{
	"id": "49facb2f-3cd0-4095-8f02-e1d45430725b",
	"created_at": "2026-04-06T00:21:47.53528Z",
	"updated_at": "2026-04-10T13:12:15.287158Z",
	"deleted_at": null,
	"sha1_hash": "f50184987c6c38743904cf8eb20eea0fffab3c3c",
	"title": "24/7 managed detection, response, and expert cybersecurity services - GoSecure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102743,
	"plain_text": "24/7 managed detection, response, and expert cybersecurity services\r\n- GoSecure\r\nArchived: 2026-04-05 16:50:02 UTC\r\nThis blogpost summarizes cutting-edge research that uncovers an obfuscation-as-a-service platform for Android\r\napplications. From a thorough analysis of the obfuscation techniques to comprehending the service's usage,\r\nefficiency, and potential profitability, as well as placing the service in its wider market context, the research provides\r\na practical deep dive into the modus operandi of malicious actors attempting to complicate the work of security\r\nanalysts.\r\nThe research is the result of a collaboration among Masarah Paquet-Clouston from GoSecure, Vit Sembera, from\r\nTrend Micro as well as Maria Jose Erquiaga and Sebastian Garcia from the Stratosphere Laboratory. Two related\r\nblogs about the research can be found, one on the Stratosphere Laboratory blog and one on the Trend Micro\r\nwebsite.\r\nWhile confined in our homes studying the interactions of individuals involved in the spread of the Android banking\r\nTrojan botnet (known as Geost), we encountered a unique opportunity: strip naked an automated obfuscation-as-a-service platform for Android malware authors.\r\nIndeed, in a leaked chat log that involved Geost botnet operators, two individuals talked about an obfuscation\r\nservice used to \"protect\" their malicious Android Applications (APKs) from being detected by antivirus engines. We\r\nvisited the website related to the \"protection\" service (protection from antivirus engines -so basically obfuscation),\r\nwhich raised a lot of questions: How does this obfuscation service work? Is it automated? Does it really obfuscate\r\napplications well enough to avoid malicious applications being detected? How well is the service known in the\r\nunderground community?\r\n**And so, a new research quest began. 
We scrutinized this service by stripping naked its obfuscation techniques,\r\nunderstanding its usage, and uncovering its clients, analyzing its efficiency, and estimating the potential revenue of\r\nthe administrators. **\r\nThis blogpost summarizes the quest and the findings, which will also be presented at the 2020 Botconf Conference,\r\nhappening from December 2nd to 4th. The conference is virtual, and registration is free.\r\nTo avoid tipping off the obfuscation-as-a-service operators that we exposed their service, we do not mention the\r\nservice's name. However, security researchers can find the service's link by doing a ROT13 of the string sggxvg.pbz\r\n
Step 1: Registering to the Service: Surfing the Underground\r\nWhen we encountered the link, we attempted to register on the platform. 
However, as shown in Figure 1, we needed\r\na coupon code, creating barriers of entry for curious individuals who were not serious customers, like us.\r\nFigure 1 - Registration Webpage for the Obfuscation Service\r\nUsing the Sixgill and Flared Systems darknet monitoring platforms, we found coupon codes on several underground\r\nforums. Indeed, the service was advertised on HackForum, xss.is (previously DamageLab), procrd.top and the\r\nclosed/registration forums alligator-cash and exploit.in. Figure 2 displays an advertisement for the service on the\r\nHackForum platform.\r\nFigure 2 - Advertisement for the Obfuscation-as-a-Service on HackForums\r\nAs mentioned in the advertisement, the APK obfuscation service is supposed to offer a \"fully automated service for\r\nprotection of Android applications\". It says it has an API integration and offers a wide range of obfuscation\r\ntechniques to avoid detection and thus enhance the protection of APKs.\r\nWe used a coupon available in the advertising posts to register for the service. The service was available both in\r\nEnglish and Russian (although only the Russian version worked properly) and the prices for obfuscation varied\r\ndepending on the bundle chosen, from USD 20 for one APK to unlimited APKs for USD 850 per month.\r\nStep 2: Obfuscation and Deobfuscation\r\nTo uncover the obfuscation techniques, we selected the \"three-applications bundle for USD 50\" and obfuscated three\r\napplications; they are displayed in Table 1.\r\nThe Android Locker and SMS-Stealer were chosen for two reasons. First, their source code did not use any\r\nobfuscation, so it was easy for us to interpret the application's behavior. 
Second, they were both flagged as highly\r\nmalicious on VirusTotal, which meant that it would make sense to use the service from a malware operator's\r\nperspective.\r\nThe third adware application was chosen because its malicious behavior was not obvious. When uploaded on\r\nVirusTotal, only one antivirus flagged it as adware. We wanted to assess if we would see different results depending\r\non the maliciousness of the applications.\r\n| **APK** | **SHA1 - Original** | **SHA1 - Obfuscated** |\r\n| --- | --- | --- |\r\n| **Android Locker** | a48fea41f84dc357ff164b7f2f35e8f09bb8305d | 3d81adfef37e817ceb0a45d62d314af1eba27374 |\r\n| **SMS-Stealer** | 98bb4315a5ee3f92a3275f08e45f7e35d9995cd2 | d9872e32b5f4cda4aea7beed32ae3f23c753987b |\r\n| **Adware** | 4c3a1103960780cc890831280b37ea3a20754fad | 494e7942be0ca873ea49e5cf33bed10aa1e7faf7 |\r\nTable 1 - Original and Obfuscated Applications\r\nComparing the results of the three APKs, we noticed that the\r\nobfuscation was the same, which confirmed that the service was automated. Thus, for simplicity purposes, we\r\npresent below the results for the first APK, the Android locker.\r\n### Step 2.1 Automated Analysis to Compare Android Locker Original and Obfuscated Files\r\nWe started by conducting an automated analysis using MobSF to compare the results between the original Android\r\nLocker and the obfuscated one. The results are presented in Table 2.\r\nThe obfuscation process was good enough to hide vulnerabilities found in the original file, thus increasing the\r\nsecurity score of the obfuscated file to 100/100, compared to 75/100 for the original file.\r\nThe service also changed the Package and Main Activity names to random strings, making the obfuscated file look\r\nsuspicious at first sight. The number of services and activities also increased in the obfuscated file compared to the\r\noriginal one. 
The number of activities went from 2 to 10 and the number of services went from 1 to 3, making the\r\nobfuscated file more complex and potentially running more tasks in the background. Overall, the automated analysis\r\nhinted that the obfuscated file may look more suspicious than the original one.\r\nTable 2 - Automated Analysis Comparing the Android Locker Original File with the Obfuscated one\r\nStep 2.2 Reverse Engineering the Obfuscated Locker Application\r\nWe were fortunate enough to have a great reverse-engineer in our team: Vit Sembera. Moreover, Vit had already\r\nuncovered part of the obfuscation process in March 2020 when he investigated an application related to the Android\r\nbanking Trojan Geost.\r\nAt the time, we all thought that he was reverse engineering a Geost application, while what he was doing was:\r\nfiguring out the obfuscation service to access the Geost application afterward.\r\nIn terms of the reverse engineering results, the service creates a Dalvik executable dropper and launcher (first stage)\r\nthat opens and decrypts a second stage Dalvik executable (named radio.ogg and located in a /tracks folder in all\r\nobfuscated samples), representing the original APK with partially obfuscated symbol names.\r\nAll strings in the first stage are encrypted with the RC4 algorithm using a hard-encoded private key that changes on\r\neach APK. The obfuscated APK makes a special effort at hiding the RC4 decryption code and the second stage\r\nloader. 
Fortunately, the RC4 function does not keep its internal state, making it easier to decrypt all the strings\r\nseparately after the key is found.\r\nThe various obfuscation techniques, to prevent a malware analyst from finding the second stage Dalvik executable,\r\ninclude complex string splitting, the use of decoy strings and methods to lure the analyst on low-hanging fruits, as\r\nwell as nested junk flow control structures that increased the amount of code to analyze by a factor of nearly 200.\r\nFor further information, Vit summarized the reverse engineering results on the blog titled From Geost to\r\nLocker: Monitoring the Evolution of Android Malware Obfuscation.\r\nFollowing this analysis, we wanted to dig deeper, which led us to expose the service's popularity, efficiency, and\r\npotential profitability.\r\nStep 3: Exposing the Service's Potential Popularity, Efficiency and Profitability\r\nService Popularity\r\nThrough the reverse engineering results, it was easy to fingerprint the service. We leveraged the power of VirusTotal\r\nand conducted two Retrohunt jobs that asked:\r\nAre there files currently submitted on VT that are: \"apks\", \"zip\" or \"jar\" with an embedded \"radio.ogg\" file?\r\nYes! There are!\r\nThe first job was launched on June 22nd, 2020, and another on October 14th, 2020. The first job yielded 2,172 files,\r\nand we could decompile 1,051 of them. The second job yielded 2,051 files from which we could decompile 2,006 of\r\nthem. We thus had 3,057 APKs potentially related to the service.\r\nAre these Obfuscated APKs? Validating the Dataset\r\nWe decompiled all the applications and extracted information on each of them. We found that all manifest files had\r\nPackage name, Main activity as well as activity and service names that were long random strings just like our own\r\nobfuscated files. 
The radio.ogg file was also stored in a /tracks folder for all of them, just like our three applications.\r\nWe concluded with confidence that these applications were all related to the obfuscation service. For future\r\nreference, their SHA1 hashes are available on GitHub.\r\nYes, these 3,057 applications are related to the obfuscation service!\r\nFigure 3 shows the number of applications found on VirusTotal through time. The x-axis represents the latest date an\r\napplication was last scanned for analysis on VirusTotal. The flat line represents the pause between the two Retrohunt\r\njobs.\r\nFigure 3 - Applications Scanned on VirusTotal related to the Obfuscation Service\r\nFigure 3 illustrates that applications related to the obfuscation service are submitted to VirusTotal almost daily, with\r\nthe peak of 216 applications happening on July 24th, 2020.\r\nUncovering the Clientele\r\nLeveraging this dataset, we aimed at digging deeper: are these applications from the same group? We noticed that\r\nspecific files in the /res/values folders of the obfuscated applications leaked information (such as strings.xml and\r\nids.xml files). In these files, the variable names were randomly generated, but specific strings displayed in the\r\napplications were in clear text, as shown in Figure 4. The structure of the ids.xml files also did not change.\r\nFigure 4 - Extract of strings.xml File of an Obfuscated Application\r\nWe leveraged these files, extracting the first strings of characters displayed in the \"strings.xml\" file and evaluating\r\nthe structure of ids.xml files. We then grouped APKs together if they had the same first string in strings.xml or the\r\nsame structure in the ids.xml file or both.\r\nThis yielded seven distinct groups and an eighth group, encompassing all outliers. 
We investigated further by taking\r\na sample of a dozen APKs from each group and analyzed them in apklab.io. Apklab.io is a mobile-threat intelligence\r\nplatform created and maintained by Avast, that displays results of APK dynamic analysis.\r\nIn each group, the dozen APKs analyzed via apklab.io ended up behaving similarly: connecting to the same\r\ndomains or to similar domains (like ccc1ccc.ru and bbb1bbb.ru) and, once the second stage was launched, exposing\r\nsimilar patterns of behavior.\r\nTable 2 briefly presents the results for each group, including the application names (most likely faked), the number\r\nof APKs in each group, and some insights from the dozens of applications investigated. Obviously, we cannot\r\nconfirm that each group found in the sample represents a specific client using the service, but the preliminary\r\nanalysis shows that the service is used by several actors involved in spreading malicious applications related to\r\nmalware. For example, the fourth group represents APKs that connect to the rakason.ru domain, which was found to\r\nbe related to the flexnet malware, and one group of APKs is associated with domains that were linked to another\r\nAndroid Banking Trojan botnet. 
The seven groups could also represent several types of APKs belonging to one\r\nclient.\r\nWhat we can conclude from this analysis is that these APKs do not belong to thousands of clients, but rather to a small\r\nnumber of them (most likely fewer than ten).\r\n| **Group** | **Application Name** | **N. APKs** | **Insights on samples investigated** |\r\n| --- | --- | --- | --- |\r\n| **1** | Flash Player, Instagram Shared | 1,697 | Samples investigated communicated with DNS address static.66.170.99.88.clients.your-server.de via HTTP |\r\n| **2** | Sistem Güncelleştirmesi (System Update) | 416 | Samples investigated connected via HTTP to one of these domains: orucakacdkkaldi.com (104.217.127.209), ba2a.com (108.187.35.84), selammigo34.com (34.91.209.109) and gunaydinmorroc.com (104.217.127.131). |\r\n| **3** | Android Guncelleme (Android Update), Browser Guncellemesi (Browser Update) | 251 | Samples investigated connected via HTTPS to one of these domains: hnoraip.world, kalyanshop.best, dontworryman.club, Placeoftomcat.club. All hosted on IP 46.227.68.99. The domain kalyanshop.best was associated with an [Android Banking Trojan](https://twitter.com/rebensk/status/1269233752397557760). |\r\n| **4** | МОД (много денег) - MOD (a lot of money) | 49 | All the samples communicated with the domain rakason.ru (81.177.139.80) via HTTP. These APKs seem to be related to the [flexnet](https://twitter.com/verovaleros/status/1268244469251543042) malware. |\r\n| **5** | FlashPlayer, Romance Mod, Spotify++ | 115 | Samples investigated connected to ccc1ccc.ru, eee5eee.ru (both hosted on IP 194.58.112.174) and twitter.com via HTTPS. |\r\n| **6** | Flash Player, GoogleGPS, Android Guncellemesi (Android Update), Google Update \u0026 more | 462 | Some APKs did not connect to any domains; others connected via HTTP to 217.8.117.15. |\r\n| **7** | Notification (sms app) | 4 | Samples investigated connected to 142.250.102.188 and myluckycorp.com (107.161.23.204, 209.141.38.71 and 192.161.187.200) |\r\n| | Other | 60 | Various APKs |\r\n| | Install (Android Locker), Swimming Pool (Adware), Spy Mouse (sms stealer) | 3 | *These are the three APKs we submitted to the obfuscation service and uploaded on Virus Total.* |\r\nTable 3 - Obfuscated Applications Grouped\r\nHow efficient is the service?\r\nThen, we assessed the service's efficiency by looking at the rate of detection in VirusTotal. We first compared the\r\noriginal and obfuscated files related to our investigation. The results are shown in Table 5.\r\n| | **Original** | **Obfuscated** |\r\n| --- | --- | --- |\r\n| **Android Locker APK** | 27/65 engines | 16/65 engines |\r\n| **SMS-Stealer APK** | 29/65 engines | 13/65 engines |\r\n| **Adware APK** | 1/65 engine | 10/65 engines |\r\nTable 5 - Antivirus Detections Obfuscated and Non-Obfuscated Files\r\nAs shown in Table 5, the Android Locker and\r\nthe SMS-stealer APKs were detected by 42% and 45% of the antiviruses respectively. Using the obfuscation service\r\ndecreased the detection to 25% and 20% respectively. Thus, the service is efficient at reducing the detection rate\r\nwhen the file is malicious by nearly half. 
On the other hand, the detection rate for the adware APK increased from\r\none to ten.\r\nSeeing an increase in detections for the adware APK raised questions. Thus, to investigate further, we obfuscated an\r\napplication that was absolutely not malicious: the function of the application was to print \"Hello World\". The\r\noriginal application had no detection, but once obfuscated, 8 antiviruses out of 65 flagged it as malicious, even\r\ntagging it as a 'dropper' and a 'banker'. Such findings confirmed that non-malicious applications could see their\r\ndetection rate increase when using the obfuscation service, leading us to hypothesize that the potential clients of the\r\nservice are individuals involved in developing highly malicious applications. We then looked at the applications\r\nfound on VirusTotal and inquired: **are these APKs flagged as malicious as well? **\r\nTurned out that yes, without a doubt!\r\nThey were all flagged as malicious, the minimum number of detections was 8, just like the benign application\r\nabove, and the maximum number of detections was 32. On average, the APKs found on VirusTotal were flagged as\r\nmalicious by 18 antiviruses (with a standard deviation of 4.79). Figure 6 shows the range of detections depending on\r\ngroups.\r\nFigure 6 - Detection Variation by Groups\r\nFigure 6 shows that the average detection rate differed depending on APK groups. To ensure that this finding was\r\nnot just a visual approximation, we computed a series of tests of mean differences and found that there exist\r\nsignificant mean differences in detection rates between each group!\r\nThere are significant differences in detection rates for each APK group, hinting again that these groups could\r\nrepresent different clients.\r\nEstimating Revenue Potential of Maintaining an Obfuscation-as-a-Service Platform\r\nOne of our final tasks was to assess the service potential revenue considering only the applications found on\r\nVirusTotal. 
The obfuscation service offered different price categories. The most expensive option was to obfuscate\r\none file for USD 20. The cheapest option (if one had many applications to obfuscate) allowed unlimited access to\r\nthe service for USD 850 per month. Figure 7 shows the different price bundles offered in Russian.\r\nFigure 7 – Obfuscation-as-a-Service Prices\r\nTo estimate revenues, we followed this strategy: for all groups that have hundreds of scanned APKs scattered\r\nthroughout the period of study, we consider the number of months each group operated and count an API price\r\nbundle of $850 per month. For the remaining groups that have only a few APKs uploaded at different points in time,\r\nwe considered the highest price: USD 20 per APK.\r\n**Following this pricing strategy, we estimate that the operators behind the obfuscation-as-a-service platform would\r\nhave made USD 22,490 for the APKs found on VirusTotal.**\r\nAnother strategy was to create an interval taking into account the highest and the lowest prices. Considering that all\r\nthe applications would have been purchased at the price of USD 20 per APK, then those behind the obfuscation-as-a-service platform would have made USD 61,060. Considering, on the other hand, that all obfuscated applications\r\nwould have been purchased with one API access through six months of operation, then those behind the\r\nobfuscation-as-a-service platform would have made only USD 5,100. The first approximation, USD 22,490, is\r\nsituated closer to the lower bound of the interval and seems to be a better approximation of what the administrators\r\nwould have made because it considers API accesses for APKs grouped together due to their similarities. It is\r\nunlikely that malware authors would pay a full price of USD 20 per APK for each file in these groups. 
Whether this\r\namount can be considered substantive depends on where one is positioned in the world.\r\nMarket Ecosystem\r\nLastly, we wanted to position the obfuscation-as-a-service within its market ecosystem. Using the Sixgill DarkNet\r\nmonitoring tool as well as the Flare.System one, we searched potential competitors leveraging the keyword \"crypt\"\r\n(which was the \"slang\" word used by Geost operators to talk about the service). We found, since January 2020, six\r\npotential competitors, advertising \"APK crypt service\" on different underground forums, as shown in Table 6.\r\nThe prices advertised by each competitor were higher than the service we investigated. Moreover, none of them\r\noffered an automated platform with API access. Instead, they all asked potential clients to contact them via\r\nmessaging applications like Jabber or Telegram.\r\nThese competitors seem to conduct their obfuscations manually, rather than automatically (explaining their higher\r\nprices). This also means that the obfuscation-as-a-service investigated may have had a competitive edge by offering\r\nan \"automated service\".\r\n| **Service or User** | **Forum** | **Date** | **Prices** |\r\n| --- | --- | --- | --- |\r\n| **Competitor 1** | XSS | August 2020 | $30 for 1 APK; $80 for 4 APKs (1 week); $135 for 12 APKs (1 week); $250 for 25 APKs (1 week); $300 for 45 APKs (1 week) |\r\n| **Competitor 2** | XSS Club2crd Dark Market Devil Team CenterClub | January 2020 | $20 for 1 APK; $100 for weekly submission with max 10 APKs/day |\r\n| **Competitor 3** | Club2crd | August 2020 | $100 for 1 APK |\r\n| **Competitor 4** | Hackforums | July 2020 | $25 for 1 APK; $70 for 3 APKs; $99 for 5 APKs |\r\n| **Competitor 5** | Ufolabs | October 2020 | $30 for 1 APK; $150 for 4 APKs (1 week); $350 for 12 APKs (1 week); $550 for 25 APKs (1 week); $1000 for 45 APKs (1 week) |\r\n| **Competitor 6** | SKYNETZONE CHAT telegram group | November 2020 | $150 for 4 APKs (1 week); $350 for 12 APKs (1 week); $550 for 25 APKs (1 week); $1000 for 45 APKs (1 week) |\r\nTable 6 - Obfuscation-as-a-Service Competitors\r\nConclusion\r\nOverall, we conclude that the obfuscation-as-a-service platform provides a medium quality obfuscation service.\r\nIndeed, a lot of work has been put into automating the obfuscation process, yet a few mistakes made it easier to\r\nfingerprint the obfuscation. We also believe that the platform's clientele is formed of individuals developing highly\r\nmalicious applications. Indeed, the service is only efficient at reducing detection for such applications.\r\nCurrently, the platform has been down since late August 2020. Yet, obfuscated APKs with the same obfuscation\r\ntechniques are still being uploaded on VirusTotal as of November 2020. Possibly, the applications scanned by\r\nVirusTotal are applications obfuscated before the platform's shutdown or the operators are still active without the\r\nweb platform.\r\nAs a last note, we hope that this work can be helpful to security analysts and reverse engineers who face obscure\r\napplications every day.\r\n*The hash of each obfuscated APK found on VirusTotal is available on GitHub.*\r\nSource: https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/"
	],
	"report_names": [
		"deep-dive-into-an-obfuscation-as-a-service-for-android-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f50184987c6c38743904cf8eb20eea0fffab3c3c.pdf",
		"text": "https://archive.orkl.eu/f50184987c6c38743904cf8eb20eea0fffab3c3c.txt",
		"img": "https://archive.orkl.eu/f50184987c6c38743904cf8eb20eea0fffab3c3c.jpg"
	}
}