Over the last decade, researchers have extensively explored the vulnerabilities of Android malware detectors to adversarial examples through the development of evasion attacks; however, the practicality of these attacks in real-world scenarios remains arguable. The majority of studies have assumed attackers know the details of the target classifiers used for malware detection, while in reality, malicious actors have limited access to the target classifiers. This paper introduces EvadeDroid, a problem-space adversarial attack designed to effectively evade black-box Android malware detectors in real-world scenarios. EvadeDroid constructs a collection of problem-space transformations derived from benign donors that share opcode-level similarity with malware apps by leveraging an n-gram-based approach. These transformations are then used to morph malware instances into benign ones via an iterative and incremental manipulation strategy. The proposed manipulation technique is a query-efficient optimization algorithm that can find and inject optimal sequences of transformations into malware apps. Our empirical evaluations, carried out on 1K malware apps, demonstrate the effectiveness of our approach in generating real-world adversarial examples in both soft- and hard-label settings. Our findings reveal that EvadeDroid can effectively deceive diverse malware detectors that utilize different features with various feature types. Specifically, EvadeDroid achieves evasion rates of 80%-95% against DREBIN, Sec-SVM, ADE-MA, MaMaDroid, and Opcode-SVM with only 1-9 queries. Furthermore, we show that the proposed problem-space adversarial attack is able to preserve its stealthiness against five popular commercial antiviruses with an average of 79% evasion rate, thus demonstrating its feasibility in the real world.