Android malware detection systems suffer severe performance degradation over time due to concept drift caused by evolving malicious and benign app behaviors. Although recent methods leverage active learning and hierarchical contrastive loss to address drift, they remain fully supervised, computationally expensive, and ineffective on long-term real-world benchmarks. Moreover, expert labeling does not scale to the monthly emergence of nearly 300K new Android malware samples, leaving most data unlabeled and underutilized. To address these challenges, we propose CITADEL, a semi-supervised active learning framework for Android malware detection. Existing semi-supervised methods assume continuous and semantically meaningful input transformations, and fail to generalize well to high-dimensional binary malware features. We bridge this gap with malware-specific augmentations, Bernoulli bit flips and feature masking, that stochastically perturb features to regularize learning under evolving malware distributions. CITADEL further incorporates a supervised contrastive loss to improve the discrimination of boundary samples and combines it with a multi-criteria active learning strategy based on prediction confidence, $L_p$-norm distance, and boundary uncertainty, enabling effective adaptation under constrained labeling budgets. Extensive evaluation on four large-scale Android malware benchmarks, APIGraph, Chen-AZ, MaMaDroid, and LAMDA, demonstrates that CITADEL outperforms prior work, improving F1 score by over 1\%, 3\%, 7\%, and 14\% respectively, while using only 40\% labeled samples. Furthermore, CITADEL is significantly more efficient than prior work, with $24\times$ faster training and $13\times$ fewer operations. \paragraph{Availability} The code is available at https://github.com/IQSeC-Lab/CITADEL.git.
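The two augmentations and the multi-criteria acquisition step described above, as an added example written for this page (not code from the paper or the CITADEL repository): it operates on binary feature vectors, with `probs` holding each unlabeled sample's predicted malware probability. The equal weighting of the three criteria, the augmentation-disagreement proxy for boundary uncertainty, and the toy majority-vote `predict` function are assumptions of this example, not the paper's definitions.

```python
import random
from typing import Callable, List, Sequence

Bits = List[int]  # binary feature vector, e.g. presence flags for API calls or permissions

def seeded_rng(seed: int = 0) -> random.Random:  # reproducible augmentation noise
    return random.Random(seed)

def bernoulli_bit_flip(x: Bits, p: float, rng: random.Random) -> Bits:
    """Flip each bit independently with probability p: a present feature may vanish
    and an absent one may appear, much like small code changes between app versions."""
    return [b ^ 1 if rng.random() < p else b for b in x]

def feature_mask(x: Bits, p: float, rng: random.Random) -> Bits:
    """Zero out each feature independently with probability p. Masking only hides
    evidence; it never fabricates a feature the app does not actually have."""
    return [0 if rng.random() < p else b for b in x]

def lp_distance(a: Sequence[float], b: Sequence[float], p: float = 1.0) -> float:
    """L_p norm of a - b (with p = 1 this is the Hamming distance on binary vectors)."""
    return sum(abs(u - v) ** p for u, v in zip(a, b)) ** (1.0 / p)

def boundary_uncertainty(x: Bits, predict: Callable[[Bits], int], rng: random.Random,
                         k: int = 16, p_flip: float = 0.05) -> float:
    """Assumed proxy: fraction of k bit-flipped copies whose predicted label differs
    from the clean prediction. Samples near the decision boundary change label easily."""
    y0 = predict(x)
    return sum(predict(bernoulli_bit_flip(x, p_flip, rng)) != y0 for _ in range(k)) / k

def select_for_labeling(unlabeled: List[Bits], probs: List[float], labeled: List[Bits],
                        predict: Callable[[Bits], int], budget: int,
                        rng: random.Random, p_norm: float = 1.0) -> List[int]:
    """Rank unlabeled samples by low prediction confidence, normalised L_p distance to
    the nearest labeled sample (novelty) and boundary uncertainty; return the top-`budget`
    indices for an analyst. Equal weighting of the three terms is an assumption here."""
    n = len(unlabeled[0])
    scored = []
    for i, (x, q) in enumerate(zip(unlabeled, probs)):
        low_conf = 2.0 * (1.0 - max(q, 1.0 - q))  # 0 when certain, 1 at q = 0.5
        novelty = min(lp_distance(x, y, p_norm) for y in labeled) / n ** (1.0 / p_norm)
        scored.append((low_conf + novelty + boundary_uncertainty(x, predict, rng), i))
    scored.sort(reverse=True)
    return [i for _, i in scored[:budget]]

if __name__ == "__main__":  # constructed toy data: 4 features, majority-vote classifier
    print(select_for_labeling([[1, 1, 1, 1], [1, 1, 0, 0], [0, 0, 0, 0]], [0.99, 0.5, 0.01],
                              [[1, 1, 1, 1], [0, 0, 0, 0]], lambda x: int(sum(x) >= 2),
                              1, seeded_rng()))  # prints [1]
```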