Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.[1] There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).[2]
Through virtualization solutions, adversaries may execute malicious operations without user knowledge. For example, adversaries may mimic a legitimate banking application’s functionalities in a virtual environment, thanks to the virtualization solution, while malicious code captures credentials.
| ID | Name | Description |
|---|---|---|
| S1208 | FjordPhantom |
FjordPhantom uses a virtualization solution to steal credentials.[3] |
| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance |
Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious applications. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0041 | Application Vetting | Permissions Requests |
Application vetting services can look for applications that request permissions to Accessibility services or application overlay. |
| DS0009 | Process | OS API Execution |
Monitor for API calls that are related to GooglePlayServices. |
| DS0042 | User Interface | Permissions Request |
The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. |