By Egidijus Lileika, Sr. Security Researcher
Welcome to part two of our virtualization series. The goal of this research is to understand the potential for application virtualization to be used as an attack vector. In this research, a dozen virtualization apps were tested for regular use cases and as hacking tools. The Application Protection for Android product was evaluated as a mitigation solution with all of the tested virtualization apps.
Evaluation of Virtualization Apps
This section goes through the most popular open-source and closed-source virtualization apps. Each app is evaluated on usability, ease of compilation or modification, and how well Application Protection for Android can protect against attacks in the virtualized environment. We’ve attempted to list applications that represent all of the different types of virtualization methods. Some apps are more popular than others, and the apps are discussed in rough order from most to least popular.
Open Source
Virtual App
Virtual App is a partially virtualized Android system. The full feature list can be found in the project README.MD. This project was open-source up until 2017, and since then it has not been updated. However, premium customers can still obtain more recent versions of the now closed-source code. There are no prebuilt binaries on GitHub. Compiling the source is challenging and many errors require manual fixing.
The project has many forks. The following fork actually maintains versions of Android that came out after 2017.
Our initial attempts to compile VirtualApp failed, but the project is considered an inspiration for other virtualization projects.
Application Protection for Android guards triggered: Virtualization detection
VirtualXposed
VirtualXposed is another partial Android virtualizer based on the VirtualApp project. Its main feature is that it allows using the Xposed framework on a non-rooted device in a virtualized environment. This project suffers from stability issues. VirtualXposed failed to install the Xposed add-on on both devices used for testing. On one device VirtualXposed even failed to launch the virtualized app. Many other projects try to replicate the VirtualXposed idea.
Application Protection for Android guards triggered: Virtualization detection, Hook detection, Dynamic Instrumentation detection, Root detection, Signature check, and Emulator detection crashes the app.
VirtualApp2022
VirtualApp2022 is inspired by VirtualXposed and based on VirtualApp. It works great on Android 11. In the README.MD, the developer states that they support Xposed plugins.
Application Protection for Android guards triggered: Virtualization detection
Twoyi
Twoyi is an Android system app that virtualizes whole ROM images. By default, it virtualizes Android 8.1.0 with a pre-installed Superuser app. Because Twoyi can virtualize custom ROM images, it could, in theory, be used to virtualize a ROM patched with Magisk, run LSPosed, or run other threat tools.
Application Protection for Android guards triggered: Root detection and Emulator detection
MultiApp
MultiApp works well. It’s difficult to determine the exact virtualization technique MultiApp uses, but it is likely either a partial Android system virtualization or it is virtualizing applications as a host. This project is only partially open-source: the app UI and launcher are open-source, but the main virtualization logic is shipped in precompiled JARs and APKs.
Application Protection for Android guards triggered: Virtualization detection
TaiChi
TaiChi is a VirtualXposed-inspired virtualization app that can use Xposed modules on non-rooted devices. Unfortunately, this project isn’t stable as it failed to install or run virtualized apps on both testing devices.
Application Protection for Android guards triggered: Virtualization detection
VirtualApk, Phantom, and DroidPlugin
VirtualApk, Phantom, and DroidPlugin projects are SDKs that allow users to create host applications that can virtualize target apps inside them. Due to a lack of time, these frameworks were not tested.
Application Protection for Android guards triggered: Virtualization detection
Closed source
Parallel Space, Dual Space, and others
Other:
- https://play.google.com/store/apps/details?id=com.excelliance.multiaccounts&hl=en&gl=US
- https://play.google.com/store/apps/details?id=multi.parallel.dualspace.cloner&hl=en&gl=US
- https://play.google.com/store/apps/details?id=com.cloneapp.parallelspace.dualspace&hl=en&gl=US
- https://play.google.com/store/apps/details?id=com.excelliance.multiaccount&hl=en&gl=US
- https://play.google.com/store/apps/details?id=com.excean.parallelspace&hl=en&gl=US
- https://play.google.com/store/apps/details?id=do.multiple.cloner&hl=en&gl=US
- https://www.apkmirror.com/apk/nox-ltd/noxapp-multiple-accounts-clone-app/
Parallel Space is one of the most popular virtualization apps from the Google Play store. To use Parallel Space with GameGuardian, an unofficial “optimized” version of the Parallel Space app needs to be downloaded from the GameGuardian forum.
GameGuardian optimized versions:
- https://gameguardian.net/forum/files/file/120-parallel-space-32-bit-support-64-bit-support/
- https://gameguardian.net/forum/files/file/213-dualspace-32-bit-support-64-bit-support/
- https://gameguardian.net/forum/files/file/194-virtual-space/
- https://gameguardian.net/forum/files/file/225-octopus-32-bit-support-64-bit-support/
- https://gameguardian.net/forum/files/file/122-go-multiple/
Application Protection for Android guards triggered: Virtualization detection and Dynamic Instrumentation detection (Parallel Space memory tampering detected)
SpaceCore
SpaceCore is a new, partially open-source virtualization app. The virtualization logic is closed-source. The app can’t be compiled from source since the source of the core library is missing. Demo builds are stable and can run most tested apps. The menu contains a placeholder for Xposed Manager, which still isn’t available.
Application Protection for Android guards triggered: Virtualization detection
AppCloner
AppCloner is a repackaging-based virtualizer that repackages the target application under another package name and installs it on the system. The virtualization technique is simple but can’t be used together with other threat tools to tamper with target apps without root access.
Application Protection for Android guards triggered: Virtualization detection
Island
Island is a work profile-based virtualization solution that isolates apps within work profiles. During creation of the Application Protection for Android Virtualization guard, reports stated that Island was used to isolate victim applications from other apps and GameGuardian was used to tamper with application memory undetected.
Application Protection for Android guards triggered: Virtualization detection
Summary
Virtualization is useful for both regular users and threat actors. Many virtualization apps allow threat actors to virtually create a malicious environment on a non-rooted device. Even though there are many open-source projects, the majority of them can’t be easily compiled and modified.
Virtualization is achieved in many different ways, ranging from application repackaging to whole Android system virtualization. All of the virtualization apps that we tested for this paper were detected by the Application Protection for Android product.
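The following is an added example, not code from the original article and not a description of how Application Protection for Android works: a C heuristic that maps the data directory an app receives at runtime onto the virtualization types discussed above (repackaging, work profile, hosting inside another app). The package names and sample paths are constructed, and the nested host layout is an assumption about VirtualApp-style hosts; whole-ROM virtualization such as Twoyi does not show up in the path at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { ENV_NORMAL, ENV_REPACKAGED, ENV_OTHER_USER, ENV_HOSTED, ENV_UNKNOWN } env_t;

/* Classify the data directory the app was given at runtime (on Android,
 * ApplicationInfo.dataDir). expected_pkg is the package name the app was
 * built with. Heuristic only: a secondary user is also a legitimate setup. */
env_t classify_data_dir(const char *dir, const char *expected_pkg)
{
    long user = 0;
    const char *p;

    if (strncmp(dir, "/data/data/", 11) == 0) {
        p = dir + 11;
    } else if (strncmp(dir, "/data/user/", 11) == 0) {
        char *end;
        user = strtol(dir + 11, &end, 10);
        if (end == dir + 11 || *end != '/') return ENV_UNKNOWN;
        p = end + 1;
    } else {
        return ENV_UNKNOWN;
    }
    size_t owner_len = strcspn(p, "/");      /* package that owns the directory */
    const char *rest = p + owner_len;
    while (*rest == '/') rest++;             /* tolerate a trailing slash */
    if (*rest != '\0') return ENV_HOSTED;    /* nested inside another app's dir */
    if (strlen(expected_pkg) != owner_len || strncmp(p, expected_pkg, owner_len) != 0)
        return ENV_REPACKAGED;               /* installed under another name */
    return user != 0 ? ENV_OTHER_USER : ENV_NORMAL;  /* e.g. a work profile */
}

int main(void)
{
    static const char *names[] = { "normal", "repackaged", "other-user", "hosted", "unknown" };
    static const char *samples[] = {         /* constructed paths */
        "/data/user/0/com.example.bank",
        "/data/user/0/com.example.bank.clone1",
        "/data/user/10/com.example.bank",
        "/data/user/0/com.example.host/virtual/data/user/0/com.example.bank",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-70s %s\n", samples[i], names[classify_data_dir(samples[i], "com.example.bank")]);
    return 0;
}
```

A path check like this is only one signal; the guard results listed above show that root, hook, and emulator checks catch environments it cannot see.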
Additional resources
https://github.com/pianpian315/VirtualAndroid/blob/master/Mobile%20Virtualization%20Technologies.pdf
https://github.com/ysrc/AntiVirtualApp
Catch up on part one of the series, which you can find here.