Concerning the constrained resources and low detection rate of Android, a software behavior dynamic monitoring framework based on ROM was constructed by considering behavior characteristics of Android in installation mode, trigger mode and malicious load, and the effectivenesses of Support Vector Machine (SVM), decision tree, k-Nearest Neighbor (KNN) and Naive Bayesian (NB) classifier were evaluated using information gain, chi square test and Fisher Score. The results of evaluation on overall classification of the behavior log of 20916 malicious samples and 17086 normal samples show that SVM has the best performance in the detection of malicious software, its accuracy rate can reach 93%, and the False Positive Rate (FPR) is less than 2%. It can be applied to the online cloud analysis environment and detection platform, as well as meeting the needs of mass sample processing.