Evade Analysis Environment

Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.[1][2][3][4] Adversaries may access android.os.SystemProperties via Java reflection to obtain specific system information.[5] Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.[6]

ID: T1523
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Defense Evasion, Discovery
Platforms: Android, iOS
Version: 1.0
Created: 02 October 2019
Last Modified: 11 October 2019

Procedure Examples

Name Description

Cerberus avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.[7]


Dendroid can detect if it is being run on an emulator.[8]


FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.[9]


Ginp can determine if it is running in an emulator.[10]


Mandrake can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.[11]


Rotexy checks if it is running in an analysis environment.[12]


TrickMo can detect if it is running on a rooted device or an emulator.[13]


WolfRAT can perform primitive emulation checks.[14]


Mitigation Description
Application Vetting

Applications that attempt to read android.os.SystemProperties, or to run getprop through runtime exec() commands, should be closely scrutinized. Google does not recommend the use of system properties within applications.
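An added example (not from this page or from MITRE) of the vetting check described above: a static scan over decompiled Java or smali text for android.os.SystemProperties references and for getprop combined with a process-spawning call. The rule names, the regexes and both sample classes are constructed for illustration.

```python
import re

# Heuristic regexes written for this example (not a MITRE or vendor rule set).
RULES = {
    # Reflection target as a Java string literal, or the smali type descriptor.
    "systemproperties_ref": re.compile(
        r'"android\.os\.SystemProperties"|Landroid/os/SystemProperties;'),
    # String literal whose first token is the getprop binary.
    "getprop_literal": re.compile(r'"(?:/system/bin/)?getprop(?:\s[^"]*)?"'),
    # Process-spawning calls that could run getprop.
    "exec_call": re.compile(r'\.exec\s*\(|new\s+ProcessBuilder\s*\('),
}

def scan_source(text):
    """Return (line_no, rule) hits for one decompiled file, in line order."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # skip comment-only lines to cut false positives
        hits += [(no, name) for name, rx in RULES.items() if rx.search(line)]
    return hits

def needs_review(text):
    """True for SystemProperties access, or a getprop literal plus a spawn."""
    rules = {name for _, name in scan_source(text)}
    return ("systemproperties_ref" in rules
            or {"getprop_literal", "exec_call"} <= rules)

# Constructed sample inputs (not taken from any real application).
SAMPLE = '''\
class Env {
    static String viaReflection() throws Exception {
        Class<?> c = Class.forName("android.os.SystemProperties");
        return (String) c.getMethod("get", String.class).invoke(null, "example.prop");
    }
    static Process viaShell() throws Exception {
        String cmd = "getprop example.prop";
        return Runtime.getRuntime().exec(cmd);
    }
}
'''
BENIGN = '''\
class Updater {
    // "getprop" is mentioned only in this comment
    void run() throws Exception { Runtime.getRuntime().exec("ls"); }
}
'''
if __name__ == "__main__":
    print(scan_source(SAMPLE), needs_review(SAMPLE), needs_review(BENIGN))
```

The getprop rule is evaluated per file rather than per line, so a command string held in a variable and executed on a later line is still flagged.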


Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.