With the popularity of smart phones, Android has a large number of users. Android allows download and installation of other unofficial healthcare system applications, so it has attracted the attention of malware developers for healthcare system. However, most of the papers proposed a variety of different methods to improve accuracy, and the samples tested by each method in the experimental part are different, which may cause errors in comparison. It shows that permission is an important of the development as mobile phone storage. Therefore, this paper proposed Android’s Permission and application program interface (API) as two features to perform machine learning to detect malicious programs business intelligence. It also uses machine learning method and other two algorithms to detect malicious programs. The average accuracy of using hybrid detection of unknown malicious programs reaches 89%, and the hit rate near 90%. The results show that under the same sample situation, the accuracy rate of the hybrid method used Random Forest is higher than the other two analyses. Compared with the dynamic analysis with others, it used the hybrid method and dynamic analysis has a high accuracy rate. The contribution of this paper is as follows: the advantage of static detection is that it does not need to execute Android application package (APK) features be extracted, and the speed is the fastest among the three detection modules. The features of dynamic detection for healthcare system are generated through the executed APK, and more powerful features can be extracted. Hybrid detection uses two method features, and extract most advantageous features to generate detection modules to detect APKs. The accuracy of static results about 87% in average, 88% for dynamic, and 89% for hybrid.