Bypassing Android Anti-emulation


1. Introduction

Modern Android malware and protected applications often employ anti-emulation checks. These checks detect whether the app is running in a virtualized environment (an emulator) rather than on a physical device. If an emulator is detected, the app may crash, display fake data, refuse to execute core logic, or even uninstall itself.

For security analysts, bypassing these checks is critical for performing dynamic analysis, network inspection, and runtime manipulation. Attackers use multiple indicators to fingerprint an emulator.


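```javascript
Java.perform(function () {
  // Hook TelephonyManager
  var TelephonyManager = Java.use("android.telephony.TelephonyManager");
  // .overload() selects the no-argument variant; the bare property throws
  // when the class exposes more than one overload of the method.
  TelephonyManager.getDeviceId.overload().implementation = function () {
    return "354554091234567"; // 15-digit IMEI-format value
  };
  TelephonyManager.getSimOperatorName.overload().implementation = function () {
    return "T-Mobile";
  };
});
```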


```javascript
Java.perform(function () {
  // Hook Build properties
  var Build = Java.use("android.os.Build");
  Build.FINGERPRINT.value = "google/angler/angler:6.0.1/MTC20F/12345:user/release-keys";
  Build.MANUFACTURER.value = "Huawei";
  Build.MODEL.value = "Nexus 6P";

  // Hook getprop
  var SystemProperties = Java.use("android.os.SystemProperties");
  SystemProperties.get.overload('java.lang.String').implementation = function (key) {
    if (key === "ro.boot.qemu") return "0";
    return this.get(key); // every other key falls through to the original method
  };
});
```
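To see which values an app-side check would still flag once hooks like the ones above are in place, the following added example (not part of the original article) audits a profile of returned values under Node.js. The indicator patterns are commonly documented emulator defaults, and the names `luhnValid`, `auditProfile`, `CHECKS` and the stock-emulator sample are assumptions constructed for illustration.

```javascript
// Added example: audit the values an analysis setup presents to the app.
// Patterns below are commonly documented emulator defaults (assumed here).

// Luhn check digit, which genuine 15-digit IMEIs satisfy.
function luhnValid(digits) {
  if (!/^\d{15}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]); // walk right to left
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; } // double every 2nd digit
    sum += d;
  }
  return sum % 10 === 0;
}

// [name of the value, predicate that is true when it looks emulated]
const CHECKS = [
  ["Build.FINGERPRINT", v => /generic|sdk_gphone|vbox/i.test(v)],
  ["Build.MODEL", v => /sdk|emulator/i.test(v)],
  ["Build.MANUFACTURER", v => /^(unknown|genymotion)$/i.test(v)],
  ["ro.boot.qemu", v => v === "1"],
  ["getDeviceId", v => /^0+$/.test(v) || !luhnValid(v)],
  ["getSimOperatorName", v => v === "" || v === "Android"],
];

// Returns the names of profile entries that still look like an emulator.
function auditProfile(profile) {
  return CHECKS
    .filter(([name, looksEmulated]) =>
      name in profile && looksEmulated(String(profile[name])))
    .map(([name]) => name);
}

// Constructed sample: values typical of a stock emulator image.
const stockEmulator = {
  "Build.FINGERPRINT": "generic_x86/sdk_google_phone_x86/generic_x86:7.0/NYC/0000000:userdebug/test-keys",
  "Build.MODEL": "Android SDK built for x86", "Build.MANUFACTURER": "unknown",
  "ro.boot.qemu": "1", "getDeviceId": "000000000000000", "getSimOperatorName": "Android",
};
// The values returned by the hooks shown in this article.
const hookedProfile = {
  "Build.FINGERPRINT": "google/angler/angler:6.0.1/MTC20F/12345:user/release-keys",
  "Build.MODEL": "Nexus 6P", "Build.MANUFACTURER": "Huawei",
  "ro.boot.qemu": "0", "getDeviceId": "354554091234567", "getSimOperatorName": "T-Mobile",
};

console.log("stock emulator:", auditProfile(stockEmulator));
console.log("hooked profile:", auditProfile(hookedProfile));
```

All six entries of the stock profile are flagged, while the hooked profile is flagged only for `getDeviceId`, because 354554091234567 does not satisfy the Luhn check digit.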

apktool, jadx, dex2jar, Bytecode Viewer