The invention relates to a method for detecting Android malicious software by means of a random forest classifier in real time. The method comprises the steps of 1 collecting network data, 2 calling data flow through an application program interface for grouping, 3 extracting data flow minimum unit, 4 extracting calling sequence characteristics, 5 training a hidden Markov model, 6 training a random forest model, 7 extracting application program interface data flow characteristics of a to-be-detected sample, 8 inputting feature vectors of the to-be-detected sample into a random forest detection model and judging whether or not output of a field network characteristic detection model is the malicious software category and 9 outputting the malicious software category corresponding to the to-be-detected sample. Accordingly, the malicious software can be detected in real time, software transmitted in the network can be detected, and the good detection accuracy rate is achieved.