The invention relates to a malicious application detection method and system. The method comprises the following steps. S1: perform static code scanning on a received application to be detected and analyze, along three dimensions (requested permissions, function calls and information output), whether the application exhibits a malicious behavior matching any entry in a malicious behavior information library; if such a behavior exists, mark the application as a suspected malicious application, otherwise mark it as a normal application. S2: perform a similarity analysis between each application marked as a suspected malicious application and the malicious application samples in a malicious application sample library, based on application name, package name, signing certificate, directory structure, text files and image files, and mark an application whose similarity reaches a set threshold as a malicious application. Because the application is never loaded into a virtual machine for execution and analysis, the method and system avoid that performance bottleneck, effectively reduce the false alarm rate and improve identification accuracy.
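The two-stage pipeline described in the abstract, written out as an added Python example (this is illustrative code, not the patent's implementation): stage S1 matches an application's statically extracted profile against behavior rules that each combine the three dimensions (requested permissions, function calls, information output), and stage S2 scores a suspected application against known malicious samples on the six listed features and applies a threshold. All class names, rule names, permission and call tokens, certificate fingerprints, file hashes and the weighting scheme (a plain mean of six per-feature scores) are assumptions of this example; the sample data is constructed.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class AppProfile:
    """Hypothetical profile a static scanner would extract from an app package."""
    name: str
    package: str
    cert_sha256: str                                  # signing certificate fingerprint
    permissions: set = field(default_factory=set)     # dimension 1: requested permissions
    calls: set = field(default_factory=set)           # dimension 2: function / API calls
    outputs: set = field(default_factory=set)         # dimension 3: information output channels
    dirs: set = field(default_factory=set)            # directory structure
    text_hashes: set = field(default_factory=set)     # hashes of bundled text files
    image_hashes: set = field(default_factory=set)    # hashes of bundled image files


@dataclass
class BehaviorRule:
    """One entry of the malicious behavior information library (all three dimensions)."""
    name: str
    permissions: set
    calls: set
    outputs: set


def matches_rule(app: AppProfile, rule: BehaviorRule) -> bool:
    # A behavior is present only when all three dimensions are found in the app.
    return (rule.permissions <= app.permissions
            and rule.calls <= app.calls
            and rule.outputs <= app.outputs)


def static_scan(app: AppProfile, rules: list) -> tuple:
    """Stage S1: returns ('SUSPECTED' | 'NORMAL', list of matched rule names)."""
    hits = [r.name for r in rules if matches_rule(app, r)]
    return ("SUSPECTED" if hits else "NORMAL"), hits


def jaccard(a: set, b: set) -> float:
    # Two empty sets carry no evidence of similarity, so score them 0 rather than 1.
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity(app: AppProfile, sample: AppProfile) -> tuple:
    """Stage S2 score on the six features; returns (mean score, per-feature scores)."""
    feats = {
        "name": SequenceMatcher(None, app.name.lower(), sample.name.lower()).ratio(),
        "package": SequenceMatcher(None, app.package, sample.package).ratio(),
        "cert": 1.0 if app.cert_sha256 == sample.cert_sha256 else 0.0,
        "dirs": jaccard(app.dirs, sample.dirs),
        "text": jaccard(app.text_hashes, sample.text_hashes),
        "image": jaccard(app.image_hashes, sample.image_hashes),
    }
    return sum(feats.values()) / len(feats), feats


def classify(app: AppProfile, rules: list, samples: list, threshold: float = 0.7) -> tuple:
    """Full pipeline: S1, then S2 only for suspected apps. Returns (verdict, hits, best)."""
    verdict, hits = static_scan(app, rules)
    if verdict == "NORMAL":
        return "NORMAL", hits, None
    best = max(((similarity(app, s)[0], s.package) for s in samples), default=(0.0, None))
    if best[0] >= threshold:
        return "MALICIOUS", hits, best
    return "SUSPECTED", hits, best       # suspected but unlike any known sample


# Constructed malicious behavior library: one rule (hypothetical token names).
RULES = [BehaviorRule("sms_exfiltration",
                      permissions={"READ_SMS", "INTERNET"},
                      calls={"SmsReader.readAll"},
                      outputs={"http_post"})]

# Constructed malicious application sample library: one known sample.
SAMPLES = [AppProfile("Flash Lite", "com.example.flashlite", "cert-A",
                      dirs={"assets", "res", "lib/armeabi"},
                      text_hashes={"t1", "t2"}, image_hashes={"i1"})]

# Constructed inputs: a repackaged variant of the sample, a benign app, and an app that
# trips the rule but resembles no known sample.
REPACK = AppProfile("Flash Lite Pro", "com.example.flashlite.pro", "cert-A",
                    permissions={"READ_SMS", "INTERNET"}, calls={"SmsReader.readAll"},
                    outputs={"http_post"}, dirs={"assets", "res", "lib/armeabi"},
                    text_hashes={"t1", "t2", "t3"}, image_hashes={"i1"})
BENIGN = AppProfile("Notes", "org.sample.notes", "cert-B",
                    permissions={"INTERNET"}, calls={"Http.get"}, outputs={"http_post"},
                    dirs={"res"}, text_hashes={"t5"}, image_hashes={"i2"})
UNKNOWN = AppProfile("Weather Now", "net.other.weather", "cert-C",
                     permissions={"READ_SMS", "INTERNET"}, calls={"SmsReader.readAll"},
                     outputs={"http_post"}, dirs={"assets", "res"},
                     text_hashes={"t9"}, image_hashes={"i7"})

if __name__ == "__main__":
    for app in (REPACK, BENIGN, UNKNOWN):
        print(app.name, "->", classify(app, RULES, SAMPLES))
```

The third verdict is the practically important one: an application that matches a behavior rule but no known sample stays "SUSPECTED" rather than being promoted to "MALICIOUS", which is where the abstract's false-alarm reduction comes from. A real deployment would tune the per-feature weights and the threshold on labelled data, and would treat a certificate match as strong evidence only after checking that the certificate is not a widely shared debug or public key.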