Android Application-Level Virtualization (App Cloning)
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Application-level virtualization (also called app cloning or container frameworks, such as DroidPlugin-class loaders) runs multiple APKs inside a single host app that controls their lifecycle, class loading, storage, and permissions. Guest apps usually run inside the host's UID, which breaks Android's normal per-app isolation and makes detection harder because the system only sees one process/UID.
Baseline install/launch vs virtualized execution
- Normal install: the Package Manager extracts the APK to /data/app/<rand>/com.pkg-<rand>/base.apk, assigns a unique UID, and Zygote forks a process that loads classes.dex.
- Dex load primitive: DexFile.openDexFile() delegates to openDexFileNative() using absolute paths; virtualization layers commonly hook/redirect this call to load guest dex from host-controlled paths.
- Virtualized launch: the host starts a process under its own UID, loads the guest's base.apk/dex with a custom loader, and exposes lifecycle callbacks via Java proxies. Guest storage API calls are remapped to host-controlled paths.
Abuse patterns
- Permission escalation via shared UID: guest apps run under the host UID and can inherit all host-granted permissions even when those permissions are not declared in the guest's manifest. Over-permissioned hosts (with a massive AndroidManifest.xml) become "permission umbrellas".
- Stealthy code loading: the host hooks openDexFileNative/class loaders to inject, modify, or instrument guest dex at runtime, evading static analysis.
- Malicious host vs malicious guest:
  - Evil host: acts as a dropper/executor, instruments/filters guest behaviour, tampers with crashes.
  - Evil guest: abuses the shared UID to access other guests' data, ptrace them, or use host permissions.
Fingerprinting & detection
- Multiple base.apk in one process: containers often map several APKs into a single PID.
adb shell "cat /proc/<pid>/maps | grep base.apk"
# Suspicious: host base.apk + unrelated packages mapped together
- Hooking/instrumentation artifacts: look for known libraries (e.g. Frida) in the maps and confirm their presence on disk.
adb shell "cat /proc/<pid>/maps | grep frida"
adb shell "file /data/app/..../lib/arm64/libfrida-gadget.so"
- Crash-tamper probe: trigger an error deliberately (e.g. an NPE) and check whether the process dies normally; hosts that intercept lifecycle/crash paths may swallow or rewrite crashes.
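The two /proc/<pid>/maps checks above, as an added example that is not part of the original page: a small Python triage script that parses maps output, lists every package whose base.apk is mapped into the process besides the expected host, and flags known instrumentation libraries. The package names, paths and the maps sample are constructed for the demonstration; feed it real output from `adb shell cat /proc/<pid>/maps` instead.

```python
import re

# Constructed sample of /proc/<pid>/maps output (not captured from a real device):
# the host's base.apk, two unrelated packages' base.apk mapped into the same PID,
# and a Frida gadget library.
SAMPLE_MAPS = """\
7a1c000000-7a1c3f0000 r--p 00000000 fd:05 1234 /data/app/~~AbC1/com.example.host-xyz==/base.apk
7a1c3f0000-7a1c400000 r--s 00000000 fd:05 1234 /data/app/~~AbC1/com.example.host-xyz==/base.apk
7a1d000000-7a1d200000 r--p 00000000 fd:05 5678 /data/app/~~DeF2/com.guest.bank-abc==/base.apk
7a1e000000-7a1e100000 r--p 00000000 fd:05 9012 /data/app/~~GhI3/com.guest.chat-def==/base.apk
7a1f000000-7a1f050000 r-xp 00000000 fd:05 3456 /data/app/~~AbC1/com.example.host-xyz==/lib/arm64/libfrida-gadget.so
7a20000000-7a20010000 rw-p 00000000 00:00 0 [anon:dalvik-main space]
"""

# Package name from a /data/app/[~~<rand>/]<pkg>-<rand>/base.apk path (both the
# older and the newer install-directory layouts).
PKG_RE = re.compile(r"/data/app/(?:~~[^/]+/)?([A-Za-z0-9_.]+)-[^/]+/base\.apk$")
HOOK_LIBS = ("frida", "xposed", "substrate")  # well-known instrumentation libraries

def parse_maps(text):
    """Return the set of file-backed mapping paths from maps output."""
    paths = set()
    for line in text.splitlines():
        # maps fields: address perms offset dev inode [pathname]
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5])
    return paths

def mapped_packages(paths):
    """Distinct package names whose base.apk is mapped into the process."""
    pkgs = set()
    for p in paths:
        m = PKG_RE.search(p)
        if m:
            pkgs.add(m.group(1))
    return pkgs

def hooking_artifacts(paths):
    """Mapped libraries whose name matches a known hooking framework."""
    return sorted(p for p in paths if any(h in p.lower() for h in HOOK_LIBS))

def assess(maps_text, host_pkg):
    """Summarise the indicators for one process given its expected package name."""
    paths = parse_maps(maps_text)
    foreign = sorted(mapped_packages(paths) - {host_pkg})
    hooks = hooking_artifacts(paths)
    return {"foreign_packages": foreign, "hooking_libs": hooks,
            "suspicious": bool(foreign) or bool(hooks)}
```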
Hardening notes
- Server-side attestation: gate sensitive operations behind Play Integrity tokens so that only genuine installs (not dynamically loaded guests) are accepted server-side.
- Use stronger isolation: for highly protected code, prefer Android Virtualization Framework (AVF)/TEE-backed execution over app-level containers that share a UID.