Researchers from GoSecure, Trend Micro and Stratosphere Laboratory have described a new obfuscation-as-a-service offering, a prime example of how readily the cybercriminal economy adapts to meet demand in its own market. In this case, enterprising operators have built a fully automated service platform that obfuscates Android malware APKs so that antivirus solutions fail to detect them.
The researchers came across the service (they chose not to publish its name so as not to advertise it) while studying the Geost Android banking Trojan. Leaked correspondence of the Geost botnet operators discussed an obfuscation platform, and the team set out to identify it. They found a service offering obfuscation for $20 per APK, or $100 for ten APKs, as well as a monthly subscription priced at $850.
During the study, the researchers found more than 3,000 APK files on VirusTotal that had been obfuscated with this service in 2020.
Searching threat-intelligence tools for the same slang the Geost operators used to refer to the service, the researchers identified six more obfuscation services operating on darknet forums in 2020. The platform in question, however, stands apart from its competitors, the researchers note.
First, none of the competitors offers a platform with an API; purchases are instead arranged through private messages on Jabber or Telegram. Second, the competitors charge more, which the researchers attribute to their operators performing the obfuscation by hand. The service under study, by contrast, offers an API and automatic obfuscation, which gives it an edge in the market.
In terms of how well it actually evades detection, the researchers rated the service as "average quality": the less thoroughly an application is obfuscated, the more likely it is to be detected. There is further good news for defenders: although the attackers invested considerable effort in automating the service, that same automation makes the obfuscation itself easier to recognise, since an automated process tends to leave consistent traces across the samples it produces.