Bypassing Android Anti-emulation
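```javascript
Java.perform(function () {
    // Hook Build properties (static fields are set through .value)
    var Build = Java.use("android.os.Build");
    Build.FINGERPRINT.value = "google/angler/angler:6.0.1/MTC20F/12345:user/release-keys";
    Build.MANUFACTURER.value = "Huawei";
    Build.MODEL.value = "Nexus 6P";

    // Hook getprop
    var SystemProperties = Java.use("android.os.SystemProperties");
    SystemProperties.get.overload('java.lang.String').implementation = function (key) {
        // The hook body is missing from the page; this pass-through keeps the
        // script valid. Substitute values for keys such as ro.kernel.qemu here.
        return this.get(key);
    };
});
```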
1. Introduction

Modern Android malware and protected applications often employ anti-emulation checks. These checks detect whether the app is running in a virtualized environment (emulator) rather than on a physical device. If an emulator is detected, the app may crash, display fake data, refuse to execute core logic, or even uninstall itself.

For security analysts, bypassing these checks is critical to perform dynamic analysis, network inspection, and runtime manipulation.

Attackers use multiple indicators to fingerprint an emulator:

| Category | Technique | Example Check |
|----------|-----------|----------------|
| | ro.kernel.qemu | `getprop("ro.kernel.qemu") == "1"` |
| Filesystem | Presence of emulator-specific files | `/system/bin/qemu-props`, `/dev/qemu_pipe` |
| Hardware | Fake or generic hardware IDs | `Build.MANUFACTURER = "unknown"` |
| Network | Emulator default IPs | `10.0.2.15`, `10.0.2.2` |
| Sensors | Missing or static sensors | No accelerometer, fake battery info |
| Telephony | Missing SIM, dummy IMEI | `TelephonyManager.getDeviceId()` returns `"000000000000000"` |
| Performance | Unnatural timing | Too fast execution (no real user interaction) |

3. Bypass Strategies

We classify bypass methods into static (modifying the app or environment before execution) and dynamic (intercepting checks at runtime).

3.1 Static Bypass – Patching the APK

Remove or NOP-out anti-emulation checks directly from the bytecode.
Tools: apktool, jadx, dex2jar, Bytecode Viewer
```javascript
Java.perform(function () {
    // Hide Frida-related frames from stack traces returned by Thread.getStackTrace()
    var Thread = Java.use("java.lang.Thread");
    Thread.getStackTrace.implementation = function () {
        var stack = this.getStackTrace();
        // Filter out Frida-related frames
        return stack.filter(frame => !frame.getClassName().includes("frida"));
    };
});
```

| Tool | Purpose |
|------|---------|
| Objection | Runtime exploration + built-in anti-emulation bypass (`android root disable`, `android simulate` commands) |
| Android Emulator Detector (AED) | Test your emulator against known checks |
| Sandbox Scout | Checks if environment is a sandbox/emulator |
| VirtualXposed | Run modules without modifying system |
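```javascript
Java.perform(function () {
    // Hook TelephonyManager; .overload() selects the no-argument variants,
    // since these methods also exist with an int parameter
    var TelephonyManager = Java.use("android.telephony.TelephonyManager");
    TelephonyManager.getDeviceId.overload().implementation = function () {
        return "354554091234567"; // 15-digit value in IMEI format
    };
    TelephonyManager.getSimOperatorName.overload().implementation = function () {
        return "T-Mobile";
    };
});
```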
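An added example (not from the original page): a Node.js script that checks values collected from an analysis environment against the indicators in the table above, so an analyst can see which ones the environment still exposes. The function names, the `env` object shape and the sample values are assumptions constructed for illustration; `ro.product.manufacturer` is the system property behind `Build.MANUFACTURER`.

```javascript
// Parse `adb shell getprop` output lines of the form "[key]: [value]".
function parseGetprop(text) {
  const props = new Map();
  for (const line of text.split("\n")) {
    const m = /^\[([^\]]+)\]:\s*\[(.*)\]\s*$/.exec(line.trim());
    if (m) props.set(m[1], m[2]);
  }
  return props;
}

// Indicator values taken from the table on this page.
const EMULATOR_FILES = ["/system/bin/qemu-props", "/dev/qemu_pipe"];
const EMULATOR_IPS = ["10.0.2.15", "10.0.2.2"];
const DUMMY_IMEI = "000000000000000";

// env (hypothetical shape): { props: Map, files: string[], ips: string[], imei: string }
function auditEnvironment(env) {
  const findings = [];
  if (env.props.get("ro.kernel.qemu") === "1")
    findings.push("property: ro.kernel.qemu=1");
  // A missing manufacturer property is treated the same as "unknown".
  if ((env.props.get("ro.product.manufacturer") || "unknown") === "unknown")
    findings.push("hardware: manufacturer is unknown");
  for (const f of env.files)
    if (EMULATOR_FILES.includes(f)) findings.push("filesystem: " + f);
  for (const ip of env.ips)
    if (EMULATOR_IPS.includes(ip)) findings.push("network: " + ip);
  if (env.imei === DUMMY_IMEI) findings.push("telephony: dummy IMEI");
  return findings;
}

// Constructed sample input, not captured from a real device.
const sampleGetprop = [
  "[ro.kernel.qemu]: [1]",
  "[ro.product.manufacturer]: [unknown]",
  "[ro.product.model]: [sdk_gphone_x86]",
].join("\n");

const sampleFindings = auditEnvironment({
  props: parseGetprop(sampleGetprop),
  files: ["/dev/qemu_pipe", "/system/bin/sh"],
  ips: ["10.0.2.15"],
  imei: "000000000000000",
});
console.log(sampleFindings);
```

The Frida hooks on this page change only what the hooked app sees through the Java APIs, so values read with `adb shell getprop` still show the unmodified environment.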