From 099a489902cbc47383d78c58f7ebe40c7168e87e Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 18 Feb 2026 13:04:28 +0000 Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20Android=20Application-L?= =?UTF-8?q?evel=20Virtualization=20(App=20Cloning)=20=E2=80=94=20How...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/SUMMARY.md | 1 + .../android-app-pentesting/README.md | 1 + ...ndroid-application-level-virtualization.md | 44 +++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 src/mobile-pentesting/android-app-pentesting/android-application-level-virtualization.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 039bbb66cf2..d85e3a7dd51 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -359,6 +359,7 @@ - [Abusing Android Media Pipelines Image Parsers](mobile-pentesting/android-app-pentesting/abusing-android-media-pipelines-image-parsers.md) - [Accessibility Services Abuse](mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md) - [Android Anti Instrumentation And Ssl Pinning Bypass](mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md) + - [Android Application Level Virtualization](mobile-pentesting/android-app-pentesting/android-application-level-virtualization.md) - [Android Applications Basics](mobile-pentesting/android-app-pentesting/android-applications-basics.md) - [Android Enterprise Work Profile Bypass](mobile-pentesting/android-app-pentesting/android-enterprise-work-profile-bypass.md) - [Android Hce Nfc Emv Relay Attacks](mobile-pentesting/android-app-pentesting/android-hce-nfc-emv-relay-attacks.md) diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index d9e9964e7d8..f0ef7a7480b 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md 
@@ -27,6 +27,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde - [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md) - [Play Integrity attestation spoofing (SafetyNet replacement)](play-integrity-attestation-bypass.md) +- [Android app-level virtualization / app cloning abuse & detection](android-application-level-virtualization.md) - [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md) - [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md) - [Abusing Accessibility Services (Android RAT)](accessibility-services-abuse.md) diff --git a/src/mobile-pentesting/android-app-pentesting/android-application-level-virtualization.md b/src/mobile-pentesting/android-app-pentesting/android-application-level-virtualization.md new file mode 100644 index 00000000000..8da35259df1 --- /dev/null +++ b/src/mobile-pentesting/android-app-pentesting/android-application-level-virtualization.md 
@@ -0,0 +1,44 @@ +# Android Application-Level Virtualization (App Cloning) + +{{#include ../../banners/hacktricks-training.md}} + +Application-level virtualization (aka app cloning/container frameworks such as DroidPlugin-class loaders) runs multiple APKs inside a single host app that controls lifecycle, class loading, storage, and permissions. Guests often execute inside the host UID, collapsing Android’s normal per-app isolation and making detection difficult because the system sees one process/UID. + +## Baseline install/launch vs virtualized execution + +- **Normal install**: Package Manager extracts APK → `/data/app//com.pkg-/base.apk`, assigns a **unique UID**, and Zygote forks a process that loads `classes.dex`. +- **Dex load primitive**: `DexFile.openDexFile()` delegates to `openDexFileNative()` using absolute paths; virtualization layers commonly hook/redirect this to load guest dex from host-controlled paths. +- **Virtualized launch**: Host starts a process under **its UID**, loads the guest’s `base.apk`/dex with a custom loader, and exposes lifecycle callbacks via Java proxies. Guest storage API calls are remapped to host-controlled paths. + +## Abuse patterns + +- **Permission escalation via shared UID**: Guests run under the host UID and can inherit **all host-granted permissions** even if not declared in the guest manifest. Over-permissioned hosts (massive `AndroidManifest.xml`) become “permission umbrellas”. +- **Stealthy code loading**: Host hooks `openDexFileNative`/class loaders to inject, replace, or instrument guest dex at runtime, bypassing static analysis. +- **Malicious host vs malicious guest**: + - *Evil host*: acts as dropper/executor, instruments/filters guest behavior, tampers with crashes. + - *Evil guest*: abuses shared UID to reach other guests’ data, ptrace them, or leverage host permissions. + +## Fingerprinting & detection + +- **Multiple base.apk in one process**: A container often maps several APKs in the same PID. 
+ ```bash + adb shell "cat /proc//maps | grep base.apk" + # Suspicious: host base.apk + unrelated packages mapped together + ``` +- **Hooking/instrumentation artifacts**: Search for known libs (e.g., Frida) in maps and confirm on disk. + ```bash + adb shell "cat /proc//maps | grep frida" + adb shell "file /data/app/..../lib/arm64/libfrida-gadget.so" + ``` +- **Crash-tamper probe**: Intentionally trigger an exception (e.g., NPE) and observe whether the process dies normally; hosts that intercept lifecycle/crash paths may swallow or rewrite crashes. + +## Hardening notes + +- **Server-side attestation**: Enforce sensitive operations behind [Play Integrity](play-integrity-attestation-bypass.md) tokens so only genuine installs (not dynamically loaded guests) are accepted server-side. +- **Use stronger isolation**: For highly sensitive code, prefer **Android Virtualization Framework (AVF)**/TEE-backed execution instead of app-level containers that share a UID. + +## References + +- [Android Application-Level Virtualization (App Cloning) — How It Works, Abuse, and Detection](https://blog.azzahid.com/posts/android-app-virtualization/) + +{{#include ../../banners/hacktricks-training.md}}
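Review bot: the detection commands in the "Fingerprinting & detection" section of the new page have lost their PID placeholder (they read `adb shell "cat /proc//maps | grep base.apk"` and `adb shell "cat /proc//maps | grep frida"`), so as written they fail with "No such file or directory"; the baseline path `/data/app//com.pkg-/base.apk` has the same problem. Something like `grep base.apk /proc/$(pidof com.host.app)/maps` would work, with two caveats stated next to it: reading another process's maps needs root (or `run-as` on a debuggable package), because the kernel applies a ptrace-access check to `/proc/<pid>/maps` and the `shell` user is not allowed to read app processes; and "several base.apk in one process" is a weak signal on its own, since every app that uses WebView maps the WebView provider's APK into its own process, so the heuristic should exclude the WebView/Trichrome provider before flagging anything. The Frida grep only catches the default library name (a renamed gadget evades it) and `file` is absent on many stock builds. Since the page is also meant for defenders, the section would be stronger with checks an app can ship without adb: compare `Process.myUid()` with `PackageManager.getPackageUid(getPackageName(), 0)`, check that `ApplicationInfo.sourceDir` and `dataDir` point at the installed package's own paths rather than a host-controlled directory, and read `/proc/self/maps` (always permitted) for foreign APKs; the crash-tamper probe should likewise name its concrete check, for example inspecting `Thread.getDefaultUncaughtExceptionHandler()` for a non-framework class installed by the host. Finally, the AVF recommendation under "Hardening notes" needs the caveat that protected VMs are not generally available to third-party apps, so for most app developers the realistic mitigation is server-side attestation plus the runtime self-checks above.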