Abstract: At present, most benign applications in the Android market adopt a shelling method to protect themselves from being decompiled, so the detection of malicious applications can rely only on the permissions declared in AndroidManifest.xml. However, machine-learning classification based on permission features detects poorly, because malicious and benign applications differ only slightly in those features. If finer-grained Application Program Interface (API) calls are taken as features instead, application shelling causes a serious imbalance between the numbers of positive and negative samples. In response to these problems, we use the one-class SVM algorithm to build a detection model for malicious applications, with a large number of malicious applications as training samples and some benign applications as the novelty points. Compared with two-class supervised learning, this method can effectively distinguish malicious applications from benign applications, which is of practical significance.