Computing device to detect malware

US9832211B2 · US · B2

Patent metadata
Publication number: US-9832211-B2
Application number: US-201213424251-A
Country: US
Kind code: B2
Filing date: Mar 19, 2012
Priority date: Mar 19, 2012
Publication date: Nov 28, 2017
Grant date: Nov 28, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware.

First claim

Opening claim text (preview).

What is claimed is:

1. A mobile computing device comprising: a processor configured with processor-executable instructions to: monitor a plurality of applications operating on the mobile computing device; log actions of the monitored applications in a log of actions; generate answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query; generate a vector information structure for each application in the plurality of applications based on the generated answers, wherein: each generated vector information structure includes a plurality of numerical values; at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application; at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and use a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.

2. The mobile computing device of claim 1, wherein the processor is further configured with processor-executable instructions to: restrict an application from usage in response to determining that the behavior characterized by the vector information structure associated with the application is not benign.

3. The mobile computing device of claim 1, wherein the processor is configured with processor-executable instructions to perform operations such that generating answers to queries regarding the actions stored in the log of actions includes: generating at least one answer to an existence query, an amount query, or an order query.

4. The mobile computing device of claim 3, wherein the processor is configured with processor-executable instructions to perform operations such that generating answers to queries regarding the actions stored in the log of actions further comprises: generating at least one answer to: a query regarding an observed behavior; and a query regarding an expected behavior.

5. The mobile computing device of claim 1, wherein the processor is further configured with processor-executable instructions to analyze device-independent actions.

6. The mobile computing device of claim 1, wherein the processor is further configured with processor-executable instructions to analyze device-dependent actions.

7. The mobile computing device of claim 6, wherein the processor is configured with processor-executable instructions to perform operations such that analyzing the device-dependent actions comprises analyzing a combination of: application installation information; device information; communications information; and user interaction information.

8. A method of analyzing a plurality of applications operating on a mobile computing device, the method comprising: monitoring the plurality of applications operating on the mobile computing device via a processor of the mobile computing device; logging actions of the monitored applications in a log of actions via the processor of the mobile computing device; generating answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query; generating, by the processor, a vector information structure for each application in the plurality of applications based on the generated answers, wherein: each generated vector information structure includes a plurality of numerical values; at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application; at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and using by the processor a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.

9. The method of claim 8, further comprising restricting an application from usage in response to determining that the behavior characterized by the vector information structure associated with the application is not benign.

10. The method of claim 8, wherein generating answers to queries regarding the actions stored in the log of actions includes: generating at least one answer to an existence query, an amount query, or an order query.

11. The method of claim 10, wherein generating answers to queries regarding the actions stored in the log of actions further comprises: generating at least one answer to: a query regarding an observed behavior; and a query regarding an expected behavior.

12. The method of claim 8, further comprising analyzing device-independent actions.

13. The method of claim 8, further comprising analyzing device-dependent actions.

14. The method of claim 13, wherein analyzing the device-dependent actions further comprises analyzing a combination of: application installation information; device information; communications information; and user interaction information.

15. A non-transitory computer-readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a mobile computing device to perform operations comprising: monitoring a plurality of applications operating on the mobile computing device; logging actions of the monitored applications in a log of actions; generating answers to queries regarding the actions stored in the log of actions, the answers including an answer to a category query; generating a vector information structure for each application in the plurality of applications based on the generated answers, wherein: each generated vector information structure includes a plurality of numerical values; at least one numerical value in the plurality of numerical values identifies a number of occurrences of an action by an application; at least one numerical value in the plurality of numerical values indicates a category for the application based on the answer to the category query; and the plurality of numerical values in each generated vector information structure collectively characterize a behavior of one application in the plurality of applications; and using a machine learning classifier to determine whether the behavior characterized by each vector information structure is benign based on the plurality of numerical values.

16. The non-transitory computer-readable storage medium of claim 15, wherein the stored processor-executable software instructions are configured to cause a processor of the mobile computing device to perform operations further comprising: restricting an application from usage in response to determining that the behavior characterized by the vector information structure associated with the application is not benign.

17. The non-transitory computer-readable storage medium of claim 15, wherein the stored processor-executable software instructions are configured to cause a processor of the mobile computing device to perform operations such that includes: generating at least one answer to an existence query, an amount query, or an
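The pipeline that the abstract and claims 1 to 4 describe (log each application's actions, answer existence, amount, order, category and observed-versus-expected queries over that log, assemble the answers into a numerical behavior vector per application, hand the vector to a trained classifier, and restrict the application when the verdict is not benign) as an added worked example in Python. This is not the patent's code and the patent specifies no particular classifier; the action names, the category list, the expected-behaviour profiles, the feature layout, the training vectors and the nearest-centroid classifier are all constructed here for illustration.

```python
"""Behavior-vector malware classification in the style of US9832211B2.

Added example, not the patent's own code. The log, categories, expected
behaviour profiles, feature layout and training data are all constructed.
"""
from collections import defaultdict

# Constructed action log: (app, action), in the order the actions were observed.
LOG = [
    ("weather", "network_send"), ("weather", "read_location"),
    ("weather", "network_send"),
    ("notes", "read_storage"), ("notes", "write_storage"),
    ("flashlight", "read_contacts"), ("flashlight", "read_sms"),
    ("flashlight", "network_send"), ("flashlight", "network_send"),
    ("flashlight", "network_send"), ("flashlight", "send_sms"),
    ("flashlight", "send_sms"),
]

# Constructed application-installation information (claim 7) answering the
# category query; the numerical value in the vector is the index into CATEGORIES.
CATEGORIES = ["utility", "weather", "productivity", "game"]
APP_CATEGORY = {"weather": "weather", "notes": "productivity", "flashlight": "utility"}

# Constructed expected-behaviour profile per category (claim 4's "expected
# behavior" query): actions an app of that category is expected to perform.
EXPECTED = {
    "weather": {"network_send", "read_location"},
    "productivity": {"read_storage", "write_storage"},
    "utility": {"read_storage"},
    "game": {"network_send", "write_storage"},
}


def actions_of(log, app):
    """Actions of one application, in observed order."""
    return [action for a, action in log if a == app]


# --- answers to the query types named in claims 1, 3 and 4 --------------------
def existence_query(actions, action):
    return 1 if action in actions else 0


def amount_query(actions, action):
    return actions.count(action)


def order_query(actions, first, second):
    """1 if `first` was observed before the first occurrence of `second`."""
    if first not in actions or second not in actions:
        return 0
    return 1 if actions.index(first) < actions.index(second) else 0


def category_query(app):
    return CATEGORIES.index(APP_CATEGORY.get(app, "utility"))


def unexpected_query(actions, app):
    """Observed actions outside the expected profile for the app's category."""
    expected = EXPECTED[APP_CATEGORY.get(app, "utility")]
    return sum(1 for a in actions if a not in expected)


FEATURES = ["has_send_sms", "n_network_send", "n_read_contacts",
            "contacts_before_network", "category", "n_unexpected"]


def behavior_vector(log, app):
    """The per-application vector of numerical values (claim 1)."""
    acts = actions_of(log, app)
    return [existence_query(acts, "send_sms"),
            amount_query(acts, "network_send"),
            amount_query(acts, "read_contacts"),
            order_query(acts, "read_contacts", "network_send"),
            category_query(app),
            unexpected_query(acts, app)]


class NearestCentroid:
    """Minimal trained classifier: scale each feature by its training maximum,
    then label a vector by the nearest class centroid (Euclidean distance)."""

    def fit(self, vectors, labels):
        dims = len(vectors[0])
        self.scale = [max(max(v[d] for v in vectors), 1) for d in range(dims)]
        sums, counts = defaultdict(lambda: [0.0] * dims), defaultdict(int)
        for v, y in zip(vectors, labels):
            counts[y] += 1
            for d in range(dims):
                sums[y][d] += v[d] / self.scale[d]
        self.centroids = {y: [s / counts[y] for s in sums[y]] for y in sums}
        return self

    def predict(self, v):
        x = [v[d] / self.scale[d] for d in range(len(v))]
        return min(self.centroids, key=lambda y: sum(
            (a - b) ** 2 for a, b in zip(x, self.centroids[y])))


# Constructed labelled training vectors in the FEATURES layout.
TRAIN = [([0, 2, 0, 0, 1, 0], "benign"), ([0, 0, 0, 0, 2, 0], "benign"),
         ([0, 5, 0, 0, 3, 0], "benign"), ([0, 1, 1, 0, 2, 1], "benign"),
         ([1, 3, 1, 1, 0, 5], "malware"), ([1, 8, 2, 1, 3, 9], "malware"),
         ([0, 4, 1, 1, 0, 4], "malware")]
CLASSIFIER = NearestCentroid().fit([v for v, _ in TRAIN], [y for _, y in TRAIN])
APPS = sorted({a for a, _ in LOG})


def classify_all(log, apps, clf):
    """Vector and verdict per app; restrict when not benign (claims 2, 9, 16)."""
    out = {}
    for app in apps:
        v = behavior_vector(log, app)
        label = clf.predict(v)
        out[app] = {"vector": v, "label": label,
                    "action": "allow" if label == "benign" else "restrict"}
    return out


if __name__ == "__main__":
    for app, r in classify_all(LOG, APPS, CLASSIFIER).items():
        print(f"{app:10s} {dict(zip(FEATURES, r['vector']))} -> {r['label']}, {r['action']}")
```

Two caveats a practitioner would attach. The category value is fed to the classifier as an ordinal index only to keep the example short; with a distance-based classifier a one-hot encoding is the sound choice, since "weather" is not numerically closer to "utility" than "game" is. And the observed-versus-expected feature is only as trustworthy as the installation information it reads the category from, which the application's author, not the device, supplies.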

Assignees

Inventors

Classifications

  • Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

  • G06F21/552 (primary): involving long-term monitoring or reporting · CPC title

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • involving event detection and direct action · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9832211B2 cover?
Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classif…
Who is the assignee on this patent?
Hsiao Hsu-Chun, Deng Shuo, Salamat Babak, and 3 more
What technology area does this patent fall under?
Primary CPC classification G06F21/552. Mapped technology areas include Physics.
When was this patent published?
Publication date Nov 28, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).