Skip to content
Platform
android
MASVS v1 MSTG-RESILIENCE-5
MASVS v2 MASVS-RESILIENCE-1
Last updated: May 08, 2023

Testing Emulator Detection

Bypassing Emulator Detection

  1. Patch the emulator detection functionality. Disable the unwanted behavior by simply overwriting the associated bytecode or native code with NOP instructions.
  2. Use Frida or Xposed APIs to hook file system APIs on the Java and native layers. Return innocent-looking values (preferably taken from a real device) instead of the telltale emulator values. For example, you can override the TelephonyManager.getDeviceID method to return an IMEI value.

Refer to the "Tampering and Reverse Engineering on Android" chapter for examples of patching, code injection, and kernel modules.

Effectiveness Assessment

Install and run the app in the emulator. The app should detect that it is being executed in an emulator and terminate or refuse to execute the functionality that's meant to be protected.

Work on bypassing the defenses and answer the following questions:

  • How difficult is identifying the emulator detection code via static and dynamic analysis?
  • Can the detection mechanisms be bypassed trivially (e.g., by hooking a single API function)?
  • Did you need to write custom code to disable the anti-emulation feature(s)? How much time did you need?
  • What is your assessment of the difficulty of bypassing the mechanisms?