CITADEL: A Semi-Supervised Active Learning Framework for Malware Detection Under Continuous Distribution Drift

Android malware detection systems suffer severe performance degradation over time due to concept drift caused by evolving malicious and benign app behaviors. Although recent methods leverage active learning and hierarchical contrastive loss to address drift, they remain fully supervised, computationally expensive, and ineffective on long-term real-world benchmark. Moreover, expert labeling does not scale to the monthly emergence of nearly 300K new Android malware samples, leaving most data unlabeled and underutilized.