Kharon Malware Dataset

This page gives access to the Kharon dataset, which has been published in the proceedings of LASER16 (paper (to appear), slides).

The Kharon dataset is a collection of malware that has been fully reverse engineered and documented. We built it to evaluate our own research experiments. Building it required a huge amount of work: understanding the malicious code, triggering it, and then writing the documentation. The dataset is now available for research purposes; we hope it will help you conduct your own experiments.

If you plan to use the dataset, do not forget to cite us in your publications (Bibtex ref).

Kharon dataset: 7 malware under a microscope

These 7 malware samples correspond to the publication Kharon dataset: Android malware under a microscope. All of them have been manually dissected and documented. This lets us highlight their behavior and their triggering techniques, and identify the location of the malicious code in the reversed source code. From this precise description, we give a graphical representation of the information flows induced by an execution of the malware.

  • BadNews: Undesired applications installation
  • DroidKungFu1: Undesired applications installation
  • SimpLocker: Ransom, data encryption and phone locking
  • WipeLocker: Erase data on SD card and block social applications
  • Cajino: Remote controlled spyware which uses Baidu Cloud Push notification messages
  • MobiDash: Aggressive adware which can wait several weeks before triggering
  • SaveMe: Remote controlled spyware which can make phone calls and send SMS

Other malware of the Kharon dataset

For each family of malware, one sample has been studied.

Malware that are only partially studied at this time

You can contribute to enlarge the dataset!

To do so, simply fill in the following JSON template. You can send it to valerie.viettriemtong@centralesupelec.fr or publish it on your own site. In the latter case, we will be pleased to report the contribution.

JSON information template

We use a JSON file to encode the malware description (with additional files supplying images and source code extracts). The JSON file looks like this:

{
"name": "My Malware",
"short-description": "Ransom, data encryption and phone locking",
"issue-date": "2016-01-11",

"sourceurl":[
     {"url":"http://www.welivesecurity.com/2014/06/04/simplocker/",
      "url-title":"ESET Analyzes Simplocker – First Android File-Encrypting, TOR-enabled Ransomware"},
     {"url":"http://securehoney.net/blog/how-to-dissect-android-simplelocker-ransomware.html#.Vfbkud-uO1I",
      "url-title":"How To Dissect Android Simplelocker Ransomware"}
],

"remark":"Some remarks",

"triggering" : "How to trigger the malware.",

"java-description": "[MainService.java] is the service started when the application is launched...",


"fingerprint-attack-availability" : 1,
"fingerprint-attack-confidentiality" : 1,
"fingerprint-attack-integrity" : 1,
"fingerprint-attack-normaluse" : 1,
"fingerprint-block-apps" : 1,
"fingerprint-bot-server" : 1,
"fingerprint-call-number" : 1,
"fingerprint-crypto" : 1,
"fingerprint-data-destroy" : 1,
"fingerprint-data-encrypt" : 1,
"fingerprint-data-unusable" : 1,
"fingerprint-download-data" : 1,
"fingerprint-intent" : 1,
"fingerprint-java-code" : 1,
"fingerprint-launch" : 1,
"fingerprint-native-code" : 1,
"fingerprint-not-hidden" : 1,
"fingerprint-reflexion" : 1,
"fingerprint-remove-icon" : 1,
"fingerprint-repack-app" : 1,
"fingerprint-root-access" : 1,
"fingerprint-screen-lock" : 1,
"fingerprint-send-sms" : 1,
"fingerprint-server-order" : 1,
"fingerprint-stand-app" : 1,
"fingerprint-static-time" : 1,
"fingerprint-steal-call" : 1,
"fingerprint-steal-clogs" : 1,
"fingerprint-steal-contacts" : 1,
"fingerprint-steal-imei" : 1,
"fingerprint-steal-location" : 1,
"fingerprint-steal-number" : 1,
"fingerprint-steal-photos" : 1,
"fingerprint-steal-sms" : 1,
"fingerprint-type-adware" : 1,
"fingerprint-type-brick" : 1,
"fingerprint-type-paying" : 1,
"fingerprint-type-ransom" : 1,
"fingerprint-type-rat" : 1,
"fingerprint-type-spy" : 1,

"description-file": "mymalware.rst",

"kharon" : 0,

"images":[
     {"img-name":"screen_1.png", "img-title":"The infected app"},
     {"img-name":"screen_2.png", "img-title":"The image displayed on the screen asking for a ransom"}
]
}

Any contribution is welcome and may use this file format to encode the description.
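
A contribution received by e-mail or fetched from a third-party site can be checked against the template before it is published. The Python sketch below is an added example, not part of the Kharon tooling. The set of mandatory fields, the 0/1 meaning of the fingerprint values and the bare-file-name rule for description-file are assumptions, and the sample input is constructed.

```python
import json
from datetime import date

# Fingerprint suffixes copied from the template on this page.
FINGERPRINTS = set("""attack-availability attack-confidentiality attack-integrity
attack-normaluse block-apps bot-server call-number crypto data-destroy data-encrypt
data-unusable download-data intent java-code launch native-code not-hidden reflexion
remove-icon repack-app root-access screen-lock send-sms server-order stand-app
static-time steal-call steal-clogs steal-contacts steal-imei steal-location steal-number
steal-photos steal-sms type-adware type-brick type-paying type-ransom type-rat type-spy
""".split())
# Assumption: these fields are mandatory; the page does not say which ones are.
REQUIRED = ("name", "short-description", "issue-date", "triggering", "description-file")
LISTS = {"sourceurl": ("url", "url-title"), "images": ("img-name", "img-title")}

def validate(text):
    """Return the problems found in a contribution; an empty list means it passed."""
    try:
        doc = json.loads(text)  # strict parser: trailing commas are rejected
    except json.JSONDecodeError as e:
        return [f"not valid JSON (line {e.lineno}): {e.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    errs = [f"missing or empty field: {k}" for k in REQUIRED
            if not isinstance(doc.get(k), str) or not doc[k].strip()]
    try:
        date.fromisoformat(doc.get("issue-date", ""))
    except (TypeError, ValueError):
        errs.append("issue-date is not an ISO date (YYYY-MM-DD)")
    for key, value in doc.items():
        if not key.startswith("fingerprint-"):
            continue
        if key[12:] not in FINGERPRINTS:  # catches misspelled keys
            errs.append(f"unknown fingerprint key: {key}")
        elif isinstance(value, bool) or value not in (0, 1):  # assumed 0/1 flags
            errs.append(f"{key} must be 0 or 1")
    for key, fields in LISTS.items():
        items = doc.get(key, [])
        for i, item in enumerate(items if isinstance(items, list) else [None]):
            if not isinstance(item, dict) or not all(isinstance(item.get(f), str) for f in fields):
                errs.append(f"{key}[{i}] must be an object with string fields {fields}")
    fname = doc.get("description-file")  # assumption: a bare .rst name, never a path
    if isinstance(fname, str) and ("/" in fname or "\\" in fname or not fname.endswith(".rst")):
        errs.append("description-file must be a bare .rst file name")
    return errs

# Constructed sample: misspelled fingerprint key and a path in description-file.
SAMPLE = '{"name": "X", "short-description": "d", "issue-date": "2016-01-11", "triggering": "t", "description-file": "../x.rst", "fingerprint-steal-sm": 1}'
if __name__ == "__main__":
    print(validate(SAMPLE))
```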

Contributors

The following people have all contributed to the reverse engineering of the Kharon dataset:

  • A. Abraham
  • R. Andriatsimanefitra
  • S. Bale
  • B. Bannier
  • N. Kiss
  • E. Charron
  • L. Cloatre
  • M. Menu
  • G. Savy
  • J.-F. Lalande
  • V. Viet Triem Tong