current version of the dataset includes 7 packet captures from 7\r\nexecuted Android RATs. The Android Mischief Dataset was done in the Stratosphere Laboratory, Czech Technical\r\nUniversity in Prague.\r\nExecution Methodology\r\nTo create this dataset, we followed a methodology for each of the RATs. 
The methodology consists of the\r\nfollowing 4 steps: (i) Installation, (ii) Execution, (iii) Traffic Capture, and (iv) Dataset Logging.\r\n1. Installation. This step consists of searching for the code of the RAT on the Internet, downloading it,\r\ninstalling an appropriate virtual machine for execution of the RAT’s controller, including all the library\r\nrequirements on the virtual machine (e.g. .NET Framework, JRE), and finally preparing the physical phone\r\nor phone virtual emulator as a victim to infect.\r\n2. Execution. In this step we execute the downloaded RAT as follows. First, use the Builder app in the\r\nWindows VM to create and build a new APK file. Second, start the RAT Controller in the Windows VM so\r\nit is ready to receive victims. Third, send the APK to the phone.\r\n3. Traffic Capture. When performing actions in the controller and the server, we capture the network traffic\r\nusing our own VPN server, or in the case of an Android virtual emulator, we can use the computer network\r\ninterface.\r\n4. Dataset Logging. When performing actions in the client and the server, we also write a log file of the\r\nperformed actions and take screenshots for each action in the Controller and the phone. As a result, each\r\nRAT in the dataset includes an APK file, a log file, screenshot files, a pcap file and a README.md.\r\nDataset files for each executed RAT\r\nEach RAT of the dataset contains the following files:\r\n1. README.md - This file is the generic description of the execution, containing the name of the executed\r\nRAT, details of the RAT execution environment, details of the pcap (client’s IP and server’s IP, time of start\r\nof the infection).\r\n2. APK - The APK file generated by the RAT’s builder. Be aware that the APK was built for our own servers,\r\nso it cannot be used in a real attack.\r\n3. 
log - A very detailed and specific time log of all the actions performed in the client and the server during the\r\nexperiment, e.g. “2020-08-11 10:20:21 controller: execute command ‘Take Photo - Back Camera’”. The\r\npurpose of this log is to let the researchers match the actions with the packets in the pcap.\r\n4. pcap - The network traffic of the whole infection. Sometimes captured on the host computer running the\r\ncontroller VM, sometimes using the Emergency VPN software.\r\n5. screenshots - A folder with screenshots of the mobile device and controller while performing the actions on\r\nthe client and the server.\r\nExecuted RATs and Download\r\nThe first version of the Android Mischief Dataset, v1, includes the following 7 RATs: Android Tester v6.4.6,\r\nDroidJack v4.4, HawkShaw, SpyMax v2.0, AndroRAT, Saefko Attack Systems v4.9 and AhMyth.\r\nThe Android Mischief Dataset can be downloaded in two ways: as one zip file containing all the RATs together, or\r\neach RAT can be downloaded individually.\r\nDownload the whole Android Mischief Dataset as one zip file from here:\r\nhttps://mcfp.felk.cvut.cz/publicDatasets/Android-Mischief-Dataset/\r\nTo download each RAT execution individually, use these links:\r\nRAT01 - Android Tester v.6.4.6 [download here]\r\nRAT02 - DroidJack v4.4 [download here]\r\nRAT03 - HawkShaw [download here]\r\nRAT04 - SpyMAX v2.0 [download here]\r\nRAT05 - AndroRAT [download here]\r\nRAT06 - Saefko Attack Systems v4.9 [still not available]\r\nRAT07 - AhMyth [download here]\r\nCitation\r\nIf you are using this dataset for your research, please reference it as “Stratosphere Laboratory. Android Mischief\r\nDataset v1. November 18th. Kamila Babayeva. 
https://www.stratosphereips.org/android-mischief-dataset”\r\nContacts\r\nIf you have any questions or you want the source code of RATs and their requirements, do not hesitate to contact\r\nkamifai14@gmail.com\r\nSource: https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset"
	],
	"report_names": [
		"android-mischief-rats-dataset"
	],
	"threat_actors": [],
	"ts_created_at": 1775438950,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e789a15edbeab96e7b654110d5582da696964e4.pdf",
		"text": "https://archive.orkl.eu/8e789a15edbeab96e7b654110d5582da696964e4.txt",
		"img": "https://archive.orkl.eu/8e789a15edbeab96e7b654110d5582da696964e4.jpg"
	}
}