Intrusions with Snowblind involved the injection of a seccomp filter to intercept system calls, as well as a SIGSYS signal handler to direct anti-tampering code to unchanged APK versions allowing the deactivation of several app security features.
Article Link: New Snowblind Android trojan examined | SC Media