Welcome to the VB2021 conference!

Uncovering automatic Obfuscation-as-a-Service for malicious Android applications

Masarah Paquet-Clouston (GoSecure), Vit Sembera (Trend Micro), Sebastian Garcia (Stratosphere Laboratory) & Maria Jose Erquiaga (Cisco Systems)
partner message

Looking for performance validation for your product?


Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

partner message

We don’t just talk about sharing. We do it every day.


Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity


QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

VirusTotal: Actionable crowdsourced threat intelligence


Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

F5 helps find malware hiding in plain sight


Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

IoT security begins with your Smart TV


CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

Stay ahead of threats with VirusTotal


Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions


DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?


At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

Amazon Information Security - come build the future with us!


Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

Ransomware prevention starts with zero


Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

Threat Intelligence and Cyber Resilience


Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

Calling all Hackers!


We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

With the security community regularly developing mechanisms for malware detection, malware samples are constantly being obfuscated through various techniques. Although these changes are suspected to be automatic, there has been no research investigating how such automation works, how it is offered in the underground community, what obfuscation techniques are favoured, and whether offering automation-as-a-service is profitable.

This research presents a deep dive investigation into an obfuscation-as-a-service platform for Android applications advertised on underground forums. The various obfuscation techniques used by the service are uncovered and the service’s efficiency is evaluated. The potential revenue made by those behind the service is also estimated based on open-source information found on various underground forums.

This research provides the first overview of such automatic service, which takes advantage of the whole malware-as-a-service industry, providing medium quality obfuscation for the Android malware market. Although the technical obfuscations are not state-of-the-art, the service succeeds in reducing detection for malware Android applications. We conclude that the active use of the service highlights the need for the malware market to develop better obfuscation techniques, hence the good job that the security community is doing at quickly detecting changing malware. We also conclude that this service seemed to generate enough revenue for the group, given its automatic nature and purpose. Given that automatic services like this may be a larger problem in the future of malware obfuscation, this research provides a first technical analysis of the details of such obfuscation service and the possible impact in detection results.

Got a question about this presentation? To get in touch with the speakers, contact them on Twitter at @masarahclouston, @MaryJo_E and @eldracote or by email on [email protected] or [email protected].
Masarah Paquet-Clouston

Masarah Paquet-Clouston is a Ph.D. candidate in criminology, a security researcher at GoSecure and a collaborator of the Stratosphere IPS project. She is also part of the outreach committee for the NorthSec organization. With her background in economics, criminology, and now cybersecurity, she specializes in the study of online economic crime. She has presented at various international conferences including Black Hat USA, DefCon, RSA, CERT-EU, Sector, NorthSec and Virus Bulletin.

Vit Sembera
Trend Micro

Vit is a security researcher at Trend Micro. He specializes in automotive cybersecurity and IoT security including IoT botnets. Vit has delivered penetration testing, static code analysis and web application firewalls implementations in the past. During his free time, Vit enjoys playing piano and riding motorbikes.

Sebastian Garcia
Stratosphere Laboratory

Sebastian is a malware researcher and security teacher with extensive experience in machine learning applied on network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect civil society. He likes to analyse network patterns and attacks with machine learning. As a researcher in the AIC group of the Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has taught in several countries and universities and has worked on penetration testing for both corporations and governments. He has been lucky enough to talk at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore, CACIC, and more. As a co-founder of the MatesLab hackspace he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap) keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.

Maria Jose Erquiaga
Cisco Systems

Maria Jose Erquiaga is a malware researcher from Argentina. Previously, she worked as a researcher at the Stratosphere laboratory at the CVUT, in Prague, Czech Republic and as a team leader of the Aposemat project, a joint project between the Stratosphere laboratory and Avast. Maria's work has been focused on executing and analysing malware. Maria joined the Cognitive Intelligence team of Cisco Systems as a junior threat researcher in April 2021. Maria has spoken at CACIC, ArgenCon, SIGCOMM, BotConf, WACCO, NotPink, Defcon, BlackHat and Ekoparty.