In this paper, we present a distributed anomaly detection system for mobile devices. The proposed framework realizes a client-server architecture, the client continuously extracts various features of mobile device and transfers to the server, and the server's major task is to detect anomaly using state-of-art detection algorithms. According to the regularity of human daily activity and the periodic of using mobile device, we also propose a novel user behavior cycle based statistical approach, in which the abnormal is determined by the distance from the undetermined feature vector to the similar time segments' vectors of previous cycles. We use the Mahalanobis distance as distance metric since it is rarely affected by the correlate and value range of features. Evaluation results demonstrated that the proposed framework and novel anomaly detection algorithm could effectively improve the detection rate of malwares on mobile devices.