ShadowDroid: Practical Black-box Attack against ML-based Android Malware Detection

Abstract

Machine learning (ML) techniques have been widely deployed in the field of Android malware detection. On the other hand, ML-based malware detection also faces the threat of adversarial attacks. Recently, some research has demonstrated the possibility of such attacks under the settings of white-box or grey-box. However, a more practical threat model - black-box adversarial attack has not been well validated and evaluated. In this paper, we bridge this research gap and propose a black-box adversarial attack approach, ShadowDroid, against ML-based Android malware detection. On a high level, ShadowDroid tries to construct a substitute model of the target malware detection system. Utilizing this substitute model, we can identify and modify the key features of a malicious app to generate an adversarial sample. During the experiment, we evaluated the effectiveness of ShadowDroid against nine ML-based Android malware detection frameworks. It achieved successful malware evading on five platforms. Based on these results, we also discuss how to design a robust malware detection system to prevent adversarial attacks.