Open Access
Noise-Augmented Transferability: A Low-Query-Budget Transfer Attack on Android Malware Detectors
Author(s) - Junji Wu, Tomohiro Morikawa, Tatsuya Mori
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3618010
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
Machine learning-based Android malware detectors are vulnerable to black-box adversarial attacks, yet existing methods typically suffer from low query efficiency and limited transferability. This study introduces a novel, two-stage transfer attack that systematically enhances adversarial transferability under stringent, query-limited conditions. We propose a new methodology that decomposes adversarial perturbations into model-specific “key perturbations” and transferable “perturbation noise.” By augmenting the minimal key perturbations with strategically sampled perturbation noise, our method generates a diverse set of highly effective adversarial examples. Extensive experiments demonstrate the attack’s potency, achieving evasion rates of up to 99.53% with an extremely low budget of 1-10 hard-label queries. Our method proves its versatility by successfully targeting models trained on both Boolean and Markov Chain-based features, and importantly, in challenging cross-dimensional scenarios where the attacker’s feature knowledge is limited. Furthermore, a case study on VirusTotal confirms its practical efficacy, reducing detection rates of modern malware by commercial engines by up to 49.7%. This work reveals a new class of potent, query-efficient black-box threats, underscoring the urgent need for more robust malware detection defenses.
