FCGHunter: Towards Evaluating Robustness of Graph-Based Android Malware Detection
Shiwen Song, Xiaofei Xie, Ruitao Feng, Qi Guo, Sen Chen
TL;DR
This work tackles robustness evaluation for graph-based Android malware detectors that rely on Function Call Graphs by introducing FCGHunter, a robustness-testing framework that combines critical-area narrowing, seven semantics-preserving perturbation operators, and dependency-aware genetic algorithms with SHAP-guided, multi-objective fitness. The method effectively explores a vast perturbation space to generate adversarial FCGs while preserving malware functionality, achieving an average attack success rate of $87.9\%$, and outperforming baselines by at least $44.7\%$ across 40 target models and eight embeddings. Key findings show edge-based perturbations and dependency-aware mutation significantly improve exploration and avoid premature convergence, with strong transferability to real-world black-box systems like VirusTotal and potential benefits from adversarial retraining. The results provide practical insights for strengthening AMD robustness and guiding future adversarial testing and defense strategies.
Abstract
Graph-based detection methods leveraging Function Call Graphs (FCGs) have shown promise for Android malware detection (AMD) due to their semantic insights. However, the deployment of malware detectors in dynamic and hostile environments raises significant concerns about their robustness. While recent approaches evaluate the robustness of FCG-based detectors using adversarial attacks, their effectiveness is constrained by the vast perturbation space, particularly across diverse models and features. To address these challenges, we introduce FCGHunter, a novel robustness testing framework for FCG-based AMD systems. Specifically, FCGHunter employs innovative techniques to enhance exploration and exploitation within this huge search space. Initially, it identifies critical areas within the FCG related to malware behaviors to narrow down the perturbation space. We then develop a dependency-aware crossover and mutation method to enhance the validity and diversity of perturbations, generating diverse FCGs. Furthermore, FCGHunter leverages multi-objective feedback to select perturbed FCGs, significantly improving the search process with interpretation-based feature change feedback. Extensive evaluations across 40 scenarios demonstrate that FCGHunter achieves an average attack success rate of 87.9%, significantly outperforming baselines by at least 44.7%. Notably, FCGHunter achieves a 100% success rate on robust models (e.g., AdaBoost with MalScan), where baselines achieve only 11% or are inapplicable.
