Android App-Level Virtualization (App Cloning)
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- 💬 Join the Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
App-level virtualization (aka app cloning/container frameworks such as DroidPlugin-class loaders) runs multiple APKs inside a single host application; the host controls lifecycle, class loading, storage and permissions. Guests typically run inside the host UID, which collapses Android's normal per-app isolation and makes detection harder because the system only sees a single process/UID.
Baseline install/launch vs virtualized execution
- Normal install: Package Manager extracts the APK to `/data/app/<rand>/com.pkg-<rand>/base.apk`, assigns a unique UID, and Zygote forks a process that loads `classes.dex`.
- Dex load primitive: `DexFile.openDexFile()` delegates to `openDexFileNative()` using absolute paths; virtualization layers commonly hook/redirect this to load guest dex from host-controlled paths.
- Virtualized launch: The host starts a process under its own UID, loads the guest's `base.apk`/dex with a custom loader, and exposes lifecycle callbacks via Java proxies. Guest storage API calls are remapped to host-controlled paths.
Abuse patterns
- Permission escalation via shared UID: Guests run under the host UID and can inherit all host-granted permissions even if they are not declared in the guest manifest. Over-permissioned hosts (a massive `AndroidManifest.xml`) become "permission umbrellas".
- Stealthy code loading: The host hooks `openDexFileNative`/class loaders to inject, replace, or instrument guest dex at runtime, bypassing static analysis.
- Malicious host vs malicious guest:
  - Evil host: acts as dropper/executor, instruments/filters guest behavior, tampers with crashes.
  - Evil guest: abuses the shared UID to reach other guests' data, ptrace them, or leverage host permissions.
Fingerprinting & detection
- Multiple base.apk in one process: A container often maps several APKs in the same PID.

```bash
adb shell "cat /proc/<pid>/maps | grep base.apk"
# Suspicious: host base.apk + unrelated packages mapped together
```

- Hooking/instrumentation artifacts: Search for known libs (e.g., Frida) in maps and confirm on disk.

```bash
adb shell "cat /proc/<pid>/maps | grep frida"
adb shell "file /data/app/..../lib/arm64/libfrida-gadget.so"
```

- Crash-tamper probe: Intentionally trigger an exception (e.g., an NPE) and observe whether the process dies normally; hosts that intercept lifecycle/crash paths may swallow or rewrite crashes.
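The two `grep` checks above can be turned into one triage script that reads a saved `/proc/<pid>/maps` dump and reports both signals at once: `base.apk` files belonging to packages other than the host, and mapped libraries whose name matches a known hooking framework. The script below is an added example, not code from the original page; the `SAMPLE_MAPS` text is a constructed, abbreviated maps dump, `com.example.host` and `com.bank.app` are made-up package names, and the marker list `HOOK_LIB_MARKERS` is an assumption you should extend with whatever instrumentation libraries you track.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format printed by
# `adb shell cat /proc/<pid>/maps` (address perms offset dev inode pathname).
# The host's own base.apk, a guest base.apk under a host-controlled path, and a
# Frida gadget library are mapped into the same process.
SAMPLE_MAPS = """\
7a1c000000-7a1c400000 r--p 00000000 fd:00 1234 /data/app/~~Ab12==/com.example.host-Xy98==/base.apk
7a1c400000-7a1c800000 r-xp 00000000 fd:00 1234 /data/app/~~Ab12==/com.example.host-Xy98==/base.apk
7a1d000000-7a1d300000 r--p 00000000 fd:00 5678 /data/data/com.example.host/virtual/com.bank.app/base.apk
7a1e000000-7a1e100000 r-xp 00000000 fd:00 9012 /data/app/~~Ab12==/com.example.host-Xy98==/lib/arm64/libfrida-gadget.so
7a1f000000-7a1f200000 r-xp 00000000 fd:00 3456 /apex/com.android.runtime/lib64/libart.so
7a20000000-7a20010000 rw-p 00000000 00:00 0
"""

# Substrings that identify instrumentation libraries (assumption: extend as needed).
HOOK_LIB_MARKERS = ("frida",)

# Matches ".../<package>[-<rand>]/base.apk" and captures the package name, which
# covers both the normal /data/app layout and guest APKs copied under the host's
# private storage.
APK_RE = re.compile(r"/([A-Za-z]\w*(?:\.\w+)+)(?:-[^/]*)?/base\.apk$")


def parse_maps(text):
    """Return the set of file paths mapped in the process (anonymous mappings are skipped)."""
    paths = set()
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5].strip())
    return paths


def mapped_apk_packages(paths):
    """Map each package whose base.apk is mapped to the set of paths it was seen at."""
    pkgs = defaultdict(set)
    for path in paths:
        match = APK_RE.search(path)
        if match:
            pkgs[match.group(1)].add(path)
    return dict(pkgs)


def hook_libraries(paths, markers=HOOK_LIB_MARKERS):
    """Return mapped paths whose name contains a known hooking-framework marker."""
    return sorted(p for p in paths if any(m in p.lower() for m in markers))


def assess(maps_text, host_pkg):
    """Summarise the container/instrumentation indicators found in a maps dump."""
    paths = parse_maps(maps_text)
    pkgs = mapped_apk_packages(paths)
    foreign = sorted(p for p in pkgs if p != host_pkg)
    hooks = hook_libraries(paths)
    findings = []
    if foreign:
        findings.append("base.apk of other package(s) mapped: " + ", ".join(foreign))
    if hooks:
        findings.append("hooking library mapped: " + ", ".join(hooks))
    return {
        "packages": sorted(pkgs),
        "foreign_packages": foreign,
        "hook_libs": hooks,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_MAPS, "com.example.host")
    for finding in report["findings"]:
        print("[!]", finding)
    if not report["findings"]:
        print("[+] no container or hooking indicators in maps")
```

In practice you would feed it `adb shell cat /proc/<pid>/maps > maps.txt` and the package name of the process as reported by `ps`; a mapped library is only an indicator, so follow it up with the on-disk `file` check from the list above.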
Hardening notes
- Server-side attestation: Enforce sensitive operations behind Play Integrity tokens so only genuine installs (not dynamically loaded guests) are accepted server-side.
- Use stronger isolation: For highly sensitive code, prefer Android Virtualization Framework (AVF)/TEE-backed execution instead of app-level containers that share a UID.