We suggest a collaborative approach for revealing malicious behaviors on Android smartphones by which monitoring four observable parts: (i) network usages (ii) network connections, (iii) APIs and (iv) permissions. Therefore, we have designed a detection system which consists of four engines: network behavior analysis engine, host domain reputation analysis engine, critical API call pattern analysis engine, and Android permissions use analysis engine. Each of them monitors its specific part from Android apps and independently detects malicious behavior and, given the information from four engines, the correlator determines a final decision. Finally, to show efficiency, we have evaluated our system with real world 1,621 apps. (C) 2017 John Wiley & Sons, Ltd.