Intro to the World of Virtualization – Part II

By Egidijus Lileika, Sr. Security Researcher

 

Welcome to part two of our virtualization series. The goal of this research is to understand the potential for application virtualization to be used as an attack vector. In this research, a dozen virtualization apps were tested for regular use cases and as hacking tools. The Application Protection for Android product was evaluated as a mitigation solution with all of the tested virtualization apps.

Evaluation of Virtualization Apps

This section goes through the most popular open-source and closed-source virtualization apps. Each app is evaluated on usability, ease of compilation or modification, and how well Application Protection for Android can protect against attacks in the virtualized environment. We’ve attempted to list applications that represent all of the different types of virtualization methods. Some apps are more popular than others, and the apps are discussed in rough order from most to least popular.

Open Source

Virtual App

Virtual App is a partially virtualized Android system. The full feature list can be found in project README.MD. This project was open-sourced up until 2017, and since then it has not been updated. However, premium customers can still obtain more recent versions now-closed source code. There are no prebuilt binaries in Github. Compiling the source is challenging and many errors require manual fixing.

The project has many forks. The following fork actually maintains versions of Android that came out after 2017.

Our initial attempts to compile VirtualApp failed, but the project is considered an inspiration for other virtualization projects.

Application Protection for Android guards triggered: Virtualization detection

VirtualXposed

The VirtualXposed is another partial Android virtualize based on the VirtualApp project. VirtualXposed main feature is that it allows using the Xposed framework on a non-rooted device in a virtualized environment. This project is suffering from stability issues. VirtualXposed failed to install the Xposed add on both devices used for testing. On one device VirtualXposed even failed to launch the virtualized app. Many other projects try to replicate VirtualXposed idea.

Application Protection for Android guards triggered: Virtualization detection, Hook detection, Dynamic Instrumentation detection, Root detection, Signature check, and Emulator detection crashes the app.

VirtualApp2022

VirtualApp2022 is inspired by VirtualXposed and based on VirtualApp. Works great on Android 11. In the README.MD developer states that they support Xposed plugins.

Application Protection for Android guards triggered: Virtualization detection

Twoyi

Twoyi is an Android system app that virtualizes whole ROM images. By default, it virtualizes Android 8.1.0 with a pre-installed Superuser app. Because Twoyi can virtualize custom ROM images it could, in theory, be used to virtualize ROM patched with Magisk, run LSPosed, or run other threat tools.

Application Protection for Android guards triggered: Root detection and Emulator detection

MultiApp

MultiApp works well. It’s difficult to determine the exact virtualization technique MultiApp uses but it is likely either a partial Android system virtualization or it is virtualizing applications as a host. This project is only partially open- The app UI and launcher are open-source, but the main virtualization logic is shipped in precompiled JARs and APKs.

Application Protection for Android guards triggered: Virtualization detection

TaiChi

TaiChi is a VirtualXposed-inspired virtualization app that can use Xposed modules on non-rooted devices. Unfortunately, this project isn’t stable as it failed to install or run virtualized apps on both testing devices.

Application Protection for Android guards triggered: Virtual Detection

VirtualApk, Phantom, and DroidPlugin

VirtualApk, Phantom, and DroidPlugin projects are SDKs that allow users to create host applications that can virtualize target apps inside them. Due to a lack of time, these frameworks were not tested.

Application Protection for Android guards triggered: – Virtualization detection

Closed source

Parallel Space, Dual Space, and other

Other:

• https://play.google.com/store/apps/details?id=com.excelliance.multiaccounts&hl=en&gl=US
• https://play.google.com/store/apps/details?id=multi.parallel.dualspace.cloner&hl=en&gl=US
• https://play.google.com/store/apps/details?id=com.cloneapp.parallelspace.dualspace&hl=en&gl=US
• https://play.google.com/store/apps/details?id=com.excelliance.multiaccount&hl=en&gl=US
• https://play.google.com/store/apps/details?id=com.excean.parallelspace&hl=en&gl=US
• https://play.google.com/store/apps/details?id=do.multiple.cloner&hl=en&gl=US
• https://www.apkmirror.com/apk/nox-ltd/noxapp-multiple-accounts-clone-app/

One of the most popular virtualization apps from the Google Play store. To use Parallel Space with GameGuardian, an unofficial “optimized“ version of the Parallel Space app needs to be downloaded from the GameGuardian forum.

GameGuardian optimized versions:

• https://gameguardian.net/forum/files/file/120-parallel-space-32-bit-support-64-bit-support/
• https://gameguardian.net/forum/files/file/213-dualspace-32-bit-support-64-bit-support/
• https://gameguardian.net/forum/files/file/194-virtual-space/
• https://gameguardian.net/forum/files/file/225-octopus-32-bit-support-64-bit-support/
• https://gameguardian.net/forum/files/file/122-go-multiple/

Application Protection for Android guards triggered: Virtualization detection and Dynamic Instrumentation detection (Parallel Space memory tampering detected)

SpaceCore

SpaceCore is a new partially open-sourced virtualization app. Virtualization logic is closed-sourced. The app can’t be compiled from the source since it is missing the source of the core library. Demo builds are stable and can run most tested apps. The menu contains a placeholder for Xposed Manager which still isn’t available.

Application Protection for Android guards triggered: Virtualization detection

AppCloner

AppCloner is a repackaging-based virtualize that repackages target application under another package name and installs it on the system. The virtualization technique is simple but can’t be used together with other threat tools to tamper target apps without root access.

Application Protection for Android guards triggered: Virtualization detection

Island

Island is a work profile-based virtualization solution that isolates apps within work profiles. During Application Protection for Android Virtualization, guard creation reports stated that Island was used to isolate victim applications from other apps and GameGuardian was used to tamper application memory undetected.

Application Protection for Android guards triggered: Virtualization detection

Summary

Virtualization is useful for both regular users and threat actors. Many virtualization apps allow threat actors to virtually create a malicious environment on a non-rooted device. Even though there are many open-source projects, the majority of them can’t be easily compiled and modified.

Virtualization is achieved in many different ways, starting from application repackaging to the whole Android system virtualization. All of the virtualization apps that we tested for this paper were detected by the Application Protection for Android product.

Additional resources

https://github.com/pianpian315/VirtualAndroid/blob/master/Mobile%20Virtualization%20Technologies.pdf

https://github.com/ysrc/AntiVirtualApp