Abstract
Android malware evolves continuously, inducing concept drift that erodes the accuracy of learned detectors a challenge intensified in federated learning (FL), where non-IID and asynchronously shifting client data can destabilize aggregation despite privacy preservation. To address this limitation, this study proposes FL-MalDrift, a drift resilient federated framework integrating lightweight on device drift detection (ADWIN, DDM, EDDM, HDDM) with adaptive participation control. Each client mitigates local drift before contributing updates, while a server side controller regulated through exponentially weighted moving average (EWMA) smoothed drift scores selectively aggregates stable updates using FedAvg or FedSGD. Experiments on benchmark Android malware datasets demonstrate that FL-MalDrift achieves 94.7% accuracy on Drebin, 96.8% on CICMalDroid 2020, and 92.4% on a chronological AndroZoo split, with modest overhead. The framework stabilizes training under client heterogeneity, filtering drift-affected updates while maintaining privacy. By coupling client side drift detection with dynamic participation control, FL-MalDrift establishes a scalable and privacy preserving foundation for robust malware detection in non-stationary environments. Future work will integrate calibrated differential privacy budgets, compression-aware aggregation, and large scale device validation.