A malicious Android application often consists of a benign part, which is the body of the application, and a malicious part that is added later by repackaging. Fast and efficient analysis of Android malware depends on the analyst's ability to quickly locate malicious code and obtain a clear representation of it. To do this, the analysis tools must allow the suspicious code to be quickly located and isolated from the rest of the application. In this article, we first synthesize recent work from the literature and revisit older research in order to highlight the discriminating characteristics of malicious code. Then, we propose a heuristic to reveal the suspicious methods of an Android application by static analysis. Finally, we discuss an algorithm to recover the malicious graft. This graft should contain the methods considered suspicious as well as the code calling these suspicious methods.