The invention discloses a kernel level rootkit detection method in an Andriod system, comprising the following steps of statically obtaining an address and a table entry of a system call table; entering into a kernel mode from a user mode; dynamically obtaining the address of the system call table; if the addresses are not matched, then generating an intrusion reporting; obtaining a pure address of the system call table; if the system call table is not matched, then generating the intrusion reporting and restoring; intercepting a module name called by a module loading function, retrieving the dynamically loaded module name, if the name is not matched, then deleting the hidden module, and generating the intrusion reporting; obtaining all the progress information actually loaded by a system to be detected, and obtaining all the progress information by using a command query, if the progress information is not matched, then eliminating the malicious processes and generating the intrusion reporting. The invention also discloses a rootkit detection system, which can detect the intruded rootkit and delete the rootkit with an illegal act, so as to improve the safety and reliability of the system.