A computer-implement method of detecting malware apps includes receiving a sample app for a mobile operating system. The sample app is executed in an emulator of the mobile operating system. The behavior of the sample app in the emulator is monitored to collect a string that the sample app uses to detect whether or not a target app is running in a foreground of the emulator. A bait app, which is generated using the collected string, is switched to run in the foreground. The sample app is deemed to be a malware app when the sample app instead of the bait app is running in the foreground.