Android Application-Level Virtualization (App Cloning)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Application-level virtualization (aka app cloning/container frameworks such as DroidPlugin-class loaders) runs multiple APKs inside a single host app that controls their lifecycle, class loading, storage and permissions. Guests frequently run inside the host's UID, collapsing Android's normal per-app isolation and making detection hard because the system only sees a single process/UID.

Baseline install/launch vs virtualized execution

  • Normal install: Package Manager extracts APK → /data/app/<rand>/com.pkg-<rand>/base.apk, assigns a unique UID, and Zygote forks a process that loads classes.dex.
  • Dex load primitive: DexFile.openDexFile() delegates to openDexFileNative() using absolute paths; virtualization layers commonly hook/redirect this to load guest dex from host-controlled paths.
  • Virtualized launch: Host starts a process under its UID, loads the guest’s base.apk/dex with a custom loader, and exposes lifecycle callbacks via Java proxies. Guest storage API calls are remapped to host-controlled paths.

Abuse patterns

  • Permission escalation via shared UID: Guests run under the host UID and can inherit all host-granted permissions even if not declared in the guest manifest. Over-permissioned hosts (massive AndroidManifest.xml) become “permission umbrellas”.
  • Stealthy code loading: Host hooks openDexFileNative/class loaders to inject, replace, or instrument guest dex at runtime, bypassing static analysis.
  • Malicious host vs malicious guest:
      • Evil host: acts as a dropper/executor, instruments/filters the guest's behaviour and manipulates crashes.
      • Evil guest: abuses the shared UID to reach other guests' data, ptrace them, or leverage the host's permissions.

Fingerprinting & detection

  • Multiple base.apk in one process: A container often maps several APKs in the same PID.
      adb shell "grep base.apk /proc/<pid>/maps"
      # Suspicious: host base.apk + unrelated packages mapped together
  • Hooking/instrumentation artifacts: Search for known libs (e.g., Frida) in maps and confirm on disk.
      adb shell "grep frida /proc/<pid>/maps"
      adb shell "file /data/app/..../lib/arm64/libfrida-gadget.so"
  • Crash-tamper probe: Intentionally trigger an exception (e.g., NPE) and observe whether the process dies normally; hosts that intercept lifecycle/crash paths may swallow or rewrite crashes.
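The two maps-based fingerprints above (several packages' base.apk in one PID, plus instrumentation libraries) can be automated over a saved /proc/<pid>/maps dump. The script below is an added example, not HackTricks code; the maps lines, package names and the instrumentation watch-list are constructed/assumed, and the path layout follows the /data/app/<rand>/<pkg>-<rand>/base.apk convention described earlier.

```python
import re

# Constructed sample of /proc/<pid>/maps lines (not a real capture): the host's own
# base.apk, an unrelated package's base.apk and a Frida gadget mapped into one process.
SAMPLE_MAPS = """\
7f3a1c0000-7f3a1d0000 r--p 00000000 fd:00 1234 /data/app/~~R1==/com.example.host-A1==/base.apk
7f3a1d0000-7f3a2e0000 r-xp 00010000 fd:00 1234 /data/app/~~R1==/com.example.host-A1==/base.apk
7f3b000000-7f3b100000 r--p 00000000 fd:00 5678 /data/app/~~R2==/com.other.guest-B2==/base.apk
7f3c000000-7f3c080000 r-xp 00000000 fd:00 9999 /data/app/~~R1==/com.example.host-A1==/lib/arm64/libfrida-gadget.so
7f3d000000-7f3d010000 rw-p 00000000 00:00 0 [anon:dalvik-main space]
"""

# Layout from the page: /data/app/<rand>/<pkg>-<rand>/base.apk (group 1 = "<pkg>-<rand>")
BASE_APK_RE = re.compile(r"^/data/app/(?:[^/]+/)*?([^/]+)/base\.apk$")
# Assumed watch-list of instrumentation library name fragments; extend for your environment.
INSTRUMENTATION_LIBS = ("frida", "gadget", "xposed", "substrate")

def package_from_dir(component: str) -> str:
    # Package names never contain '-', so everything before the last '-' is the package.
    return component.rsplit("-", 1)[0]

def analyze_maps(maps_text: str, host_pkg: str) -> dict:
    """Return distinct packages whose base.apk is mapped, mapped instrumentation libs,
    and whether the process carries the app-container fingerprint."""
    packages, suspicious_libs = set(), set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue                      # mapping without a path; nothing to classify
        path = fields[5]
        m = BASE_APK_RE.match(path)
        if m:
            packages.add(package_from_dir(m.group(1)))
        elif path.endswith(".so") and any(k in path.lower() for k in INSTRUMENTATION_LIBS):
            suspicious_libs.add(path)
    return {
        "packages": sorted(packages),
        "foreign_packages": sorted(packages - {host_pkg}),
        "instrumentation_libs": sorted(suspicious_libs),
        # More than one package's base.apk inside a single PID is the container fingerprint.
        "container_suspected": len(packages) > 1,
    }

if __name__ == "__main__":
    print(analyze_maps(SAMPLE_MAPS, "com.example.host"))
```

Feed it `adb shell cat /proc/<pid>/maps` output for a real process; a non-empty `foreign_packages` list for a PID that should only hold one app is the signal to investigate.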

Hardening notes

  • Server-side attestation: Enforce sensitive operations behind Play Integrity tokens so only genuine installs (not dynamically loaded guests) are accepted server-side.
  • Use stronger isolation: For highly sensitive code, prefer Android Virtualization Framework (AVF)/TEE-backed execution instead of app-level containers that share a UID.
