CopperDroid represents our initial research effort to automatically perform out-of-the-box dynamic behavioral analysis of Android malware (and apps in general). The novelty of CopperDroid lies in its agnostic approach to identifying interesting OS- and high-level Android-specific behaviors. It reconstructs these behaviors by observing and dissecting system calls and, therefore, is resistant to the multitude of alterations the Android runtime is subjected to over its life-cycle. CopperDroid automatically and accurately reconstructs events of interest that describe not only well-known process-OS interactions (e.g., file and process creation), but also complex intra- and inter-process communications (e.g., SMS reception), whose semantics are typically contextualized through complex Android objects. Because CopperDroid's reconstruction mechanisms are agnostic to the underlying action invocation methods, it is able to capture actions initiated both from Java and native code execution. CopperDroid's analysis generates detailed behavioral profiles that abstract a large stream of low-level, often uninteresting, events into concise, high-level semantics, which are well-suited to provide insightful behavioral traits and open the possibility to further research directions. We carried out an extensive evaluation to assess the capabilities and performance of CopperDroid on more than 2,900 Android malware samples. Our experiments show that CopperDroid faithfully reconstructs OS- and Android-specific behaviors. Additionally, we demonstrate how CopperDroid can be leveraged to disclose additional behaviors through the use of a simple, yet effective, app stimulation technique. Using this technique, we successfully triggered and disclosed additional behaviors on more than 60% of the analyzed malware samples. This qualitatively demonstrates the versatility of CopperDroid's ability to improve dynamic-based code coverage.

The initial implementation of CopperDroid, described in our EuroSec 2012 paper, was developed in collaboration with the Security Lab of the University of Milan.


  • Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, and Lorenzo Cavallaro. "CopperDroid: Automatic Reconstruction of Android Malware Behaviors." 22nd Annual Network and Distributed System Security Symposium (NDSS 2015), San Diego, California, USA, February 8-11, 2015 (to appear).
  • Alessandro Reina, Aristide Fattori, and Lorenzo Cavallaro. "A System Call-Centric Analysis and Stimulation Technique to Automatically Reconstruct Android Malware Behaviors." In the Proceedings of the 6th European Workshop on Systems Security (EuroSec), Prague, Czech Republic, April 14, 2013.

For more information, bug reports, and whatnot you can contact us at:

GPG key here (Fingerprint: 0E79 B01A 4133 1C7D 0E46 F847 9F14 7B25 FC14 BC05)

By submitting an Android .apk sample to our system, you automatically grant us the right to use that sample for our present and future research activities.

Please note that reports are produced in the hope they will be useful, but WITHOUT any warranty about their accuracy and completeness.


We would like to thank Lorenzo Flore and Mauro Matteo Cascella for their support of the project.

Royal Holloway University of London