HackTricks-wiki · carlospolop · Feb 18, 2026
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -359,6 +359,7 @@
   - [Abusing Android Media Pipelines Image Parsers](mobile-pentesting/android-app-pentesting/abusing-android-media-pipelines-image-parsers.md)
   - [Accessibility Services Abuse](mobile-pentesting/android-app-pentesting/accessibility-services-abuse.md)
   - [Android Anti Instrumentation And Ssl Pinning Bypass](mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md)
+  - [Android Application Level Virtualization](mobile-pentesting/android-app-pentesting/android-application-level-virtualization.md)
   - [Android Applications Basics](mobile-pentesting/android-app-pentesting/android-applications-basics.md)
   - [Android Enterprise Work Profile Bypass](mobile-pentesting/android-app-pentesting/android-enterprise-work-profile-bypass.md)
   - [Android Hce Nfc Emv Relay Attacks](mobile-pentesting/android-app-pentesting/android-hce-nfc-emv-relay-attacks.md)

diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md
@@ -27,6 +27,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde
 
 - [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
 - [Play Integrity attestation spoofing (SafetyNet replacement)](play-integrity-attestation-bypass.md)
+- [Android app-level virtualization / app cloning abuse & detection](android-application-level-virtualization.md)
 - [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
 - [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md)
 - [Abusing Accessibility Services (Android RAT)](accessibility-services-abuse.md)

diff --git a/...e-pentesting/android-app-pentesting/android-application-level-virtualization.md b/...e-pentesting/android-app-pentesting/android-application-level-virtualization.md
@@ -0,0 +1,44 @@
+# Android Application-Level Virtualization (App Cloning)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Application-level virtualization (aka app cloning/container frameworks such as DroidPlugin-class loaders) runs multiple APKs inside a single host app that controls lifecycle, class loading, storage, and permissions. Guests often execute inside the host UID, collapsing Android’s normal per-app isolation and making detection difficult because the system sees one process/UID.
+
+## Baseline install/launch vs virtualized execution
+
+- **Normal install**: Package Manager extracts APK → `/data/app/<rand>/com.pkg-<rand>/base.apk`, assigns a **unique UID**, and Zygote forks a process that loads `classes.dex`.
+- **Dex load primitive**: `DexFile.openDexFile()` delegates to `openDexFileNative()` using absolute paths; virtualization layers commonly hook/redirect this to load guest dex from host-controlled paths.
+- **Virtualized launch**: Host starts a process under **its UID**, loads the guest’s `base.apk`/dex with a custom loader, and exposes lifecycle callbacks via Java proxies. Guest storage API calls are remapped to host-controlled paths.
+
+## Abuse patterns
+
+- **Permission escalation via shared UID**: Guests run under the host UID and can inherit **all host-granted permissions** even if not declared in the guest manifest. Over-permissioned hosts (massive `AndroidManifest.xml`) become “permission umbrellas”.
+- **Stealthy code loading**: Host hooks `openDexFileNative`/class loaders to inject, replace, or instrument guest dex at runtime, bypassing static analysis.
+- **Malicious host vs malicious guest**:
+  - *Evil host*: acts as dropper/executor, instruments/filters guest behavior, tampers with crashes.
+  - *Evil guest*: abuses shared UID to reach other guests’ data, ptrace them, or leverage host permissions.
+
+## Fingerprinting & detection
+
+- **Multiple base.apk in one process**: A container often maps several APKs in the same PID.
+  ```bash
+  adb shell "cat /proc/<pid>/maps | grep base.apk"
+  # Suspicious: host base.apk + unrelated packages mapped together
+  ```
+- **Hooking/instrumentation artifacts**: Search for known libs (e.g., Frida) in maps and confirm on disk.
+  ```bash
+  adb shell "cat /proc/<pid>/maps | grep frida"
+  adb shell "file /data/app/..../lib/arm64/libfrida-gadget.so"
+  ```
+- **Crash-tamper probe**: Intentionally trigger an exception (e.g., NPE) and observe whether the process dies normally; hosts that intercept lifecycle/crash paths may swallow or rewrite crashes.
+
+## Hardening notes
+
+- **Server-side attestation**: Enforce sensitive operations behind [Play Integrity](play-integrity-attestation-bypass.md) tokens so only genuine installs (not dynamically loaded guests) are accepted server-side.
+- **Use stronger isolation**: For highly sensitive code, prefer **Android Virtualization Framework (AVF)**/TEE-backed execution instead of app-level containers that share a UID.
+
+## References
+
+- [Android Application-Level Virtualization (App Cloning) — How It Works, Abuse, and Detection](https://blog.azzahid.com/posts/android-app-virtualization/)
+
+{{#include ../../banners/hacktricks-training.md}}