Function call graph (FCG) based Android malware detection methods have recently attracted increasing attention due to their promising performance. However, these methods are susceptible to adversarial examples (AEs). In this paper, we design a novel black-box AE attack against FCG based malware detection systems, called BagAmmo. To mislead its target system, BagAmmo purposefully perturbs the FCG feature of malware by inserting "never-executed" function calls into the malware code. The main challenges are two-fold. First, the adversarial perturbation must not change the malware's functionality. Second, information about the target system (e.g., the graph feature granularity and the output probabilities) is unavailable. To preserve malware functionality, BagAmmo employs a try-catch trap to insert the function calls that perturb the FCG of the malware. Without knowledge of the feature granularity and output probabilities, BagAmmo adopts the architecture of a generative adversarial network (GAN) and leverages a multi-population co-evolution algorithm (i.e., Apoem) to generate the desired perturbation. Every population in Apoem represents a possible feature granularity, and the real feature granularity can be obtained when Apoem converges. Through extensive experiments on over 44k Android apps and 32 target models, we evaluate the effectiveness, efficiency and resilience of BagAmmo. BagAmmo achieves an average attack success rate of over 99.9% on MaMaDroid, APIGraph and GCN, and still performs well in scenarios of concept drift and data imbalance. Moreover, BagAmmo outperforms the state-of-the-art attack SRL in attack success rate.