By Egidijus Lileika, Sr. Security Researcher
Welcome to part two of our virtualization series. The goal of this research is to understand the potential for application virtualization to be used as an attack vector. In this research, a dozen virtualization apps were tested for regular use cases and as hacking tools. The Application Protection for Android product was evaluated as a mitigation solution with all of the tested virtualization apps.
Evaluation of Virtualization Apps
This section goes through the most popular open-source and closed-source virtualization apps. Each app is evaluated on usability, ease of compilation or modification, and how well Application Protection for Android can protect against attacks in the virtualized environment. We’ve attempted to list applications that represent all of the different types of virtualization methods. Some apps are more popular than others, and the apps are discussed in rough order from most to least popular.
Open Source
Virtual App
Virtual App is a partially virtualized Android system. The full feature list can be found in the project README.MD. This project was open-sourced up until 2017, and since then it has not been updated. However, premium customers can still obtain more recent versions of the now-closed source code. There are no prebuilt binaries on GitHub. Compiling the source is challenging, and many errors require manual fixing.
The project has many forks. The following fork actually maintains support for Android versions released after 2017.
Our initial attempts to compile VirtualApp failed, but the project is considered an inspiration for other virtualization projects.
Application Protection for Android guards triggered: Virtualization detection
VirtualXposed
VirtualXposed is another partial Android virtualizer based on the VirtualApp project. VirtualXposed’s main feature is that it allows using the Xposed framework on a non-rooted device in a virtualized environment. This project suffers from stability issues. VirtualXposed failed to install the Xposed add-on on both devices used for testing. On one device VirtualXposed even failed to launch the virtualized app. Many other projects try to replicate the VirtualXposed idea.
Application Protection for Android guards triggered: Virtualization detection, Hook detection, Dynamic Instrumentation detection, Root detection, Signature check, and Emulator detection crashes the app.
VirtualApp2022
VirtualApp2022 is inspired by VirtualXposed and based on VirtualApp. It works great on Android 11. In the README.MD the developer states that Xposed plugins are supported.
Application Protection for Android guards triggered: Virtualization detection
Twoyi
Twoyi is an Android system app that virtualizes whole ROM images. By default, it virtualizes Android 8.1.0 with a pre-installed Superuser app. Because Twoyi can virtualize custom ROM images, it could, in theory, be used to virtualize a ROM patched with Magisk, run LSPosed, or run other threat tools.
Application Protection for Android guards triggered: Root detection and Emulator detection
MultiApp
MultiApp works well. It’s difficult to determine the exact virtualization technique MultiApp uses, but it is likely either a partial Android system virtualization or a host application virtualizing the target apps inside itself. This project is only partially open-source: the app UI and launcher are open-source, but the main virtualization logic is shipped in precompiled JARs and APKs.
Application Protection for Android guards triggered: Virtualization detection
TaiChi
TaiChi is a VirtualXposed-inspired virtualization app that can use Xposed modules on non-rooted devices. Unfortunately, this project isn’t stable as it failed to install or run virtualized apps on both testing devices.
Application Protection for Android guards triggered: Virtualization detection
VirtualApk, Phantom, and DroidPlugin
VirtualApk, Phantom, and DroidPlugin projects are SDKs that allow users to create host applications that can virtualize target apps inside them. Due to a lack of time, these frameworks were not tested.
Application Protection for Android guards triggered: Virtualization detection
Closed source
Parallel Space, Dual Space, and others
Parallel Space is one of the most popular virtualization apps on the Google Play store. To use Parallel Space with GameGuardian, an unofficial “optimized” version of the Parallel Space app needs to be downloaded from the GameGuardian forum.
Other apps of the same kind:
- https://play.google.com/store/apps/details?id=com.excelliance.multiaccounts&hl=en&gl=US
- https://play.google.com/store/apps/details?id=multi.parallel.dualspace.cloner&hl=en&gl=US
- https://play.google.com/store/apps/details?id=com.cloneapp.parallelspace.dualspace&hl=en&gl=US
- https://play.google.com/store/apps/details?id=com.excelliance.multiaccount&hl=en&gl=US
- https://play.google.com/store/apps/details?id=com.excean.parallelspace&hl=en&gl=US
- https://play.google.com/store/apps/details?id=do.multiple.cloner&hl=en&gl=US
- https://www.apkmirror.com/apk/nox-ltd/noxapp-multiple-accounts-clone-app/
GameGuardian optimized versions:
- https://gameguardian.net/forum/files/file/120-parallel-space-32-bit-support-64-bit-support/
- https://gameguardian.net/forum/files/file/213-dualspace-32-bit-support-64-bit-support/
- https://gameguardian.net/forum/files/file/194-virtual-space/
- https://gameguardian.net/forum/files/file/225-octopus-32-bit-support-64-bit-support/
- https://gameguardian.net/forum/files/file/122-go-multiple/
Application Protection for Android guards triggered: Virtualization detection and Dynamic Instrumentation detection (Parallel Space memory tampering detected)
SpaceCore
SpaceCore is a new, partially open-sourced virtualization app. The virtualization logic is closed-source. The app can’t be compiled from source since the source of the core library is missing. Demo builds are stable and can run most tested apps. The menu contains a placeholder for an Xposed Manager, which still isn’t available.
Application Protection for Android guards triggered: Virtualization detection
AppCloner
AppCloner is a repackaging-based virtualizer: it repackages the target application under another package name and installs it on the system. The virtualization technique is simple, but it can’t be used together with other threat tools to tamper with target apps without root access.
Application Protection for Android guards triggered: Virtualization detection
Island
Island is a work profile-based virtualization solution that isolates apps within work profiles. While the Application Protection for Android Virtualization guard was being developed, reports stated that Island was used to isolate victim applications from other apps, and GameGuardian was used to tamper with application memory undetected.
Application Protection for Android guards triggered: Virtualization detection
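To make the repackaging case (AppCloner), the host-app virtualization case (VirtualApp, Parallel Space and similar) and the work-profile case (Island) concrete, here is an added Java example of the kind of self-check an app can run at startup. It was written for this article; it is not the Application Protection for Android guards and not code from any of the projects listed above. It assumes Android API 28 or newer (for `SigningInfo.getApkContentsSigners`), and `EXPECTED_PACKAGE` and `EXPECTED_CERT_SHA256` are placeholder values that a real build would pin to its release identity.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Process;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

/**
 * Heuristic environment checks, written as an illustration for this article.
 * Each finding maps to one of the environments surveyed: repackaging,
 * host-app virtualization, or work-profile isolation.
 */
public final class EnvironmentChecks {

    // Assumed (placeholder) release identity of the protected app.
    static final String EXPECTED_PACKAGE = "com.example.protectedapp";
    static final String EXPECTED_CERT_SHA256 = "PLACEHOLDER_RELEASE_CERT_SHA256";

    // Android assigns each user (including work profiles) a uid range of 100000.
    private static final int PER_USER_RANGE = 100_000;

    /** Returns a list of findings; an empty list means no heuristic fired. */
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();

        // 1. Repackaging (AppCloner style): the package name or the signing certificate
        //    differs from the identity the release build was shipped with.
        String pkg = ctx.getPackageName();
        if (!EXPECTED_PACKAGE.equals(pkg)) {
            findings.add("repackaged: running as " + pkg);
        }
        String cert = signingCertSha256(ctx);
        if (cert != null && !EXPECTED_CERT_SHA256.equalsIgnoreCase(cert)) {
            findings.add("resigned: signing certificate " + cert);
        }

        // 2. Host-app virtualization (VirtualApp, Parallel Space style): the process's
        //    private data directory and the APKs mapped into memory belong to the host.
        ApplicationInfo ai = ctx.getApplicationInfo();
        if (ai.dataDir != null && !ai.dataDir.contains(EXPECTED_PACKAGE)) {
            findings.add("data dir owned by another package: " + ai.dataDir);
        }
        for (String apk : foreignApksInProcess()) {
            findings.add("foreign APK mapped into process: " + apk);
        }

        // 3. Work-profile isolation (Island style): the process runs under a secondary
        //    Android user, which is how work profiles are implemented.
        int userId = Process.myUid() / PER_USER_RANGE;
        if (userId != 0) {
            findings.add("running under Android user " + userId + " (work profile or secondary user)");
        }
        return findings;
    }

    /** Hex SHA-256 of the first APK signer certificate, or null if it cannot be read. */
    static String signingCertSha256(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            if (pi.signingInfo == null) return null;
            Signature[] signers = pi.signingInfo.getApkContentsSigners();
            if (signers.length == 0) return null;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return null;
        }
    }

    /** Paths of .apk files mapped into this process that are neither ours nor system images. */
    static List<String> foreignApksInProcess() {
        List<String> foreign = new ArrayList<>();
        // /proc/self/maps lines end with the mapped file path, e.g. ".../base.apk".
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int idx = line.indexOf('/');
                if (idx < 0) continue;
                String path = line.substring(idx);
                boolean systemImage = path.startsWith("/system/") || path.startsWith("/apex/")
                        || path.startsWith("/vendor/") || path.startsWith("/product/");
                if (path.endsWith(".apk") && !systemImage
                        && !path.contains(EXPECTED_PACKAGE) && !foreign.contains(path)) {
                    foreign.add(path);
                }
            }
        } catch (IOException ignored) {
            // A process can normally read its own maps; treat failure as "no finding".
        }
        return foreign;
    }
}
```

Each check on its own is a heuristic, not proof: a legitimately installed app under a secondary user also has a non-zero user id, and a virtualization host can intercept `getPackageName` or file reads. The value of combining them, as the product's guard list above suggests, is that a virtualizer has to hide consistently from several independent sources (package manager, file system, uid) rather than from one.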
Summary
Virtualization is useful for both regular users and threat actors. Many virtualization apps allow threat actors to virtually create a malicious environment on a non-rooted device. Even though there are many open-source projects, the majority of them can’t be easily compiled and modified.
Virtualization is achieved in many different ways, ranging from application repackaging to whole Android system virtualization. All of the virtualization apps that we tested for this paper were detected by the Application Protection for Android product.
Additional resources
https://github.com/pianpian315/VirtualAndroid/blob/master/Mobile%20Virtualization%20Technologies.pdf
https://github.com/ysrc/AntiVirtualApp
Catch up on part one of the series, which you can find here.