Android Crypto Ransomware System Call Dataset

Citation Author(s):
Submitted by:
Christopher Chew
Last updated:
Wed, 01/31/2024 - 00:45
Data Format:
0 ratings - Please login to submit your rating.


This dataset aims to provide researchers with the essential information to aid in the development and improvement surrounding system call pattern detection for crypto ransomware on Android.

Our dataset provides two sets of extracted and formatted system call logs. The first set consists of system call logs collected from 213 crypto ransomware and the second set consist of 502 benign Android applications.

The ransomware samples were acquired from Koodous and collected over a short period of 3 months (April 2020 to June 2020). For our benign dataset, the samples were acquired from APKPURE and collected over the same period as the ransomware samples.



Set 1: Android Crypto Ransomware

The malicious dataset contains system call logs from 213 Android crypto ransomware, which have been categorised into six families. The six families are listed below followed by the number of samples in the respective family.

  • Six Android families:
    • Filecoder - 5
    • WannaLocker - 51
    • WipeLocker - 70
    • BlackRoseLucy - 17
    • Pletor - 6
    • SimpleLocker - 64

Set 2: Benign Dataset

The benign data contains system call logs from 502 benign Android applications from various categories. Two of these logs are included as cache-cleaning applications as they closely resemble behaviours similar to ransomware.

Dataset Folder Structure & Usage

  1. Raw extracted system call logs - This folder contains the raw system call logs extracted from Strace on an Android emulator running API level 24 with 1536MB RAM.
    • Strace log format: <PID> <Timestamp: HH:MM:SS> <System call>
  2. Formatted system call logs
    • Formatted log format: <PID>;<timestamp>;<system call>;<arguments>

    • Each sample contains three different files:

      • Layer_1_syscall_output_<file_hash/file_name>.apk.log - Filtered out unnecessary system calls, such as clock_gettime() and mprotect() and grouped by PID
      • sep_chars_syscall_output_<file_hash/file_name>.apk.log - Formatted system calls using seperation characters
      • sep_char_abs_syscall_output_<file_hash/file_name>.apk.log - Formatted and abstracted system calls
  3. Detected patterns of formatted system call logs
    • There are three different files in this folder. Each file contains the patterns detected for the three different levels of severity (General, Suspicious, and Malicious). The section below lists out the 12 patterns we created to detect ransomware.

Behavioural Patterns

Below are the 12 patterns used to detect crypto ransomware patterns, categorised into their respective severity levels. The 12 behavioural patterns were derived from a pilot test, which observed the system call-level behaviours exhibited from a selected set of Android crypto ransomware and benign applications. Please refer to associated paper for a more in-depth description of the evaluation.

Severity Level: Malicious

  • Rename & Unlink User - Renaming and unlinking a file within the user's main directories
  • Unlinking User Files - Unlinking a file within the user's main directories
  • Unknown File Ext Created - Creation of a file within the user's main directories with an unknown file extension
  • Read User File - Reading a file within the user main directories
  • Write File Unknown Extension - Writing to a file with an unknown file extension

Severity Level: Suspicious

  • IPv4 Connections - Connecting to an external connection in dotted quad notation
  • Directory Search - Searching through any directories
  • URL to Obfuscated Filename - Writing a URL address to an obfuscated file name
  • Socket Create and Connect - Creation of a socket and making external network connections

Severity Level: General

  • File Write - Writing to any file from any location
  • File Read - Reading any file from any location
  • Generic File Unlink - File unlinks not within the user directory