This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.


Android Malware Dataset
External Dataset
External Data Source
University of New Brunswick
56 (lowest rank is 56)

Category & Restrictions

mobile software, network data, malware, cyber attack


We collected more than 10,854 samples (4,354 malware and 6,500 benign) from several sources. We have collected over six thousand benign apps from Googleplay market published in 2015, 2016, 2017.

We installed 5,000 of the collected samples (426 malware and 5,065 benign) on real devices. Our malware samples in the CICAndMal2017 dataset are classified into four categories:

      SMS Malware

Our samples come from 42 unique malware families. The family kinds of each category and the numbers of the captured samples are as follows:

      Dowgin family, 10 captured samples
      Ewind family, 10 captured samples
      Feiwo family, 15 captured samples
      Gooligan family, 14 captured samples
      Kemoge family, 11 captured samples
      koodous family, 10 captured samples
      Mobidash family, 10 captured samples
      Selfmite family, 4 captured samples
      Shuanet family, 10 captured samples
      Youmi family, 10 captured samples


      Charger family, 10 captured samples
      Jisut family, 10 captured samples
      Koler family, 10 captured samples
      LockerPin family, 10 captured samples
      Simplocker family, 10 captured samples
      Pletor family, 10 captured samples
      PornDroid family, 10 captured samples
      RansomBO family, 10 captured samples
      Svpeng family, 11 captured samples
      WannaLocker family, 10 captured samples


      AndroidDefender 17 captured samples
      AndroidSpy.277 family, 6 captured samples
      AV for Android family, 10 captured samples
      AVpass family, 10 captured samples
      FakeApp family, 10 captured samples
      FakeApp.AL family, 11 captured samples
      FakeAV family, 10 captured samples
      FakeJobOffer family, 9 captured samples
      FakeTaoBao family, 9 captured samples
      Penetho family, 10 captured samples
      VirusShield family, 10 captured samples

SMS Malware

      BeanBot family, 9 captured samples
      Biige family, 11 captured samples
      FakeInst family, 10 captured samples
      FakeMart family, 10 captured samples
      FakeNotify family, 10 captured samples
      Jifake family, 10 captured samples
      Mazarbot family, 9 captured samples
      Nandrobox family, 11 captured samples
      Plankton family, 10 captured samples
      SMSsniffer family, 9 captured samples
      Zsone family, 10 captured samples

In order to acquire a comprehensive view of our malware samples, we created a specific scenario for each malware category. We also defined three states of data capturing in order to overcome the stealthiness of an advanced malware:

      Installation: The first state of data capturing which occurs immediately after installing malware (1-3 min).
      Before restart: The second state of data capturing which occurs 15 min before rebooting phones.
      After restart: The last state of data capturing which occurs 15 min after rebooting phones.

For feature Extraction and Selection, we captured network traffic features (.pcap files), and extracted more than 80 features by using CICFlowMeter-V3 during all three mentioned states (installation, before restart, and after restart). See our publicly available Android Sandbox.

Additional Details

malware, android, dataset, android malware dataset, 1256, external, inferlink corporation, corporation, inferlink, source, external data source, samples, captured, family, benign, collected, 354, googleplay, published, apps, 854, sources, 2016, 2017, market, 500, 2015, restart, capturing, min, occurs, installation, features, phones, sms, scareware, adware, fakeapp, rebooting, category, ransomware, fakenotify, cicflowmeter, jisut, biige, installed, files, dowgin, publicly, fakejoboffer, real, comprehensive, created, androidspy, avpass, mentioned, fakeav, penetho, shuanet, network, jifake, installing, fakemart, sandbox, plankton, gooligan, families, specific, simplocker, 065, cicandmal2017, nandrobox, kemoge, classified, ewind, al, extraction, feiwo, 000, charger, selection, av, unique, virusshield, youmi, smssniffer, advanced, stealthiness, androiddefender, extracted, beanbot, defined, ransombo, koler, devices, selfmite, other, 426, v3, koodous, mazarbot, pletor, 277, view, lockerpin, mobidash, traffic, wannalocker, porndroid, overcome, kinds, acquire, fakeinst, feature, scenario, pcap, categories, zsone, faketaobao, svpeng