Abstract: Most research on malware identification is based on application program interface (API) calls, but most current API-based research does not consider the state of the device. However, the device state can directly reflect the running environment of the program, such as human operation or program automation, and it plays an important role in the analysis of application behavior. This paper proposes a sensor-based application behavior recognition technology. First, the real-time status of the device is judged from the sensor data. Second, an algorithm is designed to identify malicious application behavior using the multiple time series data generated by combining the API call time series with the first screen time series of the graphical user interface (GUI). Finally, a malicious behavior analysis prototype system is designed and implemented; it includes static instrumentation, dynamic behavior monitoring, and real-time collection of sensor status. Typical cases were selected to verify the accuracy of the proposed method, and a black-box test was performed to verify the effectiveness of the malicious application identification method proposed in this paper.