MalModel: Hiding Malicious Payload in Mobile Deep Learning Models with Black-box Backdoor Attack
Jiayi Hua, Kailong Wang, Meizhen Wang, Guangdong Bai, Xiapu Luo, Haoyu Wang
TL;DR
This work addresses the security risk of on-device deep learning by introducing MalModel, a method to covertly embed malicious payloads inside the weights of mobile DL models and to trigger their execution via a backdoor. It formalizes a four-factor injection strategy (layer type, layer number, layer coverage, and the number of bytes replaced per parameter) to maximize payload capacity while keeping the impact on accuracy and latency minimal, and couples this with a backdoor mechanism consisting of a resize operator, a trigger detector, and a merge module that enables conditional execution of the payload. The authors evaluate the approach across multiple large and small models, real malware samples, and real-world apps, showing that sizable payloads can be injected with limited accuracy loss (as little as 0.4%) and modest latency overhead (at most 39 ms), and that the backdoor can be reliably triggered by both universal and specific visual triggers. They also demonstrate real-world feasibility through Google Play case studies (41% success rate) and show that the transformed apps largely evade VirusTotal detection, highlighting an urgent need for defenses that verify model integrity and detect hidden payloads in on-device DL pipelines. Overall, MalModel reveals a practical vulnerability surface in mobile DL ecosystems and provides concrete guidance for defense, model verification, and secure DL framework design.
Abstract
Mobile malware has become one of the most critical security threats in the era of ubiquitous mobile computing. Despite intensive efforts from security experts to counteract it, recent years have still witnessed rapid growth in the number of identified malware samples. This can be partly attributed to newly emerged technologies that constantly open up under-studied attack surfaces for adversaries. One typical example is the recently developed mobile machine learning (ML) frameworks that enable storing and running deep learning (DL) models on mobile devices. Despite obvious advantages, this new capability also inadvertently introduces potential vulnerabilities (e.g., on-device models may be modified for malicious purposes). In this work, we propose a method to generate or transform mobile malware by hiding the malicious payloads inside the parameters of deep learning models, based on a strategy that considers four factors (layer type, layer number, layer coverage and the number of bytes to replace). Using the proposed method, malware can be run covertly in DL mobile applications with little impact on model performance (i.e., as little as a 0.4% drop in accuracy and at most 39 ms of latency overhead).
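To make the byte-replacement step concrete, the following Python is an added illustration written for this page; it is not the authors' MalModel implementation and is not code from the paper. It shows what two of the four factors, layer coverage and the number of bytes replaced per parameter, mean at the bit level of IEEE-754 float32 weights: the low-order mantissa bytes of a fraction of a layer's parameters are overwritten with payload bytes, which bounds the perturbation of each weight and hence the accuracy impact. The layer type and layer number factors are abstracted away by operating on a single list of weights. The function names (capacity, embed, extract, max_abs_deviation, weights_digest), the sample weights and the payload bytes are all constructed here; the SHA-256 digest at the end is a generic integrity check of the kind the defence discussion calls for, not a mechanism the paper evaluates.

```python
import hashlib
import struct
from typing import List


def to_f32(x: float) -> float:
    """Round a Python float to the nearest float32, as a model file would store it."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


# Constructed stand-in for one layer's float32 parameters; not taken from any real model.
SAMPLE_WEIGHTS: List[float] = [
    to_f32(x) for x in [0.0125, -0.4031, 0.7729, 1.1004, -0.0003, 0.2510, -0.9981, 0.0677]
]
# Constructed stand-in for the hidden payload; the paper embeds real malware bytes here.
SAMPLE_PAYLOAD = b"payload!"


def capacity(n_weights: int, coverage: float, n_bytes: int) -> int:
    """Bytes one layer can carry: (weights covered) x (bytes replaced per weight)."""
    return int(n_weights * coverage) * n_bytes


def embed(weights: List[float], payload: bytes, coverage: float, n_bytes: int) -> List[float]:
    """Overwrite the n_bytes low-order bytes of each covered weight with payload bytes.

    Little-endian float32 layout: byte 0 = mantissa bits 0-7, byte 1 = bits 8-15,
    byte 2 = mantissa bits 16-22 plus the lowest exponent bit, byte 3 = sign and the
    remaining exponent bits. Replacing 1 or 2 bytes only perturbs the mantissa;
    replacing 3 also flips the exponent LSB (a change of up to a factor of 2).
    """
    if not 1 <= n_bytes <= 3:
        raise ValueError("n_bytes must be 1..3; replacing all 4 destroys sign and exponent")
    n_used = int(len(weights) * coverage)
    if len(payload) > n_used * n_bytes:
        raise ValueError("payload exceeds layer capacity")
    out = list(weights)
    for i in range(n_used):
        chunk = payload[i * n_bytes:(i + 1) * n_bytes]
        if not chunk:
            break  # payload exhausted; remaining covered weights stay untouched
        raw = bytearray(struct.pack("<f", weights[i]))
        raw[:len(chunk)] = chunk
        out[i] = struct.unpack("<f", bytes(raw))[0]
    return out


def extract(weights: List[float], payload_len: int, n_bytes: int) -> bytes:
    """Recover payload_len bytes from the low-order bytes of the leading weights."""
    n_used = -(-payload_len // n_bytes)  # ceiling division
    buf = b"".join(struct.pack("<f", w)[:n_bytes] for w in weights[:n_used])
    return buf[:payload_len]


def max_abs_deviation(original: List[float], modified: List[float]) -> float:
    """Largest absolute change any single weight suffered from the embedding."""
    return max(abs(a - b) for a, b in zip(original, modified))


def weights_digest(weights: List[float]) -> str:
    """SHA-256 over the serialized float32 bytes. A digest pinned at build time and
    checked at model-load time detects any byte-level tampering, however small."""
    return hashlib.sha256(b"".join(struct.pack("<f", w) for w in weights)).hexdigest()


if __name__ == "__main__":
    tampered = embed(SAMPLE_WEIGHTS, SAMPLE_PAYLOAD, coverage=0.5, n_bytes=2)
    print("capacity (bytes):", capacity(len(SAMPLE_WEIGHTS), 0.5, 2))
    print("recovered payload:", extract(tampered, len(SAMPLE_PAYLOAD), 2))
    print("max |dw|:", max_abs_deviation(SAMPLE_WEIGHTS, tampered))
    print("digest changed:", weights_digest(SAMPLE_WEIGHTS) != weights_digest(tampered))
```

With two bytes replaced the perturbation of a weight of magnitude about 1 stays below 2^-7, and with one byte below 2^-15, which is why the paper can trade capacity against accuracy by tuning the byte count and the coverage; a plain digest over the serialized weights, by contrast, detects the change regardless of how small the numeric perturbation is.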
