Over the last decade, researchers have extensively explored the vulnerabilities of Android malware detectors to adversarial examples through the development of evasion attacks; however, the practicality of these attacks in real-world scenarios remains arguable. The majority of studies have assumed attackers know the details of the target classifiers used for malware detection, while in reality, malicious actors have limited access to the target classifiers. This paper introduces EvadeDroid, a practical decision-based adversarial attack designed to effectively evade black-box Android malware detectors in real-world scenarios. In addition to generating real-world adversarial malware, the proposed evasion attack can also preserve the functionality of the original malware applications (apps). EvadeDroid constructs a collection of functionality-preserving transformations derived from benign donors that share opcode-level similarity with malware apps by leveraging an n-gram-based approach. These transformations are then used to morph malware instances into benign ones via an iterative and incremental manipulation strategy. The proposed manipulation technique is a novel, query-efficient optimization algorithm that can find and inject optimal sequences of transformations into malware apps. Our empirical evaluation demonstrates the efficacy of EvadeDroid under soft- and hard-label attacks. Furthermore, EvadeDroid exhibits the capability to generate real-world adversarial examples that can effectively evade a wide range of black-box ML-based malware detectors with minimal query requirements. Finally, we show that the proposed problem-space adversarial attack is able to preserve its stealthiness against five popular commercial antiviruses, thus demonstrating its feasibility in the real world.