Skip to content

T1633.001 System Checks

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.

Hardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.

Item Value
ID T1633.001
Sub-techniques T1633.001
Tactics TA0030
Platforms Android, iOS
Version 1.1
Created 30 March 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can check device system properties to potentially avoid running while under analysis.5
S0525 Android/AdDisplay.Ashas Android/AdDisplay.Ashas can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.8
S0422 Anubis Anubis has used motion sensor data to attempt to determine if it is running in an emulator.12
S0480 Cerberus Cerberus avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.4
S0301 Dendroid Dendroid can detect if it is being ran on an emulator.7
S0509 FakeSpy FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.11
S0423 Ginp Ginp can determine if it is running in an emulator.6
S0544 HenBox HenBox can detect if the app is running on an emulator.9
S0485 Mandrake Mandrake can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.3
S0411 Rotexy Rotexy checks if it is running in an analysis environment.1
S0545 TERRACOTTA TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings2.
S0427 TrickMo TrickMo can detect if it is running on a rooted device or an emulator.10
G0112 Windshift Windshift has deployed anti-analysis capabilities during their Operation BULL campaign.14
S0489 WolfRAT WolfRAT can perform primitive emulation checks.13

Detection

ID Data Source Data Component
DS0041 Application Vetting API Calls

References

  1. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. 

  2. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020. 

  3. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. 

  4. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020. 

  5. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  6. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020. 

  7. Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016. 

  8. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020. 

  9. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019. 

  10. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020. 

  11. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020. 

  12. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021. 

  13. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back… . Retrieved July 20, 2020. 

  14. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.