Table of Contents
Fetching ...

LLM-Driven Feature-Level Adversarial Attacks on Android Malware Detectors

Tianwei Lan, Farid Naït-Abdesselam

TL;DR

LAMLAD reveals a potent LLM-driven adversarial attack against ML-based Android malware detectors by iteratively perturbing Drebin features with a manipulator while an analyzer guides evasion; leveraging Retrieval-Augmented Generation, it achieves ASR up to 97% with about three attempts. It compares against EvadeDroid and HIV, showing superior attack effectiveness, and demonstrates that adversarial training can reduce ASR by over 30% across detectors. The work highlights significant security implications for Android malware defenses and suggests defense strategies and future extensions to broader feature spaces.

Abstract

The rapid growth in both the scale and complexity of Android malware has driven the widespread adoption of machine learning (ML) techniques for scalable and accurate malware detection. Despite their effectiveness, these models remain vulnerable to adversarial attacks that introduce carefully crafted feature-level perturbations to evade detection while preserving malicious functionality. In this paper, we present LAMLAD, a novel adversarial attack framework that exploits the generative and reasoning capabilities of large language models (LLMs) to bypass ML-based Android malware classifiers. LAMLAD employs a dual-agent architecture composed of an LLM manipulator, which generates realistic and functionality-preserving feature perturbations, and an LLM analyzer, which guides the perturbation process toward successful evasion. To improve efficiency and contextual awareness, LAMLAD integrates retrieval-augmented generation (RAG) into the LLM pipeline. Focusing on Drebin-style feature representations, LAMLAD enables stealthy and high-confidence attacks against widely deployed Android malware detection systems. We evaluate LAMLAD against three representative ML-based Android malware detectors and compare its performance with two state-of-the-art adversarial attack methods. Experimental results demonstrate that LAMLAD achieves an attack success rate (ASR) of up to 97%, requiring on average only three attempts per adversarial sample, highlighting its effectiveness, efficiency, and adaptability in practical adversarial settings. Furthermore, we propose an adversarial training-based defense strategy that reduces the ASR by more than 30% on average, significantly enhancing model robustness against LAMLAD-style attacks.

LLM-Driven Feature-Level Adversarial Attacks on Android Malware Detectors

TL;DR

LAMLAD reveals a potent LLM-driven adversarial attack against ML-based Android malware detectors by iteratively perturbing Drebin features with a manipulator while an analyzer guides evasion; leveraging Retrieval-Augmented Generation, it achieves ASR up to 97% with about three attempts. It compares against EvadeDroid and HIV, showing superior attack effectiveness, and demonstrates that adversarial training can reduce ASR by over 30% across detectors. The work highlights significant security implications for Android malware defenses and suggests defense strategies and future extensions to broader feature spaces.

Abstract

The rapid growth in both the scale and complexity of Android malware has driven the widespread adoption of machine learning (ML) techniques for scalable and accurate malware detection. Despite their effectiveness, these models remain vulnerable to adversarial attacks that introduce carefully crafted feature-level perturbations to evade detection while preserving malicious functionality. In this paper, we present LAMLAD, a novel adversarial attack framework that exploits the generative and reasoning capabilities of large language models (LLMs) to bypass ML-based Android malware classifiers. LAMLAD employs a dual-agent architecture composed of an LLM manipulator, which generates realistic and functionality-preserving feature perturbations, and an LLM analyzer, which guides the perturbation process toward successful evasion. To improve efficiency and contextual awareness, LAMLAD integrates retrieval-augmented generation (RAG) into the LLM pipeline. Focusing on Drebin-style feature representations, LAMLAD enables stealthy and high-confidence attacks against widely deployed Android malware detection systems. We evaluate LAMLAD against three representative ML-based Android malware detectors and compare its performance with two state-of-the-art adversarial attack methods. Experimental results demonstrate that LAMLAD achieves an attack success rate (ASR) of up to 97%, requiring on average only three attempts per adversarial sample, highlighting its effectiveness, efficiency, and adaptability in practical adversarial settings. Furthermore, we propose an adversarial training-based defense strategy that reduces the ASR by more than 30% on average, significantly enhancing model robustness against LAMLAD-style attacks.
Paper Structure (21 sections, 2 equations, 5 figures, 4 tables, 1 algorithm)

This paper contains 21 sections, 2 equations, 5 figures, 4 tables, 1 algorithm.

Figures (5)

  • Figure 1: Training pipeline of ML-based Android malware classifiers using Drebin features
  • Figure 2: LAMLAD attack workflow against ML-based Android malware classifiers using Drebin features
  • Figure 3: Overview of the RAG-enhanced interaction workflow between the LLM manipulator and LLM analyzer in LAMLAD
  • Figure 4: Distribution of the number of attempts
  • Figure 5: Adversarial training defense against LAMLAD on three ML detectors