Securing a mobile device against malware may include an analysis of events executing on the mobile device to detect and identify unexpected behaviors and events, and further determining whether these unexpected behaviors and events are authorized or unauthorized. Specific runtime events may be compared to patterns of expected user input/interaction on the mobile device, or generalized background behavior patterns occurring without user input/interaction, to determine whether events are expected or unexpected, and/or to determine whether events are authorized or potentially malicious. Examples of unexpected and potentially malicious events on mobile devices, particularly when they occur without specific user interaction, may include making phone calls, accessing or making changes to the contacts/phone book, accessing user habits such as browser settings/history and other communication logs, accessing files, accessing the camera and audio, and so forth.