With the security community regularly developing new mechanisms for malware detection, malware samples are constantly being obfuscated through a variety of techniques. Although these changes are suspected to be automated, there has been no research investigating how such automation works, how it is offered in the underground community, which obfuscation techniques are favoured, and whether offering automation-as-a-service is profitable.
This research presents a deep-dive investigation into an obfuscation-as-a-service platform for Android applications advertised on underground forums. The obfuscation techniques used by the service are uncovered and the service's effectiveness at evading detection is evaluated. The potential revenue made by those behind the service is also estimated from open-source information found on various underground forums.
This research provides the first overview of such an automated service, which takes advantage of the wider malware-as-a-service industry by providing medium-quality obfuscation for the Android malware market. Although the technical obfuscations are not state of the art, the service succeeds in reducing detection rates for malicious Android applications. We conclude that the active use of the service shows that the malware market needs to develop better obfuscation techniques, which in turn reflects how quickly the security community detects changing malware. We also conclude that the service appears to have generated enough revenue for the group, given its automated nature and purpose. Since automated services like this one may become a larger problem in the future of malware obfuscation, this research provides a first technical analysis of the details of such an obfuscation service and its possible impact on detection results.
Got a question about this presentation? To get in touch with the speakers, contact them on Twitter at @masarahclouston, @MaryJo_E and @eldracote or by email on [email protected] or [email protected].