With　the　rapid　development　of　Android-based　smart　phones　and　pads,　android　applications　show　explosive　growth.　Because　third-party　application　market　regulation　is　lax,　many　normal　applications　are　embedded　malicious　code　and　then　many　security　issues　occur.　The　existing　antivirus　software　cannot　intercept　malicious　behaviors　from　those　repackaged　applications　in　many　cases.　To　solve　these　problems,　we　propose　a　new　method　called　RbacIP,　which　integrates　RBAC　into　intercept　and　disposal　process　of　malicious　android　applications.　In　RbacIP,　the　malicious　behaviors　of　applications　are　monitored　by　inserting　Linux　kernel　function　call　dynamically.　Exploiting　the　Netlike　technology,　the　information　of　malicious　behaviors　are　feedback　from　the　kernel　layer　to　the　user　layer.　On　the　user　layer,　depending　on　the　roles　assigned,　android　applications　are　authorized　to　the　corresponding　permissions.　According　to　the　characteristics　of　RBAC,　it　can　achieve　the　minimum　authorization　for　malicious　applications.　Meanwhile,　to　balance　the　user　experience　and　his　privacy　protection　needs,　users　are　allowed　to　make　fine-grained　decision　based　on　RBAC　policy,　rather　than　permit　or　prohibit.　Finally,　we　implemented　RbacIP　in　real　android　platform.　Comprehensive　experiments　have　been　conducted,　which　demonstrate　the　effectiveness　of　the　proposed　method　by　the　comparison　with　traditional　HIPS　systems　at　the　malicious　programs　detection　performance　and　resource　consumption.　©　Springer　International　Publishing　Switzerland　2016.