Android malware’s continuous evolution induces concept drift, causing significant performance degradation in conventional supervised detection models; meanwhile, manual labeling cannot scale to the daily influx of over 450,000 new samples. To address long-term distributional drift, we propose an efficient semi-supervised active learning framework tailored for malware analysis. Our method introduces bit-level augmentations—Bernoulli bit-flipping and masking—specifically designed for binary executables, and integrates supervised contrastive loss with a multi-criteria active sampling strategy leveraging prediction confidence, Lp-norm distance, and boundary uncertainty. Evaluated on four large-scale datasets—including LAMDA—our approach achieves superior performance using only 40% labeled data: F1-score improves by up to 14% over state-of-the-art methods, training speed accelerates 24×, and computational overhead reduces 13×. To our knowledge, this is the first work to demonstrate high-accuracy, low-label-cost adaptive malware detection under realistic, long-term concept drift.

Android malware evolves rapidly, leading to concept drift that degrades the performance of traditional machine learning (ML)-based detection systems. While recent approaches incorporate active learning and hierarchical contrastive loss to handle this drift, they remain fully supervised, computationally expensive, and perform poorly on real-world datasets with long temporal spans. In particular, our evaluation highlights these limitations, particularly on LAMDA, a 12-year longitudinal dataset exhibiting substantial distributional shifts. Moreover, manual expert labeling cannot scale with the daily emergence of over 450,000 new malware samples, leaving most samples unlabeled and underutilized. To address these challenges, we propose CITADEL, a robust semi-supervised active learning framework for Android malware detection. To bridge the gap between image-domain semi-supervised learning and binary feature representations of malware, we introduce malware-specific augmentations, Bernoulli bit flips and masking, that simulate realistic drift behaviors. CITADEL further integrates supervised contrastive loss to improve boundary sample discrimination and combines it with a multi-criteria active learning strategy based on prediction confidence, $L_p$-norm distance, and boundary uncertainty, enabling effective adaptation under limited labeling budgets. Extensive evaluation on four large-scale Android malware benchmarks -- APIGraph, Chen-AZ, MaMaDroid, and LAMDA demonstrates that CITADEL outperforms prior work, achieving F1 score of over 1%, 3%, 7%, and 14% respectively, using only 40% labeled samples. Furthermore, CITADEL shows significant efficiency over prior work incurring $24 imes$ faster training and $13 imes$ fewer operations.