Introduction
The goal of this research is to understand the potential for application virtualization to be used as an attack vector. In this research, a dozen virtualization apps were tested for regular use cases and as hacking tools. The Application Protection for Android product was evaluated as a mitigation solution with all of the tested virtualization apps.
Virtualization Apps for “Normal” Use
The majority of virtualization apps available to “normal” users are downloadable from the Google Play store. These apps have hundreds of millions of downloads. One of the most popular ones is Parallel Space. The primary target audience for these apps is people who have more than one account in specific apps such as social media apps. Virtualization apps allow end-users to have multiple instances of a single app running at the same time -- no need to log out and sign into another account. Some virtualization apps present themselves as privacy-enhancing apps. Apps installed in virtual spaces are often – but not always -- isolated from the regular Android system in one way or another.
Virtualization Apps as Hacker Tools
On the other end of the user spectrum are hackers. Virtualization can be utilized for different reasons. One of the main benefits of virtualization is that virtualized apps have more privileged processes than targeted apps, thus allowing the virtualization app to interact with the target app freely. Virtualization, one way or another, bypasses Android’s security model by creating a more permissive environment in the virtualization app sandbox. Many kinds of virtualization apps provide “fake root“ access and hooking services provided by hooking frameworks like Xposed. And all of this can be achieved on a non-rooted phone -- meaning that malicious activity can be performed on verified devices.
Virtualized environments open possibilities for the following malicious activities:
- Cheating in games -- software like GameGuardian running in a virtualized environment can achieve almost everything it could do on a rooted device.
- Hooking -- virtualization software like VirtualXposed allows the injection of Xposed modules in virtualized apps thus changing their behavior. For instance, VirtualXposed could be used to bypass ads on the YouTube app.
- Fake root -- some virtualization apps provide access to fake “super users“ in order to run software with escalated privileges. For instance, a fake root could be used to run the Frida server on a non-rooted device.
- Virtual location -- the majority of virtualization apps provide location spoofing services. This is particularly useful to bypass geolocation-based verifications or to cheat in games based on geolocation like Pokémon Go.
- Dynamic analysis -- some popular virtualization apps are open-source and can be modified through custom plugins. From within the plugin, users might dynamically instrument virtualized applications, observe application behavior, and capture network traffic.
Virtualization App Categories
App virtualization is a broad term. App virtualization can be achieved in many different ways and not necessarily by virtualizing the Android system. App virtualization is a good term for generalizing the idea of running applications in an irregular environment. Following are a few of the many different flavors of App Virtualization:
Work Profile Isolation
Some of the virtualization apps achieve virtualization by creating a separate work profile and isolating the virtualized app inside it. A work profile is a set up on an Android device to separate “work” apps and data from personal apps and data. The work profile lives on a separate part of the device isolated from the rest of the system. Isolating an app with a work profile is not necessarily good as a potentially malicious app running in regular user space, with root access, probably can’t be detected since the work profile isolated app can only see apps that are in the same work profile. For instance, such an attack strategy is being abused by game hackers that use GameGuardian on a rooted device with root privileges and run the target application in the isolated work profile. "The Island app is an application that is freely available on the Google Play store and allows users to clone particular applications. The Island app is also a good example of “work profile isolation”."
Cloning and Repacking
Another kind of virtualization app achieves virtualization by cloning or repackaging the target application. Usually, the process is straightforward. As a baseline, these apps are getting copied and their package name gets modified to some kind of unique package name. To bypass all kinds of checks and verifications, such virtualization apps inject their own code to patch or hook methods that are responsible for package name and signature retrieval, and other methods to make the application believe that it is the original app. Since the application ID has changed, both the original and cloned app can coexist on the same Android system. That kind of virtualization is the fastest since there is no virtualization overhead. The AppCloner app is one example of this kind of app. AppCloner is also freely available on the Google Play store.
Application Hosts
“Application hosts” are another kind of virtualization technique. Application hosts virtualize by loading the target application into itself and running it. This is a relatively simple approach to virtualizing an app, but it comes with certain limitations. For instance, such Application hosts can usually only run a single instance of the app at a time, or a very limited number of apps at the same time. Some virtualization technologies that employ such a strategy are shipped as SDKs allowing the user to create their own host app for specific apps with specific capabilities. Such SDKs also open possibilities for use of hooking frameworks and just in general application dynamic analysis with instrumentation. VirtualApk and Phantom are notable examples of such a virtualization approach.
Whole Android System Virtualization
Some virtualization apps are virtualizing the whole Android system. A few of them are even booting the whole Android system from any ROM (Read-only memory) image. This kind of virtualization is the slowest but the most powerful one since this approach literally emulates the entire Android phone. Custom ROM images or files can be patched, customized, rooted with Magisk, etc. There is almost no way for a virtualized application to interact with the outside Android system and know what is happening there. Virtualization like this can be used to run target applications in normal looking virtualized Android systems without root access, however, the original Android system could be rooted and run additional dynamic analysis software to tamper with virtualized app. Twoyi is one of the most popular apps that virtualize the whole Android system.
Partial Android Runtime Virtualization
Last but not least, some virtualization apps achieve partial Android system virtualization. Usually, such virtualization apps recreate the majority of the Android system using proxies and dummy processes. Hooking is a very important part of such virtualization techniques since many things need to be intercepted and patched during communication between virtualized app processes and the rest of the system. Also, this method is complicated to maintain between different Android versions and across different Android device vendors. Usually, such a virtualization approach suffers from stability issues. However, the partial Android runtime virtualization technique is one of the most powerful virtualization techniques: A well implemented partial Android runtime virtualization can be completely undetectable. VirtualApp is one of the most famous partial android runtime virtualizations available.
Can Virtualization Apps be Trusted?
As mentioned before, the many virtualization apps in the Google Play store promise to increase privacy to make regular users believe that virtualization improves user privacy. This claim should be taken with a grain of salt. The fact that the virtualized app is isolated from the rest of the system increases privacy. However, the virtualization app has more privileges over virtualized app than any other third-party application installed on the Android system. There is no guarantee that the virtualization app is not using those privileges to steal the users’ personal information.
The majority of virtualization apps are bloated with ads. Some of them actually inject additional adware code into the virtualized app. There are a nearly infinite number of things that could be injected into the virtualized application without user consent.
Also, the usage of virtualization software might be against the terms of use of the virtualized application, meaning use of virtualization software could lead to an account ban.
Evaluation of Virtualization Apps
This section goes through the most popular open-source and closed-source virtualization apps. Each app is evaluated on usability, ease of compilation or modification, and how well Application Protection for Android can protect against attacks in the virtualized environment. We’ve attempted to list applications that represent all of the different types of virtualization methods. Some apps are more popular than others, and the apps are discussed in rough order from most to least popular.
Open-source:
VirtualApp
https://github.com/asLody/VirtualApp
This is a partially virtualized Android system. The full feature list can be found in project README.MD. This project was open-sourced up until 2017, and since then it has not been updated. However, premium customers can still obtain more recent versions now-closed source code. There are no prebuilt binaries in Github. Compiling the source is challenging and many errors require manual fixing. The project has many forks. The following fork actually maintains versions of Android that came out after 2017:
https://github.com/ServenScorpion/VirtualApp
Our initial attempts to compile VirtualApp failed, but the project is a considered an inspiration for other virtualization projects. Application Protection for Android guards triggered: Virtualization detection
VirtualXposed
https://github.com/android-hacker/VirtualXposed
The VirtualXposed is another partial Android virtualize based on the VirtualApp project. VirtualXposed main feature is that it allows using the Xposed framework on a non-rooted device in a virtualized environment. This project is suffering from stability issues. VirtualXposed failed to install the Xposed add on both devices used for testing. On one device VirtualXposed even failed to launch the virtualized app. Many other projects try to replicate VirtualXposed idea.
Application Protection for Android guards triggered: Virtualization detection, Hook detection, Dynamic Instrumentation detection, Root detection, Signature check, and Emulator detection crashes the app.
VirtualApp2022
https://github.com/justin0kg/VirtualApp2022
Inspired by the VirtualXposed and based on VirtualApp. Works great on Android 11. In the README.MD developer states that they support Xposed plugins.
Application Protection for Android guards triggered: Virtualization detection
Twoyi
https://github.com/twoyi/twoyi
Twoyi is an Android system app that virtualizes whole ROM images. By default, it virtualizes Android 8.1.0 with a pre-installed Superuser app. Because Twoyi can virtualize custom ROM images it could, in theory, be used to virtualize ROM patched with Magisk, run LSPosed, or run other threat tools.
Application Protection for Android guards triggered: Root detection and Emulator detection
MultiApp
https://github.com/WaxMoon/MultiApp
MultiApp works well. It’s difficult to determine the exact virtualization technique multiapp uses but it is likely either a partial Android system virtualization or it is virtualizing applications as a host. This project is only partially open- The app UI and launcher are open-source, but the main virtualization logic is shipped in precompiled JARs and APKs.
Application Protection for Android guards triggered: Virtualization detection
TaiChi
https://github.com/taichi-framework/TaiChi
VirtualXposed inspired virtualization app that can use Xposed modules on non rooted devices. Unfortunately, this project isn’t stable as it failed to install or run virtualized apps on both testing devices.
Application Protection for Android guards triggered: Virtual Detection
VirtualApk, Phantom, and DroidPlugin
https://github.com/didi/VirtualAPK
https://github.com/ManbangGroup/Phantom
https://github.com/DroidPluginTeam/DroidPlugin
VirtualApk, Phantom, and DroidPlugin projects are SDKs that allow users to create host applications that can virtualize target apps inside them. Due to a lack of time, these frameworks were not tested.
Application Protection for Android guards triggered: - Virtualization detection
Closed-source:
Parallel Space, Dual Space, and other
https://play.google.com/store/apps/details?id=com.lbe.parallel.intl
https://play.google.com/store/apps/details?id=com.ludashi.dualspace&hl=en&gl=US
https://play.google.com/store/apps/details?id=com.excelliance.multiaccounts&hl=en&gl=US
https://play.google.com/store/apps/details?id=multi.parallel.dualspace.cloner&hl=en&gl=US
https://play.google.com/store/apps/details?id=com.cloneapp.parallelspace.dualspace&hl=en&gl=US
https://play.google.com/store/apps/details?id=com.excelliance.multiaccount&hl=en&gl=US
https://play.google.com/store/apps/details?id=com.excean.parallelspace&hl=en&gl=US
https://play.google.com/store/apps/details?id=do.multiple.cloner&hl=en&gl=US
https://www.apkmirror.com/apk/nox-ltd/noxapp-multiple-accounts-clone-app/
One of the most popular virtualization apps from the Google Play store. To use Parallel Space with GameGuardian, an unofficial “optimized“ version of the Parallel Space app needs to be downloaded from the GameGuardian forum.
GameGuardian optimized versions:
https://gameguardian.net/forum/files/file/120-parallel-space-32-bit-support-64-bit-support/
https://gameguardian.net/forum/files/file/213-dualspace-32-bit-support-64-bit-support/
https://gameguardian.net/forum/files/file/194-virtual-space/
https://gameguardian.net/forum/files/file/225-octopus-32-bit-support-64-bit-support/
https://gameguardian.net/forum/files/file/122-go-multiple/
Application Protection for Android guards triggered: Virtualization detection and Dynamic Instrumentation detection (Parallel Space memory tampering detected)
SpaceCore
https://github.com/FSpaceCore/SpaceCore
SpaceCore is a new partially open-sourced virtualization app. Virtualization logic is closed-sourced. The app can’t be compiled from the source since it is missing the source of the core library. Demo builds are stable and can run most tested apps. The menu contains a placeholder for Xposed Manager which still isn’t available.
Application Protection for Android guards triggered: Virtualization detection
AppCloner
AppCloner is a repackaging based virtualize that repackages target application under another package name and installs it on the system. The virtualization technique is simple but can’t be used together with other threat tools to tamper target apps without root access.
Application Protection for Android guards triggered: Virtualization detection
Island
https://play.google.com/store/apps/details?id=com.oasisfeng.island&hl=en&gl=US&pli=1
Island is a work profile-based virtualization solution that isolates apps within work profiles. During Application Protection for Android Virtualization guard creation reports stated that Island was used to isolate victim applications from other apps and GameGuardian was used to tamper application memory undetected.
Application Protection for Android guards triggered: Virtualization detection
Summary
Virtualization is useful for both regular users and hackers. Many virtualization apps allow hackers to virtually create a malicious environment on a non-rooted device. Even though there are many open-source projects, the majority of them can’t be easily compiled and modified.
Virtualization is achieved in many different ways, starting from application repackaging to whole Android system virtualization. All of the virtualization apps that we tested for this paper were detected by the Application Protection for Android product.
Additional Resources
About Digital.ai
Digital.ai is an industry-leading technology company dedicated to helping Global 5000 enterprises achieve digital transformation goals. The company’s AI-powered DevSecOps platform unifies, secures, and generates predictive insights across the software lifecycle. Digital.ai empowers organizations to scale software development teams, continuously deliver software with greater quality and security while uncovering new market opportunities and enhancing business value through smarter software investments.
Additional information about Digital.ai can be found at digital.ai and on Twitter, LinkedIn and Facebook.
Learn more at Digital.ai Application Security
