Existing backdoor attacks against mobile deep learning models suffer from low real-world effectiveness and high detectability. Method: This paper proposes a sample-specific, imperceptible backdoor attack leveraging DNN steganography—marking the first use of DNN steganography to generate input-adaptive triggers. The approach preserves primary-task performance (accuracy degradation < 0.8%) while significantly enhancing stealth and robustness. Contribution/Results: Through model reverse engineering and Android APK static/dynamic analysis, we extract and validate deployed models from 89 real-world Android apps. Our method achieves an average attack success rate 12.50% higher than the state-of-the-art DeepPayload, effectively breaking the conventional trade-off between effectiveness and concealment. This work establishes a novel paradigm for security evaluation of AI models on mobile platforms.

Powered by their superior performance, deep neural networks (DNNs) have found widespread applications across various domains. Many deep learning (DL) models are now embedded in mobile apps, making them more accessible to end users through on-device DL. However, deploying on-device DL to users' smartphones simultaneously introduces several security threats. One primary threat is backdoor attacks. Extensive research has explored backdoor attacks for several years and has proposed numerous attack approaches. However, few studies have investigated backdoor attacks on DL models deployed in the real world, or they have shown obvious deficiencies in effectiveness and stealthiness. In this work, we explore more effective and stealthy backdoor attacks on real-world DL models extracted from mobile apps. Our main justification is that imperceptible and sample-specific backdoor triggers generated by DNN-based steganography can enhance the efficacy of backdoor attacks on real-world models. We first confirm the effectiveness of steganography-based backdoor attacks on four state-of-the-art DNN models. Subsequently, we systematically evaluate and analyze the stealthiness of the attacks to ensure they are difficult to perceive. Finally, we implement the backdoor attacks on real-world models and compare our approach with three baseline methods. We collect 38,387 mobile apps, extract 89 DL models from them, and analyze these models to obtain the prerequisite model information for the attacks. After identifying the target models, our approach achieves an average of 12.50% higher attack success rate than DeepPayload while better maintaining the normal performance of the models. Extensive experimental results demonstrate that our method enables more effective, robust, and stealthy backdoor attacks on real-world models.