top of page

How I Learned To Stop Worrying And Love Android Malware

Hello everyone,

I am Nitin yadav(KD) back again with another write-up

What is a Malware?

Malware is a type of malware that can harm your computer or mobile device. Malware can come in many forms, including viruses, trojans, worms, and spyware.

Malware can do a variety of bad things to your computer, including altering your computer’s settings, stealing your data, and slowing down your computer.

Malware can also spread through your computer networks, infecting other computers.

Malware can also infect your mobile device, including your phone, tablet, or laptop.

Malware can steal your data, send you unwanted messages, and even take over your mobile device.

There are many different types of Malware

What is Malware analysis?

Malware analysis is the process of studying the behavior of malware and understanding how it works.

This information can be used to help protect systems from malware and to identify and track malicious actors.

One of the first steps in malware analysis is understanding the malware itself.

Malware can be small, executable files that perform a specific task, or it can be a program that installs other programs on a system.

Once the malware is understood, analysis begins by looking at its behavior.

This includes studying the ways in which the malware infects systems,

how it communicates with its command and control (C&C) servers,

and what kind of data it collects.

Malware Analysis Tool


It s a Python tool for analyzing Android applications (APKs) for potential malware-related behavior and configurations.

When provided with a path to an application (APK file) Droid Detective will make a prediction (using its ML model) if the application is malicious.

Features and qualities of Droid Detective include:

  • Analyzing which of ~330 permissions are specified in the application's AndroidManifest.xml file.

  • Analyzing the number of standard and proprietary permissions in use in the application's AndroidManifest.xml file.

  • Using a RandomForest machine learning classifier, trained off the above data, from ~14 malware families and ~100 Google Play Store applications.

Installation of the tool

This Section will show you how to install the tool in your system

  • First of all, you need to download the tool from here

  • Now the dependencies can be installed manually or via the requirements file

It has been tested on

  • Windows 10

  • Ubuntu 18.0 LTS

How to use the tool

DroidDetective can be run by providing the Python file with an APK as a command line parameter

If an apk_malware.model file is not present, then the tooling will first train the model and will require a training set of APKs in both a folder at the root of the project called malware and another called normal.

Once run successfully a result will be printed onto the CLI on if the model has identified the APK to be malicious or benign.

As shown below:

An additional parameter can be provided to as a JSON file to save the results to. If this JSON file already exists the results of this run will be appended to the JSON file.

An example of this output Json is as follows:

Data Science | The ML Model

DroidDetective is a Python tool for analyzing Android applications (APKs) for potential malware-related behavior.

This works by training a Random Forest classifier on information derived from both known malware APKs and standard APKs available on the Android app store.

This tooling comes pre-trained, however, the model can be re-trained on a new dataset at any time.

This model currently uses permissions from an APKs AndroidManifest.xml file as a feature set.

his works by creating a dictionary of each standard Android permission and setting the feature to 1 if the permission is present in the APK.

Similarly, a feature is added for the number of permissions in use in the manifest and for the number of unidentified permissions found in the manifest.

The pre-trained model was trained off approximately 14 malware families (each with one or more APK files), located from ashisdb's repository, and approximately 100 normal applications located in the Google Play Store.


Malware analysis is a necessary part of cybersecurity, but it can be a complex and time-consuming process.

This tool makes malware analysis a bit easy.

Hopefully, this post has given you some insight into analyzing android applications for malware.

I highly recommend DroidDetective if you're looking to get started in this area,

I hope the above article has been interesting and I would like to encourage our reader to further explore the tool.

If you like the blog please comment down below😊

I see you next time :)

Take care and stay safe!

242 views0 comments