Disclosed is an android malicious code detection device and method based on dynamic activation and behavior monitoring. According to the device, behaviors of a cellphone terminal automatically installing and starting an application to be detected and automatically activating the application are controlled; meanwhile, during the whole running process of the application, information of the cellphone terminal, such as file access, short message sending, network connection, traffic, system resource usage and hardware resource access, is monitored in real time, malicious behaviors of malicious codes are detected, a detection report is generated and provided for a user, and behaviors of the application under detection are dynamically detected. The device comprises an application behavior dynamic activation module, an application behavior real-time monitoring module and a detection result analysis module. The device and the method have the innovative advantages that all control and interface operations are achieved for the application by a software interaction technology, all application behaviors are dynamically activated, all-function automatic monitoring and detection is achieved for the application on the premise of finishing self-functions, and detection can be comprehensive and complete.