Android, as a modern popular open source mobile platform, makes its security issues more prominent, especially in user privacy leakage. In this paper, we proposed a twostep model which combines static and dynamic analysis approaches. During the static analysis, permission combination matrix is used to determine whether an application has potential risks. For those suspicious applications, based on the reverse engineering, embed monitoring Smali code for those sensitive APIs such as sending SMS, accessing user location, device ID, phone number, etc. From experiments, it shows that almost 26% applications in Android market have privacy leakage risks. And our proposed method is feasible and effective for monitoring these kind of malicious behavior.