A trained classifier is received from a server. Static analysis is performed on a mobile application to generate a vector storing values representing the number of times the mobile application calls functions from each of multiple namespaces, and an indication of the permissions the mobile application requests. The received trained classifier is then applied to the generated vector to identify whether the mobile application contains malware. Based on the output of the trained classifier, a security policy is applied.