attack 2025

Stealthy Backdoor Attack to Real-world Models in Android Apps

Jiali Wei, Ming Fan, Xicheng Zhang, Wenjing Jiao, Haijun Wang, Ting Liu

1 citation · 55 references · arXiv

Published on arXiv

2501.01263

Model Poisoning

OWASP ML Top 10 — ML10

Key Finding

Steganography-based backdoor triggers achieve 12.50% higher attack success rate than DeepPayload on real-world mobile app models while maintaining normal model utility and human imperceptibility.


Powered by their superior performance, deep neural networks (DNNs) have found widespread applications across various domains. Many deep learning (DL) models are now embedded in mobile apps, making them more accessible to end users through on-device DL. However, deploying on-device DL to users' smartphones simultaneously introduces several security threats. One primary threat is backdoor attacks. Extensive research has explored backdoor attacks for several years and has proposed numerous attack approaches. However, few studies have investigated backdoor attacks on DL models deployed in the real world, or they have shown obvious deficiencies in effectiveness and stealthiness. In this work, we explore more effective and stealthy backdoor attacks on real-world DL models extracted from mobile apps. Our main justification is that imperceptible and sample-specific backdoor triggers generated by DNN-based steganography can enhance the efficacy of backdoor attacks on real-world models. We first confirm the effectiveness of steganography-based backdoor attacks on four state-of-the-art DNN models. Subsequently, we systematically evaluate and analyze the stealthiness of the attacks to ensure they are difficult to perceive. Finally, we implement the backdoor attacks on real-world models and compare our approach with three baseline methods. We collect 38,387 mobile apps, extract 89 DL models from them, and analyze these models to obtain the prerequisite model information for the attacks. After identifying the target models, our approach achieves an average of 12.50% higher attack success rate than DeepPayload while better maintaining the normal performance of the models. Extensive experimental results demonstrate that our method enables more effective, robust, and stealthy backdoor attacks on real-world models.


Key Contributions

  • Proposes a steganography-based backdoor attack that generates imperceptible, sample-specific triggers, which enhance attack stealthiness and evade common defenses
  • Systematically extracts and analyzes 89 real-world DL models from 38,387 Android apps to evaluate attacks under realistic deployment conditions
  • Achieves 12.50% higher average attack success rate than DeepPayload while better preserving clean model accuracy across four state-of-the-art DNN architectures

🛡️ Threat Analysis

Model Poisoning

The paper's primary contribution is a backdoor attack technique using DNN-based steganography to generate imperceptible, sample-specific triggers that embed hidden targeted behavior in DL models — activating only on triggered inputs while maintaining normal performance otherwise. This is the canonical backdoor/trojan threat.


Details

Domains
vision
Model Types
cnn
Threat Tags
training_time, targeted, digital, grey_box
Datasets
38,387 Android mobile apps (89 extracted real-world DL models)
Applications
on-device deep learning, mobile app image classification, android apps