Understanding Concept Drift with Deprecated Permissions in Android Malware Detection

📅 2025-07-29
🤖 AI Summary
This study investigates the impact of concept drift—induced by Android system updates that deprecate or restrict permissions—on the performance of malware detection models. We propose a concept drift detection framework integrating inter-annual distribution analysis and the Kolmogorov–Smirnov test, and systematically evaluate diverse machine learning and CNN models on a large-scale, balanced permission dataset. Key contributions: (1) Permission deprecation per se has limited negative impact on detection accuracy; removing deprecated permissions even improves CNN performance; (2) abrupt distributional shifts in deprecated permissions serve as effective early indicators of concept drift; (3) dataset balancing significantly enhances model robustness and drift detectability. Our findings demonstrate the sustained discriminative power of permission features under dynamic Android ecosystem evolution, and provide an interpretable, deployable methodology for concept-drift-aware Android security analytics.

📝 Abstract
Permission analysis is a widely used method for Android malware detection. It involves examining the permissions requested by an application to access sensitive data or perform potentially malicious actions. In recent years, various machine learning (ML) algorithms have been applied to Android malware detection using permission-based features and feature selection techniques, often achieving high accuracy. However, these studies have largely overlooked important factors such as protection levels and the deprecation or restriction of permissions due to updates in the Android OS -- factors that can contribute to concept drift. In this study, we investigate the impact of deprecated and restricted permissions on the performance of machine learning models. A large dataset containing 166 permissions was used, encompassing more than 70,000 malware and benign applications. Various machine learning and deep learning algorithms were employed as classifiers, along with different concept drift detection strategies. The results suggest that Android permissions are highly effective features for malware detection, with the exclusion of deprecated and restricted permissions having only a marginal impact on model performance. In some cases, such as with CNN, accuracy improved. Excluding these permissions also enhanced the detection of concept drift using a year-to-year analysis strategy. Dataset balancing further improved model performance, reduced low-accuracy instances, and enhanced concept drift detection via the Kolmogorov-Smirnov test.
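The year-to-year drift check with the Kolmogorov-Smirnov test that the abstract describes can be sketched as follows. This is an added example, not code from the paper: the per-app "number of deprecated permissions requested" feature, the three-permission `DEPRECATED` subset, the 0.05 threshold, and the `SAMPLE` data and its years are all assumptions constructed for illustration.

```python
import math

# Illustrative subset of deprecated Android permissions (assumption, not the paper's list).
DEPRECATED = {"GET_TASKS", "RESTART_PACKAGES", "USE_FINGERPRINT"}

def ks_two_sample(a, b):
    """Two-sample KS statistic D and its asymptotic p-value."""
    a, b = sorted(a), sorted(b)
    n, m, i, j, d = len(a), len(b), 0, 0, 0.0
    while i < n and j < m:
        x = min(a[i], b[j])
        while i < n and a[i] == x:      # advance both ECDFs past ties at x
            i += 1
        while j < m and b[j] == x:
            j += 1
        d = max(d, abs(i / n - j / m))  # largest gap between the two ECDFs
    en = math.sqrt(n * m / (n + m))
    lam = (en + 0.12 + 0.11 / en) * d   # small-sample correction to the statistic
    if lam < 0.2:                       # series does not converge here; p is ~1
        return d, 1.0
    p = 2 * sum((-1) ** (k - 1) * math.exp(-2 * k * k * lam * lam) for k in range(1, 101))
    return d, min(max(p, 0.0), 1.0)

def deprecated_counts(apps):
    # Feature per app: how many deprecated permissions it requests.
    return [len(perms & DEPRECATED) for perms in apps]

def drift_years(apps_by_year, alpha=0.05):
    """Years whose feature distribution differs from the previous year's."""
    years = sorted(apps_by_year)
    flagged = []
    for prev, cur in zip(years, years[1:]):
        _, p = ks_two_sample(deprecated_counts(apps_by_year[prev]),
                             deprecated_counts(apps_by_year[cur]))
        if p < alpha:
            flagged.append(cur)
    return flagged

def _apps(two, one, zero):
    # Constructed sample: apps requesting two, one or zero deprecated permissions.
    return ([frozenset({"INTERNET", "GET_TASKS", "RESTART_PACKAGES"})] * two
            + [frozenset({"INTERNET", "GET_TASKS"})] * one
            + [frozenset({"INTERNET"})] * zero)

SAMPLE = {2016: _apps(30, 40, 30), 2017: _apps(28, 40, 32), 2018: _apps(5, 15, 80)}

if __name__ == "__main__":
    print(drift_years(SAMPLE))
```

The count feature is discrete, so the KS p-value is conservative on heavily tied data; a flagged year is a prompt to re-evaluate or retrain the classifier, not proof of degraded accuracy.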
Problem

Research questions and friction points this paper is trying to address.

Impact of deprecated Android permissions on malware detection models
Effect of permission changes on concept drift in ML models
Performance of classifiers with excluded deprecated permissions
Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzing deprecated permissions impact on ML models
Using large dataset with 70,000+ malware samples
Employing CNN and drift detection strategies
Ahmed Sabbah
PhD, Computer Science, Birzeit University
Software engineering, Machine learning, Android Malware, NLP
Radi Jarrar
Department of Computer Science, University of Birzeit, Palestine
Samer Zein
Department of Computer Science, University of Birzeit, Palestine
David Mohaisen
Professor of Computer Science, University of Central Florida
systems security, online privacy, AI/ML security