Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Can you See me? On the Visibility of NOPs against Android Malware Detectors

Diego Soi, Davide Maiorca, Giorgio Giacinto, Harel Berger

TL;DR

The paper addresses evasion of Android malware detectors through No OPerations (NOPs) by introducing the Clarity Complexity Connection (CCC) visibility metric to quantify how detectable such evasive code is by humans and machines. CCC combines three factors with the rule $CCC(S)=0.4*C_1(S)+0.2*(1-C_2(S))+0.4*(1-C_3(S))$, where $C_1$, $C_2$, and $C_3$ measure clarity, complexity, and code–originality connection, respectively, and is demonstrated on a state-of-the-art opcode-based CNN detector. Three attack variants (Simple NOP, Simple Opcode Attack, Impossible If) are implemented in Smali to evaluate CCC against realistic evasion scenarios. The results reveal a trade-off between evasion efficacy and detectability: more visible attacks (higher CCC) tend to reduce recall of the detector, while subtler attacks (lower CCC) may be harder for humans to identify; CCC thus serves as a practical tool for stress-testing defenses and guiding the development of more robust two-layer defenses combining human expertise and ML detectors. The work highlights the need to consider human perceptibility in security evaluations and suggests directions for optimizing CCC weights and extending the approach to additional malware domains and detectors.

Abstract

Android malware still represents the most significant threat to mobile systems. While Machine Learning systems are increasingly used to identify these threats, past studies have revealed that attackers can bypass these detection mechanisms by making subtle changes to Android applications, such as adding specific API calls. These modifications are often referred to as No OPerations (NOP), which ideally should not alter the semantics of the program. However, many NOPs can be spotted and eliminated by refining the app analysis process. This paper proposes a visibility metric that assesses the difficulty in spotting NOPs and similar non-operational codes. We tested our metric on a state-of-the-art, opcode-based deep learning system for Android malware detection. We implemented attacks on the feature and problem spaces and calculated their visibility according to our metric. The attained results show an intriguing trade-off between evasion efficacy and detectability: our metric can be valuable to ensure the real effectiveness of an adversarial attack, also serving as a useful aid to develop better defenses.

Can you See me? On the Visibility of NOPs against Android Malware Detectors

TL;DR

The paper addresses evasion of Android malware detectors through No OPerations (NOPs) by introducing the Clarity Complexity Connection (CCC) visibility metric to quantify how detectable such evasive code is by humans and machines. CCC combines three factors with the rule , where , , and measure clarity, complexity, and code–originality connection, respectively, and is demonstrated on a state-of-the-art opcode-based CNN detector. Three attack variants (Simple NOP, Simple Opcode Attack, Impossible If) are implemented in Smali to evaluate CCC against realistic evasion scenarios. The results reveal a trade-off between evasion efficacy and detectability: more visible attacks (higher CCC) tend to reduce recall of the detector, while subtler attacks (lower CCC) may be harder for humans to identify; CCC thus serves as a practical tool for stress-testing defenses and guiding the development of more robust two-layer defenses combining human expertise and ML detectors. The work highlights the need to consider human perceptibility in security evaluations and suggests directions for optimizing CCC weights and extending the approach to additional malware domains and detectors.

Abstract

Android malware still represents the most significant threat to mobile systems. While Machine Learning systems are increasingly used to identify these threats, past studies have revealed that attackers can bypass these detection mechanisms by making subtle changes to Android applications, such as adding specific API calls. These modifications are often referred to as No OPerations (NOP), which ideally should not alter the semantics of the program. However, many NOPs can be spotted and eliminated by refining the app analysis process. This paper proposes a visibility metric that assesses the difficulty in spotting NOPs and similar non-operational codes. We tested our metric on a state-of-the-art, opcode-based deep learning system for Android malware detection. We implemented attacks on the feature and problem spaces and calculated their visibility according to our metric. The attained results show an intriguing trade-off between evasion efficacy and detectability: our metric can be valuable to ensure the real effectiveness of an adversarial attack, also serving as a useful aid to develop better defenses.
Paper Structure (27 sections, 15 equations, 2 figures, 2 tables)

This paper contains 27 sections, 15 equations, 2 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Android applications
  4. Methodology
  5. Visibility
  6. Clarity
  7. Complexity
  8. Connection
  9. CCC
  10. Representative Examples
  11. Simple NOPs (EX_1)
  12. Loop & Addition (EX_2)
  13. Condition & API Call (EX_3)
  14. Target System
  15. Evasion Attacks
  16. ...and 12 more sections

Figures (2)

  • Figure 1: The attack process for SIO attack. Opcode sequences contain $1$ as padding between Smali functions. After opcode shifting, sequences contain additional opcodes (i.e. 22, 22, 255, 255 representing const, const, x, x). The attack will find the best opcodes reducing the maliciousness score to change the injected "255". Note that IMI attack works similarly but the added opcodes represent const, if-eqx, x, x.
  • Figure 2: Relationship between CCC value and recall with SIO attack. The values are the mean of the recall and CCC values for the test samples.