Privacy theft malware has become a serious and challenging problem to cyber security. Previous methods are of different categories: one focuses on the outbound network traffic and the other one dives into the inside information flow of the program. We incorporate dynamic behavior analysis with network traffic analysis and present an abstract model called Privacy Petri Net (PPN), which is more applicable to various kinds of malware and more understandable to users. In consideration of the multi-process technique adopted by new malware, we also model the collaborative behaviors between different malicious functionality modules with PPN. We apply our approach to real-world malware, and the experiment result shows that our approach can effectively find categories, content, source, and destination of the privacy theft behavior of the malware sample. Copyright © 2013 John Wiley & Sons, Ltd.