
T1670 Virtualization Solution

Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.[2] There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).[1]

Through virtualization solutions, adversaries may execute malicious operations without the user's knowledge. For example, an adversary may use a virtualization solution to run a legitimate banking application inside a virtual environment, so that it keeps its normal functionality, while malicious code running alongside it captures the user's credentials.
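Because a virtualized guest app runs inside the process and data directory of the host (container) app, the guest can compare what the framework reports about its own package with what the kernel exposes. The following Android self-check is an added example, not part of the ATT&CK page or of any product; the class name VirtualEnvironmentCheck and the three heuristics are assumptions, and a container that hooks framework APIs can still spoof the ApplicationInfo values, so the /proc reads are the harder signal to fake.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;
import java.io.FileInputStream;
import java.util.ArrayList;
import java.util.List;

/** Heuristic self-check for an app that does not expect to run inside another app's process. */
public final class VirtualEnvironmentCheck {

    /** Returns human-readable findings; an empty list means no indicator fired. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo info = ctx.getApplicationInfo();

        // 1. A normally installed app's private data lives under /data/user/<n>/<package>.
        //    A container keeps the guest's files under the host app's data directory instead.
        String dataDir = info.dataDir == null ? "" : info.dataDir;
        if (!dataDir.endsWith("/" + pkg)) {
            out.add("dataDir does not end with package name: " + dataDir);
        }
        String filesDir = ctx.getFilesDir().getAbsolutePath();
        if (!filesDir.contains("/" + pkg + "/")) {
            out.add("filesDir outside package directory: " + filesDir);
        }

        // 2. A regular app's process name equals its package name (unless the manifest sets
        //    android:process). Inside a container the process belongs to the host app.
        String cmdline = readFirstField("/proc/self/cmdline");
        if (!cmdline.isEmpty() && !cmdline.startsWith(pkg)) {
            out.add("process name differs from package name: " + cmdline);
        }

        // 3. The uid the kernel gave this process should match the installed package's uid.
        if (info.uid != Process.myUid()) {
            out.add("runtime uid " + Process.myUid() + " != installed uid " + info.uid);
        }
        return out;
    }

    /** Reads a NUL-separated proc file and returns its first field ("" on any error). */
    private static String readFirstField(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            byte[] buf = new byte[4096];
            int n = in.read(buf);
            if (n <= 0) return "";
            String s = new String(buf, 0, n);
            int nul = s.indexOf('\0');
            return nul >= 0 ? s.substring(0, nul) : s;
        } catch (Exception e) {
            return "";
        }
    }
}
```

A non-empty result is a signal to log or report server-side, not proof by itself: legitimate multi-profile setups and manifests that set android:process can trigger individual heuristics.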

ID: T1670
Sub-techniques: (none)
Tactics: TA0030
Platforms: Android
Version: 1.0
Created: 14 March 2025
Last Modified: 14 March 2025

Procedure Examples

S1208 (FjordPhantom): FjordPhantom uses a virtualization solution to steal credentials.[4]
S1231 (GodFather): GodFather has used virtualization to create a separate virtual environment that mimicked legitimate banking and cryptocurrency applications.[3]

Mitigations

M1011 (User Guidance): Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious applications.

References