Uncertainty-Driven Hierarchical Sampling for Unbalanced Continual Malware Detection with Time-Series Update-Based Retrieval

Yi Xie, Ziyuan Yang, Yongqiang Huang, Yinyu Chen, Lei Zhang, Liang Liu, Yi Zhang

Published: 2025/9/9

Abstract

Android malware detection continues to face persistent challenges stemming from long-term concept drift and class imbalance, as evolving malicious behaviors and shifting usage patterns dynamically reshape feature distributions. Although continual learning (CL) mitigates drift, existing replay-based methods suffer from inherent bias. Specifically, their reliance on classifier uncertainty for sample selection disproportionately prioritizes the dominant benign class, causing overfitting and reduced generalization to evolving malware. To address these limitations, we propose a novel uncertainty-guided CL framework. First, we introduce a hierarchical balanced sampler that employs a dual-phase uncertainty strategy to dynamically balance benign and malicious samples while simultaneously selecting high-information, high-uncertainty instances within each class. This mechanism ensures class equilibrium across both replay and incremental data, thereby enhancing adaptability to emerging threats. Second, we augment the framework with a vector retrieval mechanism that exploits historical malware embeddings to identify evolved variants via similarity-based retrieval, thereby complementing classifier updates. Extensive experiments demonstrate that our framework significantly outperforms state-of-the-art methods under strict low-label conditions (50 labels per phase). It achieves a true positive rate (TPR) of 92.95% and a mean accuracy (mACC) of 94.26%, which validates its efficacy for sustainable Android malware detection.
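
The selection bias described in the abstract, next to a class-balanced alternative, as an added illustration that is not the paper's algorithm or code. The split by predicted class, the entropy score, the function names and the constructed score pool are all assumptions, since the abstract gives no implementation details.

```python
import math

def entropy(p):
    """Binary entropy (bits) of a predicted malware probability p."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def top_k_uncertain(pool, k):
    """Baseline: pick the k most uncertain samples regardless of class."""
    return sorted(pool, key=lambda s: entropy(s["p"]), reverse=True)[:k]

def balanced_uncertain(pool, k):
    """Assumed two-phase reading of the sampler in the abstract.
    Phase 1: split the label budget evenly across predicted classes.
    Phase 2: within each class, keep the most uncertain samples.
    Quota a small class cannot fill is handed to the other class."""
    by_class = {0: [], 1: []}
    for s in pool:
        by_class[int(s["p"] >= 0.5)].append(s)
    for c in by_class:
        by_class[c].sort(key=lambda s: entropy(s["p"]), reverse=True)
    quota = {1: min(k // 2, len(by_class[1]))}
    quota[0] = min(k - quota[1], len(by_class[0]))
    quota[1] = min(k - quota[0], len(by_class[1]))
    return by_class[0][:quota[0]] + by_class[1][:quota[1]]

def make_pool(n_benign=900, n_malware=100):
    """Constructed scores: a 9:1 benign-to-malware pool, both classes
    spread evenly between confident and near the 0.5 boundary."""
    benign = [{"id": f"b{i}", "p": 0.05 + 0.44 * i / max(n_benign - 1, 1)}
              for i in range(n_benign)]
    malware = [{"id": f"m{i}", "p": 0.51 + 0.44 * i / max(n_malware - 1, 1)}
               for i in range(n_malware)]
    return benign + malware

def class_counts(selected):
    """Count selected samples by predicted class."""
    mal = sum(1 for s in selected if s["p"] >= 0.5)
    return {"benign": len(selected) - mal, "malware": mal}

if __name__ == "__main__":
    pool = make_pool()
    print("uncertainty only:", class_counts(top_k_uncertain(pool, 50)))
    print("class balanced  :", class_counts(balanced_uncertain(pool, 50)))
```

With the same 50-label budget, the uncertainty-only baseline spends most of its labels on the benign majority simply because there are more benign samples near the decision boundary.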
