In 2019, I looked into Geost, an Android trojan with interesting layers of obfuscation. This entry serves to show how its obfuscation method has evolved by comparing my findings from 2019 with new samples from 2020. It is also part of a larger research endeavor done with Masarah Paquet-Clouston, Maria Jose Erquiaga, and Sebastian Garcia.
Our joint investigation started with researchers looking into the activity of an Android trojan botnet. They discovered that the adversary group was in fact using an external service for APK obfuscation that had not been observed before. They then examined this service to understand its usage and uncover its clients. We share the findings from our joint investigation in a paper and three blog entries.
Source: Trend Micro