[MASWE-0098] Consider adding Android app virtualization under the MASVS-RESILIENCE control group

[aegis-dev]

Hello! My name is Egidijus Lileika, I am a senior security researcher, and I am representing Digital.ai.

For a while, we’ve been researching Android virtualization software as a threat tool that can be utilized for dynamic analysis and application tampering. When I am talking about Android virtualization I am referring to software that can partially or fully virtualize Android system to run target applications in a controlled environment. Software like this technically bypasses the Android security model by creating a more permissive environment that other threat tools can utilize. Virtualization software usually doesn’t require a device to be rooted.

Recently, security firm Promon released a blog post about a malware family that they named FjordPhantom. This malware utilizes virtualization technology as a wrapper around real banking software. From the end-user perspective, the app looks the same as the original banking application, however, the virtualizers inject additional code that bypasses anti-tampering security measures (e.g. SafetyNet) and does other things dynamically with the intent to defraud the user.

Another popular example, GameGuardian - a tool designed for cheating in games, can be used on non-rooted devices with modified virtualizers that allow the GameGuardian to interact with the target virtualized application.

Here are some popular virtualizers that are designed or can be used with malicious intent:

https://github.com/asLody/VirtualApp

https://github.com/android-hacker/VirtualXposed

https://github.com/WaxMoon/MultiApp

https://github.com/didi/VirtualAPK

https://github.com/ManbangGroup/Phantom

Here are some links to our official blogs where we briefly talk about the Android virtualization software and the dangers associated with it (not promoting, just for more information):

https://digital.ai/catalyst-blog/intro-to-the-world-of-virtualization-part-i/

https://digital.ai/catalyst-blog/intro-to-the-world-of-virtualization-part-ii/

Also, we had a speech at Droidcon 2023 Berlin. In this talk, we are demonstrating how virtualization software can tamper applications dynamically without tampering with the APK package in any way.

https://www.youtube.com/watch?v=YbCRIEQKUCI

We, Digital.ai, propose to consider requiring applications to be resilient against Android virtualization software under MASVS-RESILIENCE-1 and/or MASVS-RESILIENCE-4 security control. If you agree with this idea, we can start working on preparing test cases that could be included in the MASTG.

[vixentael]

@aegis-dev do you have any ideas how to protect against such tools? what recommendations we should share with developers?

cc @julepka @Tachibanaff

[aegis-dev]

@vixentael There are countless environment verification checks you can do depending on what kind of virtualizer you want to detect.
Many virtualizers load target application code into its context so you technically can use reflection to check the presence of certain Java classes. You can go further by identifying and/or checksumming DEX files loaded into the memory. Then, some virtualizers mess up patching package names in all places or sometimes don't even bother patching the package name. Checking application metadata in 'ApplicationInfo' and other places, etc.
If virtualizers are used for malicious activity they usually utilise hooking frameworks and checking the presence of such hooking frameworks indirectly indicates a tampered environment.

I want to be more specific with examples, but I need to discuss it internally. However, plenty open-source projects demonstrate specific techniques. For instance these:

1. VirtualApk (and maybe more) detection - https://github.com/ZaratustraN/check-virtual-apk/blob/master/app/src/main/java/cn/zarathustra/checkvirtualapk/CheckVirtual.java
2. AppCloner detection (and probably all other repackaging based "virtualizers") - https://github.com/jeziellago/AppCloneDetector/blob/master/clonedetector/src/main/java/com/clone/detector/AppCloneDetector.kt
3. VirtualXposed can be detected as Xposed or EdXposed. One random example I found - https://github.com/Jabb0/XposedDetector/blob/master/app/src/main/java/de/jabb0/xposeddetector/MainActivity.java

[cpholguera]

Hi @aegis-dev, sorry for the late reply. I hope you'll be happy to know that we've added this as a weakness for the new MASWE, which is the bridge between MASVS and MASTG.

If you'd like to work on it, you could start by creating the weakness and then writing some tests and demos.

Should I assign it to you?

#2768

[aegis-dev]

Hi @cpholguera, great news! I'd love to work on this. Also, it would be nice if you could link me some good examples as I am not very familiar with MASWE project.

[cpholguera]

I've just invited you to the project, you should have received an email from GitHub. Once you accept, I can assign this issue to you.

You can read about the new MASWE, the latest addition to the OWASP MAS project, here:

https://mas.owasp.org/MASWE/

Go to the "About the MASWE" section. On this page you will also find all the current issues, and if you sort or filter by new, you can already read some weaknesses that you can use as a reference. We have guidelines for writing these items, but I'm currently updating them. However, the items themselves should be self-explanatory, and if not, you can always ask me.

I also recommend watching our latest talk here:

https://mas.owasp.org/talks/

[aegis-dev]

I accepted the invitation. Thank you for the links! I will let you know if I need any help 🫡