Global Site Navigation (use tab and down arrow)

Canadian Institute for Cybersecurity

Android Adware and General Malware Dataset

The sophisticated and advanced Android malware is able to identify the presence of the emulator used by the malware analyst and in response, alter its behavior to evade detection. To overcome this issue, we installed the Android applications on the real device and captured its network traffic.

AAGM dataset is captured by installing the Android apps on the real smartphones semi-automated. The dataset is generated from 1900 applications with the following three categories:

1. Adware (250 apps)

  • Airpush: Designed to deliver unsolicited advertisements to the user’s systems for information stealing.

  • Dowgin: Designed as an advertisement library that can also steal the user’s information.

  • Kemoge: Designed to take over a user’s Android device. This adware is a hybrid of botnet and disguises itself as popular apps via repackaging.

  • Mobidash: Designed to display ads and to compromise user’s personal information.

  • Shuanet: Similar to Kemoge, Shuanet also is designed to take over a user’s device.

2. General Malware (150 apps)

  • AVpass: Designed to be distributed in the guise of a Clock app.

  • FakeAV: Designed as a scam that tricks user to purchase a full version of the software in order to re-mediate non-existing infections.

  • FakeFlash/FakePlayer: Designed as a fake Flash app in order to direct users to a website (after successfully installed).

  • GGtracker: Designed for SMS fraud (sends SMS messages to a premium-rate number) and information stealing.

  • Penetho: Designed as a fake service (hacktool for Android devices that can be used to crack the WiFi password). The malware is also able to infect the user’s computer via infected email attachment, fake updates, external media and infected documents.

3. Benign (1500 apps)

  • 2015 GooglePlay market (top free popular and top free new)

  • 2016 GooglePlay market (top free popular and top free new)

The dataset consists of the following:

  1. .pcap files – the network traffic of both the malware and benign (20% malware and 80% benign)

  2. .csv files - the list of extracted network traffic features generated by the CIC-flowmeter

The full research paper outlining the details of the dataset and its underlying principles:

Arash Habibi Lashkari, Andi Fitriah A.Kadir, Hugo Gonzalez, Kenneth Fon Mbah and Ali A. Ghorbani, “Towards a Network-Based Framework for Android Malware Detection and Characterization”, In the proceeding of the 15th International Conference on Privacy, Security and Trust, PST, Calgary, Canada, 2017.

For more information, contact A.Habibi.L@unb.ca.