It will steal it in the course of the user entering the password or when the password is still in RAM.
There is no way for malware to steal a password which is not in the phone's memory (or in some file).
It depends. Depends on how your system is designed, certain are cached beyond the short-lived timespan in your RAM. RAM access in OS differs and some are not overwritten properly after use. AES is good encryption, DES isn't, so that has to be taken into account as well.
Regardless, that would still be a risky assumption to make. Unencrypting the wallet file and any processes that take place should be accounted for.
It has happened before, and I have no doubt that it would happen again.
In regard to entropy, yeah, when this term is applied to a password it's just a reflection of the quantity of attempts needed for successful brute-forcing.
Not exactly. Entropy is often misconstrued when talking about the complexity of passwords. It's a term used to measure randomness. This can be flawed when taking into account password dumps, rainbow tables, common password structures, etc.
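
Added example, not part of the original posts: a charset-based entropy estimate next to a structure-aware one, showing how far the first overstates strength for a password built on a common base word. The wordlist, the substitution table and the guessing model are constructed, simplified assumptions.

```python
import math
import string

# Constructed stand-in for a leaked-password wordlist (real dumps hold millions of entries).
COMMON_BASES = {"password", "qwerty", "letmein", "dragon", "monkey", "iloveyou"}
LEET = str.maketrans("@4301$5", "aaeoiss")   # undo common character substitutions
TAIL = string.digits + string.punctuation    # characters typically appended at the end


def naive_entropy_bits(pw: str) -> float:
    """Charset-based estimate: length * log2(pool). Assumes every character is random."""
    if not pw:
        return 0.0
    pool = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation):
        if any(c in chars for c in pw):
            pool += len(chars)
    # Assumption: treat input with no ASCII class (e.g. all non-ASCII) as a 256-symbol pool.
    return len(pw) * math.log2(pool or 256)


def structure_aware_bits(pw: str, wordlist=COMMON_BASES) -> float:
    """Simplified guessing model: wordlist base + case toggle + substitutions + short tail."""
    base = pw.rstrip(TAIL)                    # drop appended digits/symbols
    tail_len = len(pw) - len(base)
    word = base.lower().translate(LEET)       # normalise case and substitutions
    if word not in wordlist:
        return naive_entropy_bits(pw)         # no known structure found
    subs = sum(c in "aeois" for c in word)    # positions that could be substituted
    guesses = len(wordlist) * 2 * 2 ** subs * len(TAIL) ** tail_len
    return min(math.log2(guesses), naive_entropy_bits(pw))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "kT9#vQ2m$Lx7"):
        print(f"{pw!r}: naive={naive_entropy_bits(pw):.1f} bits, "
              f"structure-aware={structure_aware_bits(pw):.1f} bits")
```

With a realistic wordlist the structure-aware figure rises by a few bits, but it stays far below the charset estimate for any password that follows a known pattern.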