System and method for aggregated machine learning on indicators of compromise on mobile devices
Abstract:
A system identifies whether a mobile device is compromised. The system includes mobile devices, a communication network, and a server. Each mobile device includes a processor, a power supply, and a network interface. The processor executes an operating system and applications, including a monitor application. The power supply indicates the power consumed by the mobile device while executing the operating system and the applications. The network interface transfers information to and from the mobile device via the communication network. This transferred information includes logs securely collected by the monitor application. The logs can include a log of the system calls, a log of the power consumed, and a log of network activity. The server receives the logs from the mobile devices and generates a correlation among the logs, and the server identifies at least one mobile device that is an outlier in the correlation as a compromised mobile device.
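One way a server could carry out the correlation-and-outlier step described in the abstract, as an added example that is not taken from the patent: it fits a fleet-wide least-squares relation of power draw to system-call and network volume, then flags devices whose residual lies far from the fleet median. The aggregate fields, the sample values, `threshold` and `min_scale` are assumptions; the abstract does not specify a statistical method.

```python
from statistics import median

# Constructed per-device hourly aggregates (not real data):
# (device id, syscalls in thousands, network MB, mean power draw in mW)
FLEET = [
    ("dev-01", 20, 5, 282), ("dev-02", 30, 15, 419), ("dev-03", 40, 10, 411),
    ("dev-04", 50, 25, 598), ("dev-05", 60, 5, 440), ("dev-06", 70, 20, 632),
    ("dev-07", 80, 15, 619), ("dev-08", 90, 30, 811), ("dev-09", 100, 10, 648),
    ("dev-10", 60, 15, 840),  # ordinary activity, abnormal power draw
]


def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]


def flag_outliers(fleet, threshold=3.5, min_scale=20.0):
    """Return ids of devices whose power draw breaks the fleet-wide relation.

    threshold is a robust z-score cut-off; min_scale (mW) is an assumed floor
    so that a very tight fleet does not turn measurement noise into alerts.
    """
    rows = [(1.0, sys_k, net_mb) for _, sys_k, net_mb, _ in fleet]
    power = [p for *_, p in fleet]
    # Normal equations (X^T X) beta = X^T y for power ~ 1 + syscalls + network.
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    xty = [sum(r[i] * v for r, v in zip(rows, power)) for i in range(3)]
    beta = solve(xtx, xty)
    resid = [v - sum(b * x for b, x in zip(beta, r)) for r, v in zip(rows, power)]
    # Median/MAD scoring keeps one compromised device from hiding itself
    # by inflating the fleet's own spread estimate.
    med = median(resid)
    mad = median(abs(e - med) for e in resid)
    scale = max(1.4826 * mad, min_scale)
    return [d[0] for d, e in zip(fleet, resid) if abs(e - med) / scale > threshold]
```

On the constructed fleet, only the device whose power draw is out of line with its logged system-call and network activity is returned.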