
Static and dynamic security analysis of apps for mobile devices

Patent number
US10867041B2
Publication date
2020-12-15
Applicant
Palo Alto Networks, Inc. (US CA Santa Clara)
Inventors
Zhi Xu; Xinran Wang; Huagang Xie
IPC classification
G06F21/56
Technical field
apk,malicious,analysis,malware,static,appliance,game.apk,in,engine,dynamic
Region: CA CA Santa Clara

Abstract

Techniques for performing static and dynamic analysis on a mobile device application are disclosed. Static analysis is performed on a mobile device application using a static analysis engine. A set of static analysis results is generated. Dynamic analysis of the application is selectively customized based at least in part on a presence of a permission in the set of static analysis results. Dynamic analysis is performed using a dynamic analysis engine. A determination of whether the application is malicious is made based at least in part on the dynamic analysis.

Description

As will be described in more detail below, system 300 is configured to perform a hybrid, two-part analysis on mobile device applications. First, static analysis is performed, in part to check the capabilities of the application (e.g., its potential avenues for being malicious). Then, dynamic analysis is performed to check whether the application actually uses the capabilities maliciously. The hybrid approach helps improve the accuracy of mobile malware detection, while lowering the false positive rate of mislabeling benign application files as malware (e.g., due to harmless but poor programming techniques on the part of the application's author). A final verdict pertinent to the application can be made based on both the application's content (e.g., where the application includes a URL verified to be a malicious website), and on the context in which it behaves (e.g., whether the usage of a suspicious capability is made known to an end user or is performed silently in the background).

In various embodiments, system 300 makes use of lists, databases, or other collections of known safe content and/or known bad content (collectively shown in FIG. 3 as collection 314). Collection 314 can be obtained in a variety of ways, including via a subscription service (e.g., provided by a third party) and/or as a result of other processing (e.g., performed by data appliance 102 and/or service 122). Examples of information included in collection 314 are: URLs of known malicious websites; URLs of known safe websites; signatures, hashes, and/or other identifiers of known malicious applications; signatures, hashes, and/or other identifiers of known safe applications; and signatures, hashes, and/or other identifiers of known malicious files (e.g., Android exploit files).
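A minimal sketch of the two-stage flow described above, added here as an illustration and not taken from the patent: static results (declared permissions, known-bad URL hits) decide which dynamic monitors run, and the verdict combines content and context. The monitor names, the silent-use rule, and the sample manifest and URLs are constructed assumptions, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical mapping: permission seen in static results -> sandbox monitor to enable.
MONITORS = {
    "android.permission.SEND_SMS": "sms_send_monitor",
    "android.permission.READ_CONTACTS": "contacts_read_monitor",
    "android.permission.INTERNET": "network_capture",
}
# Hypothetical set of monitors whose capability is suspicious when used silently.
SENSITIVE = {"sms_send_monitor", "contacts_read_monitor"}

# Constructed stand-in for the known-bad URL part of collection 314.
KNOWN_BAD_URLS = {"http://bad.example/c2"}

# Constructed sample manifest (decoded text form).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def static_analysis(manifest_xml, embedded_urls):
    """Return static results: declared permissions and known-bad URL hits."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)  # ignore malformed entries without a name attribute
    return {"permissions": perms,
            "bad_urls": set(embedded_urls) & KNOWN_BAD_URLS}


def plan_dynamic(static_results):
    """Enable only the monitors whose permission is present in the static results."""
    perms = static_results["permissions"]
    return sorted(MONITORS[p] for p in perms if p in MONITORS)


def verdict(static_results, events):
    """events: (monitor, user_initiated) pairs reported by the sandbox run."""
    if static_results["bad_urls"]:
        return "malicious"  # content: app embeds a URL listed as malicious
    silent = [m for m, user_initiated in events
              if m in SENSITIVE and not user_initiated]
    return "malicious" if silent else "benign"  # context: silent sensitive use
```
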

Ingestion

Claims

1