EntropLyzer: Android Malware Classification and

2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS) | 978-1-7281-6937-8/20/$31.00 ©2021 IEEE | DOI: 10.1109/RDAAPS48126.2021.9452002

Characterization Using Entropy Analysis of

Dynamic Characteristics
David Sean Keyes
Faculty of Computer Science
University of New Brunswick
Fredericton, Canada
Beiqi Li Gurdip Kaur
Canadian Institute for Cybersecurity Canadian Institute for Cybersecurity
University of New Brunswick University of New Brunswick
Fredericton, Canada Fredericton, Canada

[email protected] [email protected] [email protected]

Arash Habibi Lashkari Francois Gagnon Frédéric Massicotte

Canadian Institute for Cybersecurity Canadian Centre for Cyber Security Canadian Centre for Cyber Security
University of New Brunswick Ottawa, Canada Ottawa, Canada
Fredericton, Canada [email protected] [email protected]
[email protected]

Abstract—The unmatched threat of Android malware has
tremendously increased the need for analyzing prominent mal-
ware samples. There are remarkable efforts in static and dynamic
malware analysis using static features and API calls respectively.
Nonetheless, there is a void to classify Android malware by
analyzing its behavior using multiple dynamic characteristics.
This paper proposes EntropLyzer, an entropy-based behavioral
analysis technique for classifying the behavior of 12 eminent
Android malware categories and 147 malware families taken
from CCCS-CIC-AndMal2020 dataset. This work uses six classes
of dynamic characteristics including memory, API, network,
logcat, battery, and process to classify and characterize Android
malware. Results reveal that the entropy-based analysis success-
fully determines the behavior of all malware categories and most
of the malware families before and after rebooting the emulator.
Index Terms—android malware, entropy analysis, malware
behavior, malware classification, malware characterization
I. I NTRODUCTION
Android is the leading platform that provides users with
a high-performance operating system that runs today’s most
popular mobile devices. According to a report published by
the International Data Corporation (IDC), Android dominated
the market with 85% of global market share in the last
quarter of 2020 [5]. The annual global shipment volume of
Android is expected to grow by 150 million units in 2021
[4]. The unprecedented upsurge in Android’s dominance in
the marketplace poses challenges of detecting rising Android
malware samples. As of March 2020, the total number of new
Android malware samples amounted to 482,579 per month [3].
The only way to curb the menace of Android malware is to
detect and analyze it statically or dynamically. Static malware
analysis extracts features from the AndroidManifest.xml file,
978-1-7281-6937-8/20/$31.00 ©2020 IEEE
which contains static features such as permissions, intents,
API calls, and broadcast receivers and providers. Nevertheless,
static analysis cannot detect malware samples which trigger
themselves on sensing a specific running environment. This
gives importance to dynamic malware analysis. This paper
proposes EntropLyzer, an entropy-based malware behavior
analysis that inspects the behavioral change of recent malware
families taken from CCCS-CIC-AndMal2020 dataset. Follow-
ing are the main contributions of this paper:
• We perform dynamic analysis of Android malware sam-
ples taken from the CCCS-CIC-AndMal2020 dataset.
It comprises 12 Android malware categories and 147
malware families that are dynamically analyzed in an
emulated environment. We extract six classes of features
including memory, API, network, battery, logcat, and
process.
• We present EntropLyzer, an entropy-based dynamic be-
havioral analysis for Android malware detection. It uti-
lizes Shannon entropy to identify behavioral changes
in malware families based on six classes of features
extracted from dynamic malware analysis.
• We analyze the patterns obtained from behavioral analysis
to understand the nature of malware categories. These
patterns are visualized to classify the behavior of malware
families.
The rest of the paper is organized as follows: Section II unfolds
the related works on dynamic Android malware analysis. Sec-
tion III details the dataset. Section IV describes the proposed
methodology and is followed by experimental architecture in
Section V. The discussion of experimental results and analyses
are presented in Section VI. Finally, Section VII concludes the
paper and highlights future work.

Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
 II. R ELATED W ORKS
This section summarizes prominent dynamic Android mal-
ware analysis techniques. A comprehensive review of dynamic
malware analysis techniques is conducted in [27] and taxon-
omy of mobile malware and attack vector is presented in [29].
Several dynamic malware analysis emphasized the use of
specific features such as opcodes sequences [28], intents [13],
websites visited by the Android apps [36], overprivileged
permissions [18], ontology-based characteristics shared by
Android malware apps to leverage their presence on a de-
vice [25], and dominance tree of API calls to find similar
patterns in Android apps [7] to detect malware. TraceDroid
Analysis Platform [35] dynamically analyzes Android appli-
cations using a comprehensive tracing scheme. It reveals more
information about Android app execution even in the emulated
environment. A bag-of-words permission model [24] performs
well on static analysis and is claimed to do so for dynamic
analysis as well.
CANDYMAN [22] classifies Android malware families
using dynamic analysis and Markov chains. It combines
the information from various state transitions with the state
frequency distribution to discriminate 179 malware families
captured from Drebin dataset. Zhang et al. [39] also use Drebin
dataset by extracting n-gram and feature hashing to attribute
malware families with high accuracy. Cypider [19] is a novel
fingerprinting technique to generate a fingerprint for similar
malicious instances that share common features and groups
them in a malicious community.
Some dynamic malware analysis techniques utilize input
format to detect malware. DL-Droid [8] detects Android
malware through stateful input generation by using 30,000
applications (benign and malware) on real devices. Olukoya
et al. [26] gather meta-data related to unstructured input and
combine it with decision trees to determine malware with
different characteristics. Feature engineering is also used to
map API calls to certain features and aggregate them to find
the frequency of a feature [32]. Extracted malware patterns
are combined with artificially generated patterns to increase
detection rate [17]. Recently, VizMal is developed to visualize
dynamic traces of malware analysis [12].
DroidChain [37] combines static analysis with behavior
chain model. It addresses malware with a matrix approach by
using four malware models, including privacy leakage, SMS
financial charges, malware installation, and privacy escalation.
The state-based method is merged with the random-based
method to evaluate code coverage capacity within a dynamic
analysis system using real devices [38]. MalDAE [15] corre-
lates static and dynamic API sequences to fuse and map them
semantically to construct a malware detection framework. A
tree augmented Naive Bayes [31] employs the conditional
dependencies among relevant static and dynamic features. Au-
thors also proposed GSDroid, a graph-based feature extraction
approach to detect malware. The hybrid analysis is further
merged with system calls and extracted features to achieve
high accuracy [33].
Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
Fig. 1: Total Number of Malware Samples in Dataset
There are significant efforts in detecting malware using
entropy-based approaches. A representative botnet dataset is
used to detect anomalous pattern of malicious activities per-
formed by the bot traffic using Shannon, Renyi, and Tsallis
entropy-based approach [10]. Structural entropy is used to
detect Android malware with high precision to identify a
malware application, and Android malware family [11]. En-
tropy values are also used to classify a malware packed with
unknown packing algorithms [9]. An entropy-based distance
measure is used to discriminate the degree of metamorphism
in four malware families [30] and ransomware samples [23].
To summarize, dynamic malware analysis techniques and
entropy-based measures are used separately to detect malicious
behavior. This paper integrates both methods to present an
entropy-based malware behavior analysis for a comparatively
larger dataset. We investigate the behavior change of 147
Android malware families that belong to 12 Android malware
categories, based on six classes of features extracted from
dynamic analysis.
III. DATASET
We collaborated with the Canadian Center for Cyber Se-
curity (CCCS) [1] to generate a new dataset namely, CCCS-
CIC-AndMal2020, which includes 400K android apps (200K
benign and 200K malware).
• Malware Data:
CCCS shared their real-world collected Android malware
samples for our analysis. We used VirusTotal [6] to iden-
tify malware family and label the dataset by following a
consensus of 70% anti-viruses to incorporate reliability of
labeled dataset. We searched for similar malware samples to
categorize malware samples in dataset with similar character-
istics. Finally, we got the Android malware data distribution
with 14 malware categories including Adware, Backdoor,
FileInfector, No Category, Potentially Unwanted Apps (PUA),
Ransomware, Riskware, Scareware, Trojan, Trojan-Banker,
Trojan-Dropper, Trojan-SMS, Trojan-Spy and Zero Day as
shown in Fig. 1. We used 12 malware categories (excluding
 Fig. 2: Similarity Graph

No Category and Zero Day) for dynamic malware analysis

owing to incomplete data in these categories. Further, there
are different malware families that belong to every malware
category. A malware family is a variant of malware category
that uses same base code and exhibits similar basic behavior
as shown by the malware category.
• Benign Data:
For benign android apps, we used the Androzoo dataset [21]
which collects samples from different sources including offi-
cial android market, Google Play, Anshi, AppChina, 1mobile,
and Genome project dataset. A weekly updated list containing
all the detailed information about the apps is created. We
also collected 200K benign Android apps from CCCS. We Fig. 3: Proposed Methodology for EntropLyzer
used the mentioned malware and benign samples to perform
static analysis [16]. For dynamic malware analysis, we used
A. Step 1: Dynamic Malware Analysis
malicious samples only.
Android APK files are dynamically executed in a sandbox
• Similarity:
environment. The detailed architecture comprising different
We used DroidKin [14] to detect similarity among various components used to dynamically analyze Android malware
Android malware categories and families. Although every samples is discussed in Section 5. At the end of this step, we
malware category has its unique behavior and characteristics extracted a total of 141 dynamic characteristics including 23
but there are some malware samples that bear resemblance memory features, 105 API features, two battery features, four
to other malware categories. To illustrate, Riskware families network features, one process feature, and six logcat features.
resemble Adware, Backdoor, and Trojan samples as shown in A complete list of dynamic characteristics is presented in Table
Fig. 2. Similarity graph can be used to create a taxonomy of II at the end of the paper.
Zero Day and No Category malware samples.
B. Step 2: Rebooting
IV. P ROPOSED M ETHODOLOGY In this work, it is found that some malware samples are
executed only after rebooting the emulator. After analyzing
This section uncovers EntropLyzer, the proposed method- malware samples and extracting dynamic characteristics, the
ology to analyze the dynamic behaviour of Android malware emulator is rebooted and the process is repeated from the
families using entropy analysis. Fig. 3 presents the step-by- beginning to capture dynamic characteristics again. Thus, we
step procedure to analyze malware behavior. captured two CSV files: (1) before rebooting the emulator,

Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
and (2) after rebooting the emulator. We refer to these files as
before reboot and after reboot file throughout the rest of the
paper.
C. Step 3: Shannon Entropy
Entropy is a measure of randomness or uncertainty of a
variable [34]. It is mathematically represented as:
n
 components: (1) Database, (2) Android sandbox, and (3)
H(X) = − P (xi ) log P (xi )
i=1

where H(X) is the entropy of a variable X, defines the sum
over variable’s possible values, and P(xi ) is the probability of
occurrence of possible outcomes xi of variable X, where i
represents number of outcomes and varies between 1 and n.
We computed the Shannon entropy for every malware sam-
ple before and after rebooting the emulator to understand its
behavior changes. To compute entropy, we treated every record
(malware sample) in the dataset as a one-dimensional labeled
array holding integer data (values of all features extracted
under six classes). Entropy for every record is computed by
using equation (1) by replacing X with record[i,:] as follows:
n invokes other components such as Frida and DroidBot.

H(record[i, :]) = − P (record[i, :]) log P (record[i, :])
i=1
(2)
This step involves two tasks. In the first task (step 3a), we
computed the entropy value for every malware sample in
before reboot and after reboot files. This computation abets
us to assign an entropy value to every malware sample. In
the second task (step 3b), we computed the Shannon entropy
on all features for each malware category in the before and
after reboot file. This ensures to observe behavioral changes
of malware samples for every dynamic characteristic.
D. Step 4: Malware Family Detection
We applied Naive Bayes (NB), Support Vector Machine
(SVM), Random Forest (RF), and Decision Tree (DT) machine
learning (ML) classifiers to perform multi-class classification
of 12 malware categories. We divided the dataset into various
training and testing set combinations to achieve the best re-
sults. We finally split it into 80% training and 20% testing set.
We found that RF classifier outperforms other ML classifiers
to classify malware families. Thus, we applied it to obtain
malware family classification of all malware categories in the
same training and testing set split.
E. Step 5: Malware Behavior Analysis
We used the entropy values to analyze behavioral changes
in each malware family and category. First and foremost,
for analyzing the behavioral changes in malware families,
we compared the entropy for each malware family in before
reboot and after reboot file. Secondly, for analyzing behavioral
changes in malware category, we compared the entropy value
of all features in before and after reboot files. The results
of these comparisons are plotted to visualize the behavioral
changes.
Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
V. A RCHITECTURAL D ETAILS
We used virtual environment in a server to analyze Android
malware categories as presented in previous section. Since
the dataset contains 200K malware samples, we configured
a virtual server farm consisting of 30 virtual machines to
dynamically analyze the samples in parallel. Fig. 4 presents
the architecture of our server farm. It comprises three primary
(1) Android emulator.
1) Database: A new malware sample is submitted from the
host machine through SSH command. It is stored in the
MongoDB database and managed by a job management
script. Newly submitted job in database is forwarded
to job scheduler under analysis server which schedules
its execution in the emulator. Database is responsible
for storing malware hashes and analysis status for the
sandbox.
2) Analysis Server (or Android Sandbox): It is the most
important component in the architecture which manages
emulator instances, executes individual analysis tasks
including simple interactions (calls, send SMS, etc.), and
Once a new job is submitted in the database, the Android
server creates a temporary job directory, starts emulator,
uploads Frida server to the emulator, and starts calculat-
ing values for dynamic characteristics. After collecting
all defined dynamic characteristics, emulator is rebooted
by the sandbox and captures dynamic characteristics
again and stores it in before reboot and after reboot file
respectively.
3) Android Emulator: It is responsible for emulating the
Android operating system (OS), interfacing with android
server (via telnet console, ADB services and files), and
collecting network traffic (pcap dump). The analysis life
cycle of malware samples is controlled by the sandbox.
Frida server under the Android OS collects API logs
from the apps under test component and uses MobSF
payload to attach to a specific emulator spawned by the
sandbox. It dumps network traffic via telnet console and
simulates the basic phone usage scenario (phone call,
SMS, GPS toggle, web browsing etc.).
In addition to the main components described above, a shared
folder is created on a storage server to store Android malware
samples and dynamic analysis results. It is important to
mention that we were unable to execute some malware samples
from the dataset. We encountered that there was no entry
point in some Android malware samples and some Android
malware samples stopped abruptly. Therefore, there were quite
less number of actual malware samples that we were able to
execute successfully. The total number of malware samples
for each family before and after rebooting the emulator are
shown in Fig. 5.
VI. A NALYSIS AND D ISCUSSION
This section presents major findings and discussion of
results.
 Fig. 4: Architecture used to Dynamically Analyze Android Malware
Fig. 5: Distribution of Malware Samples after Dynamic Anal-
ysis
A. Malware Category and Family Classification
We used ML classifiers to classify malware categories and
families. The results of classification of malware category are
presented in Table I. Apparently, decision tree outperforms
other classifiers by a significant margin. It gives 0.984 for
precision and 0.983 for recall and F1-score. These values of
precision and recall indicate that negligible number of false
positives and false negatives are reported by the classifier.
Further, a deep insight into these values confirm that memory
(heap size, views, heap allocation), API (message digest
update, get device ID), and network (total bytes transmitted
and received) features contribute the most to the classification
process.
For classifying malware families, we observed that random
Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
TABLE I: Comparison of ML Classification
Classifier Precision Recall F1-Score
NB 0.412 0.171 0.138
RF 0.769 0.764 0.759
DT 0.984 0.983 0.983
forest performs better than decision tree. Since the training
data contains 147 malware families, random forest classifier
forms multiple single trees compared to decision trees that
form only single decision tree, random forest turns out to be a
better classifier for malware families. The results of malware
family classification are presented in Fig. 6. We classified 22
Adware, 10 Backdoor, 4 File Infector, 8 PUA, 7 Ransomware,
18 Riskware, 3 Scareware, 37 Trojan, 10 Trojan Banker, 9
Trojan Dropper, 9 Trojan SMS, and 10 Trojan Spy families,
totalling to 147 malware families obtained after dynamically
executing the malware samples. By inspecting the diagonal
values in all the sub-figures of Fig. 6, we observe that majority
of malware families are classified correctly despite having
very less number of samples. However, there is a prominent
observation in Ransomware category, where 50 samples of
congur family are incorrectly classified as slocker family.
B. Entropy-based Behavior Analysis for Malware Categories
To dig deeper into the entropy distribution for malware
categories, we plotted the Shannon entropy against Kernel
Density Estimation (KDE) for different malware categories, as
visualized in Fig. 7. We used KDE because it fits the best into
the type of data in our dataset. On investigating the before
 (a) Adware (b) Trojan

(c) Backdoor (d) File Infector (e) PUA

(f) Ransomware (g) Riskware (h) Scareware

(i) Trojan Banker (j) Trojan Dropper (k) Trojan SMS

(l) Trojan Spy

Fig. 6: Classification of Malware Families under different Malware Categories using Random Forest
Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
reboot and after reboot entropy of malware categories, it is
observed that entropy of every malware category changes after
rebooting the emulator. There are two spikes in entropy values
corresponding to Riskware and Trojan categories as compared
to other malware categories. Entropy density of Trojan Banker
and Trojan Dropper is also higher than the rest of the malware
categories.
Adware samples primarily alter message digest and attempt
to encode and decode base64 format. Based on dynamic
characteristics, Adware samples undergo massive changes in
memory (PssClean, PrivateClean, Views, ViewRootImpl), API
(registerReceiver, digest update, base64 encode and decode,
notify, sessions), network (total transmitted/received pack-
ets/bytes), and logcat features. Backdoor samples access cryp-
tographic keys and update message digest.
File Infector samples retrieve system properties and access
API sessions as two significant activities. PUA samples mainly
communicate with other devices and access shared memory
pages. Ransomware samples attempt to encode and decode
base64 format and share memory pages with other processes.
On diving deeper into Riskware behavior, it is perceived that
significant alterations in memory features (before and after
reboot) attribute to the spiked entropy change in Riskware
samples. Although there are important modifications in API,
network, and logcat features before and after reboot, but these
modifications are too smaller as compared to the difference in
memory features before and after reboot.
Scareware samples try to get system properties and access
API sessions in addition to communication with network
devices. For Trojan samples, the most significant changes are
witnessed in memory (PssClean, ViewRootImpl, AppContexts,
PrivateClean), API (execSQL, openDatabase, loadUrl, regis-
terReceiver, digest, notify, registerContentObserver), network,
and logcat features. To be particular, an average change in
Memory PssClean values after reboot is 373% higher than
before reboot. Overall, it indicates that Trojan samples share
an extremely large number of memory pages across processes,
attempt to access database, and communicate with other de-
vices in the network.
Major entropy changes in Trojan Banker samples are ob-
served due to memory (PssClean, PrivateClean, AppContexts),
API (loadUrl, registerReceiver, handleReceiver, getDeviceId,
getSimSerialNumber, registerContentObserver), network, and
logcat features. Trojan Banker tries to retrieve smartphone’s
device identifier and SIM serial number in addition to commu-
nicating with network devices and accessing shared memory
pages with other processes.
Trojan Dropper’s behavior is impacted by memory (Pss-
Clean, PrivateClean), API (SecretKeySpec, digest, digest up-
date, registerContentObserver, sessions), network, and logcat
features. It is observed that these samples intend to modify
cipher keys, update message digest in API sessions, and
communicate with other devices in the network.
Trojan SMS samples are primarily involved in sending mes-
sages to other devices. There are significantly larger changes
in memory (PssClean, PrivateClean, Views, ViewRootImpl),
Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
API (registerContentObserver, sessions), network and logcat
features. For Trojan Spy, significant alterations are performed
due to memory (PssClean, PrivateClean, Views), API (ses-
sions), network and logcat features.
Overall, it is concluded that memory (PssClean, Private-
Clean), network (total transmitted/received packets/bytes), and
logcat features predominantly change before and after reboot
for all malware categories and contribute to a large number of
behavioral changes in malware samples. We hardly observed
any changes in battery features for all malware categories.
Further, specific malware behavior for each category is also
defined based on changes in before and after a reboot for
dynamic characteristics.
C. Entropy-based Behavior Analysis for Malware Families
After analyzing the behavioral changes for malware cate-
gories, we plotted entropy against KDE for malware families
under each malware category, as shown in Fig. 8. These
plots help to have a deep insight into the entropy distribution
of malware families. For plotting these entropy curves, we
excluded malware families with less than ten samples so that
the curves are representative of identified malware behavior.
Moreover, we analyzed the behavior of prominent malware
families with spiked entropy values. As evident from behavior
analysis of different malware categories, all malware families
communicate with other devices in the network, share memory
pages with other processes, and perform logcat activities.
(1) Adware: Adware malware category has three malware
families highlighted in Fig. 8: appad, mobclick, and adend.
Appad performs multiple functions. It accesses database and
executes SQLite queries, opens files and writes into them,
starts services, registers receiver, and creates threads for in-
terprocess communication, accesses cipher keys and updates
message digest, and gets device ID and verifies from device in-
formation whether a debugger is connected or not. In addition
to all the aforementioned activities, mobclick sends broadcast
messages whilst adend mainly initiates new activities.
(2) Backdoor: Kmin family gets subscriber Id of the device
as its main functionality.
(3) File Infector: Gudex and tachi are the two main
families under File Infector that fetch network country ISO.
Additionally, tachi gets system properties to fetch IP address
of the wifi device while gudex updates message digest and
sends text message.
(4) PUA: Umpay executes database queries. Scamapp opens
URL connections and input files, starts new activities, and gets
network country ISO. Apptrack opens input and output files,
and gets network operator.
(5) Ransomware: There are six major entropy value changes
in koler, lockscreen, congur, masnu, jisut, and slocker families.
Koler loads URLs and adds web interfaces, gets device Id,
SIM serial number and system properties. Lockscreen, congur,
slocker, and jisut obtain system properties and API sessions.
Masnu accesses database and executes queries. Additionally,
it updates message digest and identifies secret key.
 (a) Before Reboot
Fig. 7: Distribution of Entropy for Malware Categories
(6) Riskware: A significant behavior change is observed
in all malware families under this category. Jiagu accesses
wakelock service of the device to keep it awake. Mobilepay
starts new activities and fetches message digest. Smsreg is
one of the largest malware families that primarily executes
database queries. Triada gets SIM serial number and access
cryptographic keys. Wificrack also accesses cipher keys. Dno-
tua updates message digest.
(7) Scareware: It is the smallest category in the dataset
that has least number of malware families. Fakeapp updates
message digest whilst avpass opens up URL connection.
(8) Trojan: Wkload gets device Id, subscriber Id, SIM
operator name, and network operator name. Rootnik starts new
services and gets system properties. Qysly opens file input and
URL connection. Gappusin starts new activities and accesses
message digest. Autoins mainly fetches message digest.
(9) Trojan Banker: Minimob is the only family that un-
dergoes major entropy changes and is involved in starting
new activities and services, and gets installed packages on
the device.
(10) Trojan Dropper: Ramnit initiates a new service while
ztorg executes SQLite queries and opens input files.
(11) Trojan SMS: The entropy of jsmsshider is decreased
a lot after rebooting the emulator. Based on the captured
dynamic values, it sends text messages and accesses wakelock
service of the device to keep it awake.
(12) Trojan Spy: There are two primary families under
Trojan Spy: qqspy and spynote. Qqspy gets system properties
and API sessions whilst spynote spies on country network ISO
and gets system properties as two major activities.
VII. C ONCLUSION AND F UTURE S COPE
Android malware dominates the Internet with massive in-
crease in number of new samples every day. Although there
are notable efforts to analyze these samples to do away
with them, the menace continues. This paper introduced
EntropLyzer, an entropy-based behavioral analysis technique
Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
(b) After Reboot
for classifying Android malware categories and families in
CCCS-CIC-AndMal2020 dataset. We performed dynamic mal-
ware analysis in a virtual environment to extract six classes
of dynamic characteristics including memory, API, network,
logcat, battery, and process. As apparent from the results,
we classified all malware categories with 0.984 precision
and 0.983 recall values from decision tree classifier. Further,
we were successfully able to compute entropy and analyze
behavior of all malware categories and most of the malware
families before and after rebooting the emulator.
However, there are some limitations of this work. Firstly, the
dynamic analysis is performed in an emulator. Some malware
samples are able to detect the emulated environment and
are not executed. Therefore, we obtained lesser number of
malware samples after dynamic analysis as compared to actual
number of malware samples in the dataset. Secondly, since
the number of malware samples were reduced after dynamic
analysis, we skipped the malware families from the behavior
analysis which contain less than ten samples so that entropy
curves are representative of analyzed behavior for that malware
category. To overcome these limitations, dynamic analysis can
be performed on real smartphone devices to analyze more
malware samples.
AVAILABILITY
The source code for Android App dynamic analyzer and list
of extracted features are publicly available in GitHub [20] and
dataset will be made available publicly at [2] after publication
of this work.
ACKNOWLEDGMENT
We thank the Mitacs Globalink Program for providing
the Research Internship (GRI) opportunity and Harrison Mc-
Cain Young Scholar Foundation funds from University of
New Brunswick (UNB) for supporting this project. We also
thank CCCS for sharing the Android apps for CCCS-CIC-
AndMal2020 dataset with us.
 (a) Adware (b) Backdoor

(c) File Infector (d) PUA

(e) Ransomware (f) Riskware

(g) Scareware (h) Trojan

(i) Trojan Banker (j) Trojan Dropper

(k) Trojan SMS (l) Trojan Spy

Fig. 8: Comparison of Entropy for Malware Families before (left) and after (right) reboot

Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
 R EFERENCES [24] Nikola Milosevic, Ali Dehghantanha, and Kim Kwang Raymond Choo,
Machine learning aided Android malware classification, Computers and
[1] Canadian centre for cyber security, 2020, =https://cyber.gc.ca/en/. Electrical Engineering 61 (2017), 266–274.
[2] Cccs-cic-andmal-2020, 2020, =https://www.unb.ca/cic/datasets/andmal [25] Luiz C. Navarro, Alexandre K.W. Navarro, André Grégio, Anderson
2020.html. Rocha, and Ricardo Dahab, Leveraging ontologies and machine-learning
[3] Development of new android malware worldwide from june 2016 to techniques for malware analysis into Android permissions ecosystems,
march 2020, 2020, =https://www.statista.com/statistics/680705/global- Computers & Security 78 (2018), 429–453.
android-malware-volume/statisticContainer. [26] Oluwafemi Olukoya, Lewis Mackenzie, and Inah Omoronyia, Towards
[4] Global smartphone shipments to witness double-digit growth in 2021, using unstructured user input request for malware detection, Computers
2020, =https://www.androidheadlines.com/2020/10/global-smartphone- & Security 93 (2020).
shipments-to-witness-double-digit-growth-in-2021.html. [27] Ori Or-Meir, Nir Nissim, Yuval Elovici, and Lior Rokach, Dynamic
[5] Smartphone market share, 2020, =https://www.idc.com/promo/smartphone- malware analysis in the modern era—A state of the art survey, ACM
market-share/os. Computing Surveys 52 (2019).
[6] Virustotal, 2020, =https://www.virustotal.com/gui/home/upload. [28] Abdurrahman Pektaş and Tankut Acarman, Learning to detect Android
[7] Shahid Alam, Soltan Abed Alharbi, and Serdar Yildirim, Mining nested malware via opcode sequences, Neurocomputing 396 (2020), 599–608.
flow of dominant APIs for detecting android malware, Computer Net- [29] Attia Qamar, Ahmad Karim, and Victor Chang, Mobile malware attacks:
works 167 (2020), 107026. Review, taxonomy & future directions, Future Generation Computer
[8] Mohammed K. Alzaylaee, Suleiman Y. Yerima, and Sakir Sezer, DL- Systems 97 (2019), 887–909.
Droid: Deep learning based android malware detection using real [30] Esmaeel Radkani, Sattar Hashemi, Alireza Keshavarz-Haddad, and
devices, Computers & Security 89 (2020). Maryam Amir Haeri, An entropy-based distance measure for analyzing
[9] Munkhbayar Bat-Erdene, Hyundo Park, Hongzhe Li, Heejo Lee, and and detecting metamorphic malware, Applied Intelligence 48 (2018),
Mahn-Soo Choi, Entropy analysis to classify unknown packing al- 1536–1546.
gorithms for malware detection, International Journal of Information [31] Surendran Roopak, Thomas Tony, and Emmanuel Sabu, Gsdroid: Graph
Security 16 (2017), 227–248. signal based compact feature representation for android malware detec-
[10] Przemysław Bereziński, Bartosz Jasiul, and Marcin Szpyrka, An entropy- tion, Expert Systems with Applications 159 (2020).
based network anomaly detection method, Entropy 17(4) (2015), 2367– [32] Arindaam Roy, Divjeet Singh Jas, Gitanjali Jaggi, and Kapil Sharma,
2408. Android Malware Detection based on Vulnerable Feature Aggregation,
[11] Gerardo Canfora, Francesco Mercaldo, and Corrado Aaron Visaggio, Procedia Computer Science 173 (2020), 345–353.
An hmm and structural entropy based detector for android malware: An [33] Dina Saif, S. M. El-Gokhy, and E. Sallam, Deep Belief Networks-
empirical study, Computers & Security 61 (2016), 1–18. based framework for malware detection in Android systems, Alexandria
[12] Andrea De Lorenzo, Fabio Martinelli, Eric Medvet, Francesco Mercaldo, Engineering Journal 57 (2018), 4049–4057.
and Antonella Santone, Visualizing the outcome of dynamic analysis [34] Claude E. Shannon, A mathematical theory of communication, The Bell
of Android malware with VizMal, Journal of Information Security and System Technical Journal, 27 (1948), 379–423.
Applications 50 (2020). [35] Victor Van Der Veen, Herbert Bos, and Christian Rossow, Dynamic
[13] Ali Feizollah, Nor Badrul Anuar, Rosli Salleh, Guillermo Suarez- Analysis of Android Malware, Internet & Web Technology Master thesis,
Tangil, and Steven Furnell, AndroDialysis: Analysis of Android Intent VU University Amsterdam (2013), 106.
Effectiveness in Malware Detection, Computers & Security 65 (2017), [36] Shanshan Wang, Zhenxiang Chen, Qiben Yan, Ke Ji, Lizhi Peng,
121–134. Bo Yang, and Mauro Conti, Deep and broad URL feature mining for
[14] Hugo Gonzalez, Natalia Stakhanova, and Ali A. Ghorbani, Droidkin: android malware detection, Information Sciences 513 (2020), 600–613.
Lightweight detection of android apps similarity, International Confer- [37] Zhaoguo Wang, Chenglong Li, Zhenlong Yuan, Yi Guan, and Yibo
ence on Security and Privacy in Communication Networks (2014). Xue, DroidChain: A novel Android malware detection method based
[15] Weijie Han, Jingfeng Xue, Yong Wang, Lu Huang, Zixiao Kong, and on behavior chains, Pervasive and Mobile Computing 32 (2016), 3–14.
Limin Mao, MalDAE: Detecting and explaining malware based on [38] Suleiman Y. Yerima, Mohammed K. Alzaylaee, and Sakir Sezer, Ma-
correlation and fusion of static and dynamic characteristics, Computers chine learning-based dynamic analysis of Android apps with improved
& Security 83 (2019), 208–233. code coverage, Eurasip Journal on Information Security 2019 (2019),
[16] hidden3 hidden1, hidden2 and hidden4, Didroid: Android malware clas- 1–24.
sification and characterization using deep image learning, Proceedings [39] Li Zhang, Vrizlynn L.L. Thing, and Yao Cheng, A scalable and exten-
of the 10th International Conference on Communication and Network sible framework for android malware detection and family attribution,
Security, Japan (2020). Computers & Security 80 (2019), 120–133.
[17] Manel Jerbi, Zaineb Chelly Dagdia, Slim Bechikh, Mohamed Makhlouf,
and Lamjed Ben Said, On the use of artificial malicious patterns for
android malware detection, Computers & Security 92 (2020), 17–43.
[18] Abdullah Talha Kabakus and Ibrahim Alper Dogru, An in-depth analysis
of Android malware using hybrid techniques, Digital Investigation 24
(2018), 25–33.
[19] ElMouatez Karbab, Mourad Debbabi, Abdelouahid Derhab, and Djed-
jiga Mouheb, Scalable and robust unsupervised android malware fin-
gerprinting using community-based network partitioning, Computers &
Security 96 (2020), 19–32.
[20] Arash Lashkari, Android dynamic analyser, Dec 2020,
=https://github.com/ahlashkari/backup-AndroidDynamicAnalyser.
[21] Li Li, Jun Gao, Médéric Hurier, Pingfan Kong, Tegawendé F. Bissyandé,
Alexandre Bartel, Jacques Klein, and Yves Le Traon, Androzoo++:
Collecting millions of android apps and their metadata for the research
community, Proceedings of the 13th International Conference on Mining
Software Repositories (2017), 468–471.
[22] Alejandro Martı́n, Vı́ctor Rodrı́guez-Fernández, and David Camacho,
CANDYMAN: Classifying Android malware families by modelling dy-
namic traces with Markov chains, Engineering Applications of Artificial
Intelligence 74 (2018), 121–133.
[23] Timothy McIntosh, Julian Jang-Jaccard, Paul Watters, and Teo Susn-
jak, The inadequacy of entropy-based ransomware detection, Neural
Information Processing, Communications in Computer and Information
Science, Springer, Cham 1143 (2019), 181–189.

Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
 TABLE II: Extracted Dynamic Features
Category Feature
Memory PssTotal, PssClean, SharedDirty, PrivateDirty, SharedClean, PrivateClean, SwapPssDirty, HeapSize,
HeapAlloc, HeapFree, Views, ViewRootImpl, AppContexts, Activities, Assets, AssetManagers,
LocalBinders, ProxyBinders, ParcelMemory, ParcelCount, DeathRecipients, OpenSSLSockets, WebViews
Network TotalReceivedBytes, TotalReceivedPackets, TotalTransmittedBytes, TotalTransmittedPackets
Battery wakelock, service
Logcat verbose, debug, info, warning, error, total
Process total
API Process android.os.Process start, Process android.app.ActivityManager killBackgroundProcesses
Process android.os.Process killProcess
Command java.lang.Runtime exec, Command java.lang.ProcessBuilder start
JavaNativeInterface java.lang.Runtime loadLibrary
JavaNativeInterface java.lang.Runtime load
WebView android.webkit.WebView loadUrl, WebView android.webkit.WebView loadData
WebView android.webkit.WebView loadDataWithBaseURL
WebView android.webkit.WebView addJavascriptInterface
WebView android.webkit.WebView evaluateJavascript, WebView android.webkit.WebView postUrl
WebView android.webkit.WebView postWebMessage, WebView android.webkit.WebView savePassword
WebView android.webkit.WebView setHttpAuthUsernamePassword
WebView android.webkit.WebView getHttpAuthUsernamePassword
WebView android.webkit.WebView setWebContentsDebuggingEnabled, FileIO libcore.io.IoBridge open
FileIO android.content.ContextWrapper openFileInput
FileIO android.content.ContextWrapper openFileOutput
FileIO android.content.ContextWrapper deleteFile
Database android.content.ContextWrapper openOrCreateDatabase
Database android.content.ContextWrapper databaseList
Database android.content.ContextWrapper deleteDatabase
Database android.database.sqlite.SQLiteDatabase execSQL
Database android.database.sqlite.SQLiteDatabase insert
Database android.database.sqlite.SQLiteDatabase deleteDatabase
Database android.database.sqlite.SQLiteDatabase getPath
Database android.database.sqlite.SQLiteDatabase insertOrThrow
Database android.database.sqlite.SQLiteDatabase insertWithOnConflict
Database android.database.sqlite.SQLiteDatabase openDatabase
Database android.database.sqlite.SQLiteDatabase openOrCreateDatabase
Database android.database.sqlite.SQLiteDatabase query
Database android.database.sqlite.SQLiteDatabase queryWithFactory
Database android.database.sqlite.SQLiteDatabase rawQuery
Database android.database.sqlite.SQLiteDatabase rawQueryWithFactory
Database android.database.sqlite.SQLiteDatabase update
Database android.database.sqlite.SQLiteDatabase updateWithOnConflict
Database android.database.sqlite.SQLiteDatabase compileStatement
Database android.database.sqlite.SQLiteDatabase create
IPC android.content.ContextWrapper sendBroadcast
IPC android.content.ContextWrapper sendStickyBroadcast
IPC android.content.ContextWrapper startActivity, IPC android.content.ContextWrapper startService
IPC android.content.ContextWrapper stopService, IPC android.content.ContextWrapper registerReceiver
Binder android.app.ContextImpl registerReceiver, Binder android.app.ActivityThread handleReceiver
Binder android.app.Activity startActivity
Crypto javax.crypto.spec.SecretKeySpec init, Crypto javax.crypto.Cipher doFinal
Crypto-Hash java.security.MessageDigest digest, Crypto-Hash java.security.MessageDigest update
DeviceInfo android.net.wifi.WifiInfo getBSSID, DeviceInfo android.net.wifi.WifiInfo getIpAddress
DeviceInfo android.net.wifi.WifiInfo getNetworkId
Continued on next page

Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.
 TABLE II – continued from previous page
Category Feature
DeviceInfo android.telephony.TelephonyManager getSimCountryIso
DeviceInfo android.telephony.TelephonyManager getSimSerialNumber
DeviceInfo android.telephony.TelephonyManager getNetworkCountryIso
DeviceInfo android.telephony.TelephonyManager getDeviceSoftwareVersion
DeviceInfo android.os.Debug isDebuggerConnected
DeviceInfo android.content.pm.PackageManager getInstallerPackageName
DeviceInfo android.content.pm.PackageManager getInstalledApplications
DeviceInfo android.content.pm.PackageManager getInstalledModules
DeviceInfo android.content.pm.PackageManager getInstalledPackages
Network java.net.URL openConnection, Network org.apache.http.impl.client.AbstractHttpClient execute
Network com.android.okhttp.internal.huc.HttpURLConnectionImpl getInputStream
Network com.android.okhttp.internal.http.HttpURLConnectionImpl getInputStream
DexClassLoader dalvik.system.BaseDexClassLoader findResource
DexClassLoader dalvik.system.BaseDexClassLoader findResources
DexClassLoader dalvik.system.BaseDexClassLoader findLibrary
DexClassLoader dalvik.system.DexFile loadDex, DexClassLoader dalvik.system.DexFile loadClass
DexClassLoader dalvik.system.DexClassLoader init
Base64 android.util.Base64 decode, Base64 android.util.Base64 encode
Base64 android.util.Base64 encodeToString
SystemManager android.app.ApplicationPackageManager setComponentEnabledSetting
SystemManager android.app.NotificationManager notify
SystemManager android.telephony.TelephonyManager listen
SystemManager android.content.BroadcastReceiver abortBroadcast
SMS android.telephony.SmsManager sendTextMessage
SMS android.telephony.SmsManager sendMultipartTextMessage
DeviceData android.content.ContentResolver query
DeviceData android.content.ContentResolver registerContentObserver
DeviceData android.content.ContentResolver insert, DeviceData android.content.ContentResolver delete
DeviceData android.accounts.AccountManager getAccountsByType
DeviceData android.accounts.AccountManager getAccounts
DeviceData android.location.Location getLatitude, DeviceData android.location.Location getLongitude
DeviceData android.media.AudioRecord startRecording
DeviceData android.media.MediaRecorder start, DeviceData android.os.SystemProperties get
DeviceData android.app.ApplicationPackageManager getInstalledPackages
sessions

Authorized licensed use limited to: BOURNEMOUTH UNIVERSITY. Downloaded on June 30,2021 at 10:18:35 UTC from IEEE Xplore. Restrictions apply.