Android — wirtualizacja na poziomie aplikacji (App Cloning)

Tip

Ucz się i ćwicz Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Ucz się i ćwicz Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Ucz się i ćwicz Hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Wsparcie dla HackTricks

Wirtualizacja na poziomie aplikacji (znana także jako app cloning/container frameworks such as DroidPlugin-class loaders) uruchamia wiele APK wewnątrz pojedynczej aplikacji-host, która kontroluje lifecycle, class loading, storage i permissions. Goście często wykonują się w ramach host UID, co znosi normalną izolację aplikacji w Androidzie i utrudnia wykrywanie, ponieważ system widzi jeden proces/UID.

Baseline install/launch vs virtualized execution

  • Normal install: Package Manager extracts APK → /data/app/<rand>/com.pkg-<rand>/base.apk, assigns a unique UID, and Zygote forks a process that loads classes.dex.
  • Dex load primitive: DexFile.openDexFile() delegates to openDexFileNative() using absolute paths; virtualization layers commonly hook/redirect this to load guest dex from host-controlled paths.
  • Virtualized launch: Host starts a process under its UID, loads the guest’s base.apk/dex with a custom loader, and exposes lifecycle callbacks via Java proxies. Guest storage API calls are remapped to host-controlled paths.

Abuse patterns

  • Permission escalation via shared UID: Guests run under the host UID and can inherit all host-granted permissions even if not declared in the guest manifest. Over-permissioned hosts (massive AndroidManifest.xml) become “permission umbrellas”.
  • Stealthy code loading: Host hooks openDexFileNative/class loaders to inject, replace, or instrument guest dex at runtime, bypassing static analysis.
  • Malicious host vs malicious guest:
  • Evil host: acts as dropper/executor, instruments/filters guest behavior, tampers with crashes.
  • Evil guest: abuses shared UID to reach other guests’ data, ptrace them, or leverage host permissions.

Fingerprinting i wykrywanie

  • Multiple base.apk in one process: A container often maps several APKs in the same PID.
adb shell "cat /proc/<pid>/maps | grep base.apk"
# Suspicious: host base.apk + unrelated packages mapped together
  • Hooking/instrumentation artifacts: Search for known libs (e.g., Frida) in maps and confirm on disk.
adb shell "cat /proc/<pid>/maps | grep frida"
adb shell "file /data/app/..../lib/arm64/libfrida-gadget.so"
  • Crash-tamper probe: Intentionally trigger an exception (e.g., NPE) and observe whether the process dies normally; hosts that intercept lifecycle/crash paths may swallow or rewrite crashes.

Uwagi dotyczące utwardzania

  • Server-side attestation: Enforce sensitive operations behind Play Integrity tokens so only genuine installs (not dynamically loaded guests) are accepted server-side.
  • Use stronger isolation: For highly sensitive code, prefer Android Virtualization Framework (AVF)/TEE-backed execution instead of app-level containers that share a UID.

References

Tip

Ucz się i ćwicz Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Ucz się i ćwicz Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Ucz się i ćwicz Hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Wsparcie dla HackTricks