Smartphone platforms are becoming increasingly complex, which gives rise to software vulnerabilities that are difficult to identify and that might allow malware developers to gain unauthorized privileges through technical exploitation. However, we maintain that these types of attacks indirectly produce a number of unexpected behaviors in the system that can be profiled. In this work we present CoME, an anomaly-based methodology aimed at detecting software exploitation in Android systems. CoME models the normal behavior of a given software component or service and is capable of identifying any unanticipated behavior. To this end, we first monitor the normal operation of a given exploitable component through lightweight virtual introspection. Then, we use a multivariate analysis approach to estimate the normality model and detect anomalies. We evaluate our system against one of the most critical vulnerable and widely exploited services in Android, i.e., the mediaserver. Results show that our approach can not only provide a meaningful explanation of the discriminant features of illegitimate activities, but can also be used to accurately detect malicious software exploitation at runtime.