Android Application-Level Virtualization (App Cloning)

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Application-level virtualization (aka app cloning/container frameworks such as DroidPlugin-class loaders) runs multiple APKs inside a single host app that controls lifecycle, class loading, storage, and permissions. Guests often execute inside the host UID, collapsing Android’s normal per-app isolation and making detection difficult because the system sees one process/UID.

Baseline install/launch vs virtualized execution

  • Normal install: Package Manager extracts APK → /data/app/<rand>/com.pkg-<rand>/base.apk, assigns a unique UID, and Zygote forks a process that loads classes.dex.
  • Dex load primitive: DexFile.openDexFile() delegates to openDexFileNative() using absolute paths; virtualization layers commonly hook/redirect this to load guest dex from host-controlled paths.
  • Virtualized launch: Host starts a process under its UID, loads the guest’s base.apk/dex with a custom loader, and exposes lifecycle callbacks via Java proxies. Guest storage API calls are remapped to host-controlled paths.

Abuse patterns

  • Permission escalation via shared UID: Guests run under the host UID and can inherit all host-granted permissions even if not declared in the guest manifest. Over-permissioned hosts (massive AndroidManifest.xml) become “permission umbrellas”.
  • Stealthy code loading: Host hooks openDexFileNative/class loaders to inject, replace, or instrument guest dex at runtime, bypassing static analysis.
  • Malicious host vs malicious guest:
    • Evil host: acts as dropper/executor, instruments/filters guest behavior, tampers with crashes.
    • Evil guest: abuses shared UID to reach other guests’ data, ptrace them, or leverage host permissions.

Fingerprinting & detection

  • Multiple base.apk in one process: A container often maps several APKs in the same PID. 
    adb shell "cat /proc/<pid>/maps | grep base.apk"
# Suspicious: host base.apk + unrelated packages mapped together
  • Hooking/instrumentation artifacts: Search for known libs (e.g., Frida) in maps and confirm on disk. 
    adb shell "cat /proc/<pid>/maps | grep frida"
adb shell "file /data/app/..../lib/arm64/libfrida-gadget.so"
  • Crash-tamper probe: Intentionally trigger an exception (e.g., NPE) and observe whether the process dies normally; hosts that intercept lifecycle/crash paths may swallow or rewrite crashes.

Hardening notes

  • Server-side attestation: Enforce sensitive operations behind Play Integrity tokens so only genuine installs (not dynamically loaded guests) are accepted server-side.
  • Use stronger isolation: For highly sensitive code, prefer Android Virtualization Framework (AVF)/TEE-backed execution instead of app-level containers that share a UID.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks