Android users are now suffering serious threats from unwanted behaviors of various apps. The analysis of apps’ audit logs is one of the critical methods for device manufacturers to unveil the underlying malice of apps. We propose and implement DroidHolmes, a novel system that recovers contextual information of app behaviors around limited-quantity audit logs. The key module of DroidHolmes is identifying the path matched with logs on the app’s control-flow graph (CFG). The challenge, however, is that the limited-quantity logs may incur high computational complexity in the log matching, where there are a large number of candidates caused by the coupling relation in matching successive logs. To address the challenge, we propose a divide and conquer algorithm to individually position each node on the CFG matched with logs. In our experiments, DroidHolmes recovers the contextual information in the behaviors of real-world apps. Meanwhile, DroidHolmes incurs negligible performance overhead on smartphones.