This blog shows how a curious research experiment can lead a student into an interesting cybercrime investigation that contains weird -yet interesting- topics, such as understanding underground attackers, botnets, informal Internet forums, and the economy of encrypting malware-as-a-service.
Deep Dive into an Obfuscation-as-a-Service for Android Malware
While confined in our homes studying the interactions of individuals involved in the spread of the Android banking Trojan botnet (known as Geost), we encountered a unique opportunity: investigate an automated obfuscation-as-a-service platform for Android malware authors.
Indeed, in a leaked chat log that involved Geost botnet operators, two individuals talked about an obfuscation service used to “protect” their malicious Android Applications (APKs) from being detected by antivirus engines. We visited the website related to the “protection” service (protection from antivirus engines -so basically obfuscation), which raised a lot of questions: How does this obfuscation service work? Is it automated? Does it really obfuscate applications well enough to avoid malicious applications being detected? How well is the service known in the underground community?