MalModel: hiding malicious payload in mobile deep learning models with black-box backdoor attack

Jiayi Hua, Kailong Wang, Meizhen Wang, Guangdong Bai, Xiapu Luo, Haoyu Wang

Research output: Journal Publications and Reviews; RGC 21 - Publication in refereed journal; peer-review

Abstract

Mobile malware has become one of the most critical security threats in the era of ubiquitous mobile computing. Despite the intensive efforts from security experts to counteract it, recent years have still witnessed a rapid growth of identified malware samples. This could be partly attributed to the newly-emerged technologies that may constantly open up under-studied attack surfaces for adversaries. One typical example is the recently-developed mobile machine learning (ML) framework that enables storing and running deep learning (DL) models on mobile devices. Despite obvious advantages, this new feature also inadvertently introduces potential vulnerabilities (e.g., on-device models may be modified for malicious purposes). In this work, we propose a method to generate or transform mobile malware by hiding malicious payloads inside DL models’ parameters based on a strategy considering four factors (layer type, layer number, layer coverage, and the number of bytes to replace). Utilizing the proposed method, we can run malware in DL mobile applications covertly with little impact on the model performance (i.e., as little as 0.35% drop in accuracy and at most 39ms latency overhead). We can successfully trigger malicious functions, such as getting SMS records and screenshots in a real-world application. The generated malware can evade state-of-the-art detection techniques (i.e., none detected by VirusTotal), and the malware-based attack exhibits high practical feasibility (i.e., successfully attack 41% of the apps with on-device DL models). Our work should alert security experts on malware injection attacks on mobile devices, and further raise more awareness towards the deep-learning-assisted attacks in the mobile ecosystem. © The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2025.
Original language: English
Article number: 28
Number of pages: 32
Journal: Automated Software Engineering
Volume: 33
Issue number: 1
Online published: 29 Oct 2025
Publication status: Online published - 29 Oct 2025
Externally published: Yes

Funding

There is no external funding received for this work.

Research Keywords

  • Backdoor attack
  • Deep learning
  • Malware injection
  • Mobile application
  • Neural networks
