By Egidijus Lileika, Sr. Security Researcher


Welcome to part two of our virtualization series. The goal of this research is to understand the potential for application virtualization to be used as an attack vector. In this research, a dozen virtualization apps were tested for regular use cases and as hacking tools. The Application Protection for Android product was evaluated as a mitigation solution with all of the tested virtualization apps.

Evaluation of Virtualization Apps

This section goes through the most popular open-source and closed-source virtualization apps. Each app is evaluated on usability, ease of compilation or modification, and how well Application Protection for Android can protect against attacks in the virtualized environment. We’ve attempted to list applications that represent all of the different types of virtualization methods. Some apps are more popular than others, and the apps are discussed in rough order from most to least popular.

Open Source

Virtual App

Virtual App is a partially virtualized Android system. The full feature list can be found in project README.MD. This project was open-sourced up until 2017, and since then it has not been updated. However, premium customers can still obtain more recent versions now-closed source code. There are no prebuilt binaries in Github. Compiling the source is challenging and many errors require manual fixing.

The project has many forks. The following fork actually maintains versions of Android that came out after 2017.

Our initial attempts to compile VirtualApp failed, but the project is considered an inspiration for other virtualization projects.

Application Protection for Android guards triggered: Virtualization detection


The VirtualXposed is another partial Android virtualize based on the VirtualApp project. VirtualXposed main feature is that it allows using the Xposed framework on a non-rooted device in a virtualized environment. This project is suffering from stability issues. VirtualXposed failed to install the Xposed add on both devices used for testing. On one device VirtualXposed even failed to launch the virtualized app. Many other projects try to replicate VirtualXposed idea.

Application Protection for Android guards triggered: Virtualization detection, Hook detection, Dynamic Instrumentation detection, Root detection, Signature check, and Emulator detection crashes the app.


VirtualApp2022 is inspired by VirtualXposed and based on VirtualApp. Works great on Android 11. In the README.MD developer states that they support Xposed plugins.

Application Protection for Android guards triggered: Virtualization detection


Twoyi is an Android system app that virtualizes whole ROM images. By default, it virtualizes Android 8.1.0 with a pre-installed Superuser app. Because Twoyi can virtualize custom ROM images it could, in theory, be used to virtualize ROM patched with Magisk, run LSPosed, or run other threat tools.

Application Protection for Android guards triggered: Root detection and Emulator detection


MultiApp works well. It’s difficult to determine the exact virtualization technique MultiApp uses but it is likely either a partial Android system virtualization or it is virtualizing applications as a host. This project is only partially open- The app UI and launcher are open-source, but the main virtualization logic is shipped in precompiled JARs and APKs.

Application Protection for Android guards triggered: Virtualization detection


TaiChi is a VirtualXposed-inspired virtualization app that can use Xposed modules on non-rooted devices. Unfortunately, this project isn’t stable as it failed to install or run virtualized apps on both testing devices.

Application Protection for Android guards triggered: Virtual Detection

VirtualApk, Phantom, and DroidPlugin

VirtualApk, Phantom, and DroidPlugin projects are SDKs that allow users to create host applications that can virtualize target apps inside them. Due to a lack of time, these frameworks were not tested.

Application Protection for Android guards triggered: – Virtualization detection

Closed source

Parallel Space, Dual Space, and other



One of the most popular virtualization apps from the Google Play store. To use Parallel Space with GameGuardian, an unofficial “optimized“ version of the Parallel Space app needs to be downloaded from the GameGuardian forum.

GameGuardian optimized versions:


Application Protection for Android guards triggered: Virtualization detection and Dynamic Instrumentation detection (Parallel Space memory tampering detected)


SpaceCore is a new partially open-sourced virtualization app. Virtualization logic is closed-sourced. The app can’t be compiled from the source since it is missing the source of the core library. Demo builds are stable and can run most tested apps. The menu contains a placeholder for Xposed Manager which still isn’t available.

Application Protection for Android guards triggered: Virtualization detection


AppCloner is a repackaging-based virtualize that repackages target application under another package name and installs it on the system. The virtualization technique is simple but can’t be used together with other threat tools to tamper target apps without root access.

Application Protection for Android guards triggered: Virtualization detection


Island is a work profile-based virtualization solution that isolates apps within work profiles. During Application Protection for Android Virtualization, guard creation reports stated that Island was used to isolate victim applications from other apps and GameGuardian was used to tamper application memory undetected.

Application Protection for Android guards triggered: Virtualization detection


Virtualization is useful for both regular users and threat actors. Many virtualization apps allow threat actors to virtually create a malicious environment on a non-rooted device. Even though there are many open-source projects, the majority of them can’t be easily compiled and modified.

Virtualization is achieved in many different ways, starting from application repackaging to the whole Android system virtualization. All of the virtualization apps that we tested for this paper were detected by the Application Protection for Android product.

Additional resources

Are you ready to scale your enterprise?


What's New In The World of

March 28, 2024 and FS-ISAC: Forging a Safer Future in Financial Services

Exciting news: is now a proud affiliate of FS-ISAC, fortifying financial cybersecurity!

Learn More
March 20, 2024

Exploring Reverse Engineering: Benefits, Misuse, and the Role of Application Hardening

Uncover the world of reverse engineering: its benefits, potential misuse, and the role of application hardening in thwarting threats.

Learn More
March 14, 2024

Worship at the Steve Jobs Cathedral or Embrace the EU’s Bazaar: How to Navigate the Digital Marketplace Act

Explore the impact of the Digital Marketplace Act on app security and consumer choice, and get advice for enterprises navigating the evolving landscape.

Learn More