Replies: 2 comments 5 replies
-
@aegis-dev do you have any ideas how to protect against such tools? what recommendations we should share with developers? |
Beta Was this translation helpful? Give feedback.
1 reply
-
Hi @aegis-dev, sorry for the late reply. I hope you'll be happy to know that we've added this as a weakness for the new MASWE, which is the bridge between MASVS and MASTG. If you'd like to work on it, you could start by creating the weakness and then writing some tests and demos. Should I assign it to you? |
Beta Was this translation helpful? Give feedback.
3 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hello! My name is Egidijus Lileika, I am a senior security researcher, and I am representing Digital.ai.
For a while, we’ve been researching Android virtualization software as a threat tool that can be utilized for dynamic analysis and application tampering. When I am talking about Android virtualization I am referring to software that can partially or fully virtualize Android system to run target applications in a controlled environment. Software like this technically bypasses the Android security model by creating a more permissive environment that other threat tools can utilize. Virtualization software usually doesn’t require a device to be rooted.
Recently, security firm Promon released a blog post about a malware family that they named FjordPhantom. This malware utilizes virtualization technology as a wrapper around real banking software. From the end-user perspective, the app looks the same as the original banking application, however, the virtualizers inject additional code that bypasses anti-tampering security measures (e.g. SafetyNet) and does other things dynamically with the intent to defraud the user.
Another popular example, GameGuardian - a tool designed for cheating in games, can be used on non-rooted devices with modified virtualizers that allow the GameGuardian to interact with the target virtualized application.
Here are some popular virtualizers that are designed or can be used with malicious intent:
https://github.com/asLody/VirtualApp
https://github.com/android-hacker/VirtualXposed
https://github.com/WaxMoon/MultiApp
https://github.com/didi/VirtualAPK
https://github.com/ManbangGroup/Phantom
Here are some links to our official blogs where we briefly talk about the Android virtualization software and the dangers associated with it (not promoting, just for more information):
https://digital.ai/catalyst-blog/intro-to-the-world-of-virtualization-part-i/
https://digital.ai/catalyst-blog/intro-to-the-world-of-virtualization-part-ii/
Also, we had a speech at Droidcon 2023 Berlin. In this talk, we are demonstrating how virtualization software can tamper applications dynamically without tampering with the APK package in any way.
https://www.youtube.com/watch?v=YbCRIEQKUCI
We, Digital.ai, propose to consider requiring applications to be resilient against Android virtualization software under MASVS-RESILIENCE-1 and/or MASVS-RESILIENCE-4 security control. If you agree with this idea, we can start working on preparing test cases that could be included in the MASTG.
Beta Was this translation helpful? Give feedback.
All reactions