Android malware concept drift using system calls: Detection, characterization and challenges



Bibliographic details
Published in: Expert Systems with Applications, 2022-11, Vol. 206, p. 117200, Article 117200
Main authors: Guerra-Manzanares, Alejandro; Luckner, Marcin; Bahsi, Hayretdin
Format: Article
Language: eng
Online access: Full text
Abstract:
• Demonstrates the existence of concept drift issues in Android malware detection.
• Proposes a novel detection system to address concept drift in Android malware.
• Demonstrates the usefulness of a small set of system calls as detection features.
• Compares the impact and usefulness of different timestamps to handle concept drift.
• Performs the characterization of the observed concept drift.

Most Android malware detection solutions have focused on achieving high performance on old, short snapshots of historical data, which leaves them prone to lacking the generalization and adaptation capabilities needed to discriminate new malware trends effectively over an extended time span. These approaches analyze the phenomenon from a stationary point of view, neglecting malware evolution and its degenerative impact on detection models as new data emerge, the so-called concept drift. This research proposes a novel method to detect and effectively address concept drift in Android malware detection and demonstrates the results on a seven-year-long data set. The proposed solution keeps high performance metrics over a long period of time and minimizes model retraining effort by using data sets belonging to short periods. Different timestamps are evaluated in the experimental setup and their impact on detection performance is compared. Additionally, concept drift in Android malware is characterized by leveraging the inner workings of the proposed solution; in this regard, the discriminatory properties of the important features are analyzed at various time horizons.
ISSN: 0957-4174, 1873-6793
DOI: 10.1016/j.eswa.2022.117200