Emulator Detection

Detecting that an app is running on an emulator is a key RASP feature. An emulator is software primarily used for development purposes and it allows Android apps to run on a computer. Android apps are typically not meant to be run on emulators by their users. Such behavior can therefore be a sign of a possible attack or reverse engineering attempt.

Malwarelytics for Android is able to detect that the app is running on an emulator and can be configured to terminate the app in this case.

Configuration

This feature can be configured during the Malwarelytics initialization phase:

val raspConfig = RaspConfig.Builder()
    .emulator(DetectionConfig)
    // configuration of other RASP features
    .build()

Available values of DetectionConfig:

Value Description
NoAction indicates that emulators will not be automatically detected. A manual check is still possible.
Notify indicates that emulators will be automatically detected and observers will be notified.
Exit(
exitUrl:String?)
indicates that emulators will be automatically detected and the app will be terminated when an emulator is automatically detected.

Emulator detection defaults to DetectionConfig.Notify.

List of available parameters for some config values:

Parameter Description
exitUrl:String? defines the URL to be opened when the app is terminated because of the automatic detection. Defaults to null.

Usage

After initialization, the emulator detection feature can be accessed via RaspManager. This can be used to register an observer or to trigger a manual emulator detection check.

Registering an Observer

Emulator detection can trigger a certain action. To achieve that, an observer needs to be configured and registered.

Observer configuration:

val raspObserver = object : RaspObserver {
     override fun onEmulatorDetected(emulatorDetection: EmulatorDetection) {
        // handle emulator detection
    }
    // handle detection of other RASP features
}

The observer can be registered in RaspManager. When it is no longer needed, it can be unregistered again.

raspManager.registerRaspObserver(raspObserver)
raspManager.unregisterRaspObserver(raspObserver)

Triggering a Manual Check

Emulator detection check can be triggered manually in RaspManager. Two methods are available – isDeviceEmulator() gives a simple boolean answer, whereas getEmulatorDetection() provides more details.

val emulatorDetection = raspManager.getEmulatorDetection()
val isDeviceEmulator = raspManager.isDeviceEmulator()

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Nov 21, 2023 (12:06) View product
Search

1.2.x

Malwarelytics for Android