Android Anti-emulation: Bypassing

// Hook Build properties var Build = Java.use("android.os.Build"); Build.FINGERPRINT.value = "google/angler/angler:6.0.1/MTC20F/12345:user/release-keys"; Build.MANUFACTURER.value = "Huawei"; Build.MODEL.value = "Nexus 6P"; // Hook getprop var SystemProperties = Java.use("android.os.SystemProperties"); SystemProperties.get.overload('java.lang.String').implementation = function(key) ;

:

:

: apktool , jadx , dex2jar , Bytecode Viewer

:

| Category | Technique | Example Check | |----------|-----------|----------------| | | ro.kernel.qemu | getprop("ro.kernel.qemu") == "1" | | Filesystem | Presence of emulator-specific files | /system/bin/qemu-props , /dev/qemu_pipe | | Hardware | Fake or generic hardware IDs | Build.MANUFACTURER = "unknown" | | Network | Emulator default IPs | 10.0.2.15 , 10.0.2.2 | | Sensors | Missing or static sensors | No accelerometer, fake battery info | | Telephony | Missing SIM, dummy IMEI | TelephonyManager.getDeviceId() returns "000000000000000" | | Performance | Unnatural timing | Too fast execution (no real user interaction) | 3. Bypass Strategies We will classify bypass methods into static (modifying the app or environment before execution) and dynamic (intercepting checks at runtime). 3.1 Static Bypass – Patching the APK Remove or NOP-out anti-emulation checks directly from the bytecode.

:

// Hook TelephonyManager var TelephonyManager = Java.use("android.telephony.TelephonyManager"); TelephonyManager.getDeviceId.implementation = function() return "354554091234567"; // valid IMEI ; TelephonyManager.getSimOperatorName.implementation = function() return "T-Mobile"; ;

For security analysts, bypassing these checks is critical to perform dynamic analysis, network inspection, and runtime manipulation. Attackers use multiple indicators to fingerprint an emulator: Bypassing Android Anti-Emulation

1. Introduction Modern Android malware and protected applications often employ anti-emulation checks. These checks detect if the app is running on a virtualized environment (emulator) rather than a physical device. If an emulator is detected, the app may crash, display fake data, refuse to execute core logic, or even uninstall itself.