Publication | Open Access
Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection
Citations: 315
References: 32
Year: 2018
Machine learning based solutions have been successfully employed for automatic detection of malware on Android. However, machine learning models lack robustness to adversarial examples, which are crafted by adding carefully chosen perturbations to the normal inputs. So far, the adversarial examples can only deceive detectors that rely on syntactic features (e.g., requested permissions, API calls, etc.), and the perturbations can only be implemented by simply modifying application's manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new attacking method that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK that can successfully deceive the machine learning detectors. We develop an automated tool to generate the adversarial examples without human intervention. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We demonstrate our attack on two state-of-the-art Android malware detection schemes, MaMaDroid and Drebin. Our results show that the malware detection rates decreased from 96% to 0% in MaMaDroid, and from 97% to 0% in Drebin, with just a small number of codes to be inserted into the APK.