By Egidijus Lileika, Sr. Security Researcher
The goal of this research is to understand the potential for application virtualization to be used as an attack vector. In this research, a dozen virtualization apps were tested for regular use cases and as hacking tools. The Application Protection for Android product was evaluated as a mitigation solution with all of the tested virtualization apps. Read on for part one of this series.
Virtualization apps for “normal” end-use
The majority of virtualization apps available to “normal” users are downloadable from the Google Play store. These apps have hundreds of millions of downloads. One of the most popular ones is Parallel Space. The primary target audience for these apps is people who have more than one account in specific apps such as social media apps. Virtualization apps allow end-users to have multiple instances of a single app running at the same time — no need to log out and sign into another account. Some virtualization apps present themselves as privacy-enhancing apps. Apps installed in virtual spaces are often, but not always, isolated from the regular Android system in one way or another.
Virtualization apps as threat actor tools
On the other end of the user spectrum are threat actors, who can use virtualization for different reasons. One of the main benefits of virtualization for them is that the virtualization app’s process is more privileged than the target app it hosts, which allows the virtualization app to interact with the target app freely. In one way or another, virtualization bypasses Android’s security model by creating a more permissive environment inside the virtualization app’s sandbox. Many kinds of virtualization apps provide “fake root” access and hooking services based on hooking frameworks like Xposed. All of this can be achieved on a non-rooted phone — meaning that malicious activity can be performed on verified devices.
Virtualized environments open possibilities for the following malicious activities:
- Cheating in games: Software like GameGuardian running in a virtualized environment can achieve almost everything it could do on a rooted device.
- Hooking: Virtualization software like VirtualXposed allows the injection of Xposed modules in virtualized apps thus changing their behavior. For instance, VirtualXposed could be used to bypass ads on the YouTube app.
- Fake root: Some virtualization apps provide access to fake “super users” in order to run software with escalated privileges. For instance, a fake root could be used to run the Frida server on a non-rooted device.
- Virtual location: The majority of virtualization apps provide location spoofing services. This is particularly useful to bypass geolocation-based verifications or to cheat in games based on geolocation like Pokémon Go.
- Dynamic analysis: Some popular virtualization apps are open-source and can be modified through custom plugins. From within the plugin, users might dynamically instrument virtualized applications, observe application behavior, and capture network traffic.
Figure 1 – Popularity of Respective Virtual Spaces with GameGuardian Users
Virtualization app categories
App virtualization is a broad term. App virtualization can be achieved in many different ways and not necessarily by virtualizing the Android system. App virtualization is a good term for generalizing the idea of running applications in an irregular environment. Following are a few of the many different flavors of App Virtualization:
Work Profile Isolation
Some virtualization apps achieve virtualization by creating a separate work profile and isolating the virtualized app inside it. A work profile is a setup on an Android device that separates “work” apps and data from personal apps and data. The work profile lives in a separate part of the device, isolated from the rest of the system. Isolating an app in a work profile is not necessarily good for that app’s security: a potentially malicious app running in the regular user space with root access probably cannot be detected by it, since an app isolated in a work profile can only see apps that are in the same work profile. For instance, this attack strategy is being abused by game threat actors who run GameGuardian with root privileges on a rooted device while running the target application in the isolated work profile. The Island app, which is freely available on the Google Play store and allows users to clone particular applications, is a good example of “work profile isolation.”
Cloning and repacking
Another kind of virtualization app achieves virtualization by cloning or repackaging the target application. The process is usually straightforward: the target app is copied and its package name is changed to some kind of unique package name. To bypass all kinds of checks and verifications, such virtualization apps inject their own code to patch or hook the methods responsible for package name and signature retrieval, as well as other methods, so that the application believes it is the original app. Since the application ID has changed, the original and the cloned app can coexist on the same Android system. This kind of virtualization is the fastest since there is no virtualization overhead. The AppCloner app is one example of this kind of app; it is also freely available on the Google Play store.
“Application hosts” are another kind of virtualization technique. An application host virtualizes by loading the target application into itself and running it. This is a relatively simple approach to virtualizing an app, but it comes with certain limitations. For instance, such application hosts can usually run only a single instance of the app at a time, or only a very limited number of apps at the same time. Some virtualization technologies that employ this strategy are shipped as SDKs, allowing users to create their own host app for specific apps with specific capabilities. Such SDKs also open possibilities for the use of hooking frameworks and, more generally, for dynamic analysis of applications with instrumentation. VirtualApk and Phantom are notable examples of this virtualization approach.
Whole Android system virtualization
Some virtualization apps virtualize the whole Android system. A few of them can even boot a whole Android system from any ROM (read-only memory) image. This kind of virtualization is the slowest but the most powerful, since the approach literally emulates the entire Android phone. Custom ROM images or files can be patched, customized, rooted with Magisk, etc. There is almost no way for a virtualized application to interact with the outside Android system or to know what is happening there. Virtualization like this can be used to run target applications in a normal-looking virtualized Android system without root access, while the original Android system can be rooted and run additional dynamic analysis software to tamper with the virtualized app. Twoyi is one of the most popular apps that virtualize the whole Android system.
Partial Android runtime virtualization
Last but not least, some virtualization apps achieve partial Android system virtualization. Usually, such virtualization apps recreate the majority of the Android system using proxies and dummy processes. Hooking is a very important part of this technique, since many things need to be intercepted and patched in the communication between the virtualized app’s processes and the rest of the system. This method is also complicated to maintain across different Android versions and different Android device vendors, so such virtualization apps usually suffer from stability issues. However, partial Android runtime virtualization is one of the most powerful virtualization techniques: a well-implemented partial Android runtime virtualization can be completely undetectable. VirtualApp is one of the most famous partial Android runtime virtualizations available.
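As an added illustration (not code from the original post or from any of the products it names), the following hypothetical startup checks show what a protected Android app can compare against its own build-time expectations to spot the cloning/repacking and hosted-app cases described above; the package name and certificate hash are assumed placeholders, and, as the text notes, cloners hook exactly these retrieval methods and a well-implemented partial runtime virtualization can defeat such checks entirely.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical runtime integrity checks; findings are indicators, not proof. */
public final class VirtualizationChecks {
    // Assumed values: the real signing-certificate SHA-256 replaces the placeholder.
    private static final String EXPECTED_PACKAGE = "com.example.protectedapp";
    private static final String EXPECTED_CERT_SHA256 = "<placeholder-sha256-of-signing-cert>";

    /** Returns the indicators that fired; an empty list means none did. */
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();
        // Cloners change the application ID; the compiled-in constant does not change.
        if (!EXPECTED_PACKAGE.equals(ctx.getPackageName())) {
            findings.add("package name mismatch: " + ctx.getPackageName());
        }
        // A natively installed app lives in /data/user/<n>/<pkg> (or /data/data/<pkg>);
        // an app hosted by a virtualization app normally gets a directory inside the
        // host's own private data directory instead.
        String dataDir = ctx.getApplicationInfo().dataDir;
        if (!dataDir.matches("/data/(user/\\d+|data)/" + Pattern.quote(EXPECTED_PACKAGE))) {
            findings.add("unexpected data dir: " + dataDir);
        }
        // Re-signing a repackaged APK changes the certificate; pin its SHA-256 (API 28+).
        try {
            PackageInfo pi = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            for (Signature sig : pi.signingInfo.getApkContentsSigners()) {
                if (!sha256Hex(sig.toByteArray()).equalsIgnoreCase(EXPECTED_CERT_SHA256)) {
                    findings.add("signing certificate mismatch");
                }
            }
        } catch (Exception e) {
            findings.add("signature check failed: " + e);
        }
        return findings;
    }

    private static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Because every value here is read through framework APIs the host app can hook, these checks are most useful as one signal among several rather than as a single gate.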
Can virtualization apps be trusted?
As mentioned before, many virtualization apps in the Google Play store promise increased privacy, leading regular users to believe that virtualization improves their privacy. This claim should be taken with a grain of salt. The fact that the virtualized app is isolated from the rest of the system does increase privacy. However, the virtualization app has more privileges over a virtualized app than any other third-party application installed on the Android system, and there is no guarantee that the virtualization app is not using those privileges to steal the user’s personal information.
The majority of virtualization apps are bloated with ads, and some of them actually inject additional adware code into the virtualized app. There is a nearly infinite number of things that could be injected into the virtualized application without user consent.
Continue the conversation in part two of the blog series, which you can find here.