Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.[1] There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).[2]
Through virtualization solutions, adversaries may execute malicious operations without user knowledge. For example, adversaries may mimic a legitimate banking application’s functionalities in a virtual environment, thanks to the virtualization solution, while malicious code captures credentials.
| ID | Name | Description |
|---|---|---|
| S1208 | FjordPhantom |
FjordPhantom uses a virtualization solution to steal credentials.[3] |
| S1231 | GodFather |
GodFather has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications.[4] |
| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance |
Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious applications. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0606 | Detection of Virtualization Solution | AN1656 |
The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. |