How do we know a program does what it claims to do? In this talk I will present CHABADA, our technique to detect suspicious behavior in Android apps. After clustering Android apps by their description topics, we identify outliers in each cluster with respect to their API usage. A “weather” app that sends messages thus becomes an anomaly; likewise, a “messaging” app would typically not be expected to access the current location. Applied on a set of 22,500+ Android applications, CHABADA identified several anomalies; additionally, it flagged over 70% of novel malware as such, without requiring any training on known malware patterns.