Diagnosing and Mitigating Domain Shift in Permission-Based Android Malware Detection

📅 2026-05-09
🤖 AI Summary
This study addresses the significant degradation in generalization performance of Android permission-based malware detection models when deployed across different data domains, primarily due to domain shift, mismatched predictive feature sets, and high instability in the importance of critical permission features. The authors systematically evaluate five ensemble classifiers on two complementary datasets, revealing that domain-specific artifacts impose a more severe constraint on generalization than feature absence. To mitigate this, they propose a hybrid training strategy based on the intersection of shared permission features. Integrating explainable AI (XAI) techniques and ablation studies, the approach improves cross-domain accuracy from 73% to 88% (PerMalDroid→NATICUSdroid), while maintaining 97% accuracy in the reverse direction, substantially enhancing model robustness for real-world deployment.
📝 Abstract
Machine learning-based Android malware detectors often fail in real-world deployment due to domain shift, where models trained on one data source perform poorly on applications from another. This paper presents a comprehensive study on the generalizability and interpretability of permission-based detectors under cross-domain conditions. Using two complementary datasets (PerMalDroid and NATICUSdroid) and five ensemble classifiers, we first establish an intra-domain baseline, where models achieve over 92% accuracy, and then quantify a severe asymmetric performance drop. While models trained on PerMalDroid generalize well to NATICUSdroid (86% accuracy), the reverse direction sees a drastic drop to 73% accuracy. Explainable AI analysis reveals bimodal feature distributions and shows that feature importance is highly unstable, with key permissions losing or gaining influence across domains. The predictive feature sets for different domains are fundamentally mismatched, as models rely on different, dataset-specific permissions. Most importantly, an ablation study demonstrates that for most models, training on a noisy feature set leads to poor generalization, confirming that domain-specific artifacts are a greater obstacle than missing features. To mitigate this, we validate a hybrid training strategy based on the intersection of common features and successfully recover cross-domain performance, achieving 88% accuracy on PerMalDroid and maintaining 97% on NATICUSdroid. These findings highlight the importance of explainable, cross-domain-robust malware detection systems and provide a practical pathway toward improving real-world deployment of permission-based Android malware detectors.
Problem

Research questions and friction points this paper is trying to address.

domain shift
Android malware detection
permission-based detection
cross-domain generalization
model robustness
Innovation

Methods, ideas, or system contributions that make the work stand out.

domain shift
Android malware detection
explainable AI
feature stability
hybrid training strategy