Android is a very attractive platform for malware developers because it is widely used. There is a need to understand how malware works and how it can exploit a system's security architecture. To do so, this work decompiles Android malware applications to study their source code and to look for patterns, regarding instructions, method calls, and permission usage. The goal is to define a set of instruction-based signatures that identify dangerous behavior and to use the identified signatures as a base for developing tools for code analysis.