Android malware uses accelerometer readings to figure out if it was running on a real phone or in emulation

Originally published at: https://boingboing.net/2019/01/18/head-in-a-jar-vs-bluepill.html


Legitimate apps have been known to do this too. WeChat can sometimes require that the user shake their phone as part of the registration process to make sure people aren’t running it in an emulator.

Some apps will look closely at the NMEA messages coming out of the location service and check for GSV (Space Vehicle: the list of satellites the phone currently sees, along with signal strengths) messages. Emulators will often only emulate the GLL (location) messages or will spit out obviously bogus GSV messages. Or they will try to compare the GPS coordinates with the cell towers/Wi-Fi hotspots they see nearby to make sure they are in the same general area. The lesson being that if you want to emulate a phone you need to be very careful to not give the game away.

Also, Android vs. iOS makes a big difference. iOS locks apps down a lot more so they can’t double check you, but at the same time the emulator options are far more limited.

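The checks the post above describes (a shake test on the accelerometer, and GSV sentences that are missing or obviously bogus next to GLL/GGA fixes) as an added, runnable example. This is not code from the thread or from any app it mentions; the NMEA field layout for GSV (three header fields, then groups of four: PRN, elevation, azimuth, SNR), the 15 m/s² shake threshold and the "identical SNR across every satellite" heuristic are this example's own assumptions, and every sample sentence and accelerometer trace is constructed.

```python
"""Sensor-plausibility checks for spotting an emulated phone.

Added example, not from the original thread. Heuristics (assumptions):
 - a position fix (GLL/GGA/RMC) with no GSV sentences at all
 - GSV reporting zero satellites in view alongside a fix
 - every satellite reporting the identical SNR (synthesised output)
 - accelerometer trace with exactly zero variance; a real phone at rest
   still jitters, and a shake test needs a clear excursion above 1 g
"""
import math
import statistics

FIX_TYPES = {"GLL", "GGA", "RMC"}
SHAKE_THRESHOLD = 15.0   # m/s^2, assumed; gravity alone is ~9.81


def nmea_checksum(body: str) -> int:
    """XOR of every character between '$' and '*'."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def nmea(body: str) -> str:
    """Build a sentence with a valid checksum (used only to construct samples)."""
    return f"${body}*{nmea_checksum(body):02X}"


def parse_nmea(line: str):
    """Return (talker+type, fields) or None if the sentence is malformed."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, cs = line[1:].rpartition("*")
    try:
        if int(cs, 16) != nmea_checksum(body):
            return None
    except ValueError:
        return None
    fields = body.split(",")
    return fields[0], fields[1:]


def gsv_satellites(fields):
    """Yield (prn, snr) from one GSV sentence; snr is None when blank."""
    sats = []
    for i in range(3, len(fields), 4):        # skip total_msgs, msg_num, in_view
        group = fields[i:i + 4]
        if len(group) < 4:                     # trailing signal-ID field or truncated group
            break
        prn, _elev, _az, snr = group
        if prn:
            sats.append((int(prn), int(snr) if snr else None))
    return sats


def gnss_verdict(lines):
    """Return a list of reasons the NMEA stream looks emulated (empty = plausible)."""
    reasons, have_fix, gsv_seen, in_view, snrs = [], False, False, [], []
    for line in lines:
        parsed = parse_nmea(line)
        if parsed is None:
            reasons.append(f"malformed or bad-checksum sentence: {line!r}")
            continue
        kind, fields = parsed
        stype = kind[-3:]                      # drop the talker prefix (GP, GL, GN, ...)
        if stype in FIX_TYPES:
            have_fix = True
        elif stype == "GSV":
            gsv_seen = True
            in_view.append(int(fields[2] or 0))
            snrs.extend(snr for _, snr in gsv_satellites(fields) if snr is not None)
    if have_fix and not gsv_seen:
        reasons.append("position fix reported but no GSV (satellites in view) sentences")
    if have_fix and gsv_seen and max(in_view) == 0:
        reasons.append("position fix reported with zero satellites in view")
    if len(snrs) >= 4 and len(set(snrs)) == 1:
        reasons.append(f"all {len(snrs)} satellites report identical SNR {snrs[0]}")
    return reasons


def accel_magnitudes(samples):
    return [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]


def accel_looks_synthetic(samples) -> bool:
    """A physical sensor never returns a perfectly constant magnitude."""
    mags = accel_magnitudes(samples)
    return len(mags) > 1 and statistics.pstdev(mags) == 0.0


def shake_detected(samples, threshold: float = SHAKE_THRESHOLD) -> bool:
    return max(accel_magnitudes(samples)) > threshold


# Constructed sample traces (not captured from any real device or emulator).
TRACES = {
    "real_phone": [
        nmea("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,"),
        nmea("GPGSV,2,1,08,01,40,083,46,02,17,308,41,12,07,344,39,14,22,228,45"),
        nmea("GPGSV,2,2,08,19,12,034,37,24,64,177,48,25,27,125,42,32,55,268,44"),
        nmea("GPGLL,4807.038,N,01131.000,E,123519,A,A"),
    ],
    "emulator_no_gsv": [
        nmea("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,"),
        nmea("GPGLL,4807.038,N,01131.000,E,123519,A,A"),
    ],
    "emulator_zero_sats": [
        nmea("GPGLL,4807.038,N,01131.000,E,123519,A,A"),
        nmea("GPGSV,1,1,00"),
    ],
    "emulator_flat_snr": [
        nmea("GPGLL,4807.038,N,01131.000,E,123519,A,A"),
        nmea("GPGSV,1,1,04,01,00,000,00,02,00,000,00,03,00,000,00,04,00,000,00"),
    ],
}
PHONE_AT_REST = [(0.12, 9.79, 0.33), (0.10, 9.82, 0.31), (0.15, 9.80, 0.29), (0.11, 9.81, 0.34)]
PHONE_SHAKEN = PHONE_AT_REST + [(3.0, 18.5, 4.2), (-2.5, 1.0, -6.0)]
EMULATOR_ACCEL = [(0.0, 9.81, 0.0)] * 4

if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, gnss_verdict(trace) or "plausible")
    print("emulator accel synthetic:", accel_looks_synthetic(EMULATOR_ACCEL))
    print("shake seen:", shake_detected(PHONE_SHAKEN), shake_detected(PHONE_AT_REST))
```

Sentences are validated by checksum first, so a sloppy emulator that emits unchecksummed or mis-checksummed output is caught before any semantic check; the constructed traces are built through `nmea()` so their checksums are always valid and only the content differs.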

Shake shake shake /
Shake shake shake /
Shake while booting, shake while booting …


If only all those nerds who think we’re already inside the Matrix could find a way to access their accelerometers, such as sports.


This is also essentially the same tactic that VW used for bypassing the emissions tests - software would recognize that the car was on a test rig (e.g. not moving) and modify the behavior to reduce emissions output. It wasn’t accelerometer-based, but something similar.


(VW diesel-gate)


The method the magazine used to engage cheat mode while driving required making assumptions about the ECU’s operations. Because disabling electronic stability control is a necessary step for running a car on a dynamometer, the magazine assumed that this would put the car in cheat mode.[14] In order to keep the electronic stability control from reactivating while driving, they disconnected the cars’ rear wheel speed sensors, simulating the inputs the ECU receives while the car is on a stationary test rig, even though it was being driven on the road.[14] Besides front and rear wheel speeds, the EPA had said that steering wheel movement, barometric pressure and duration of engine operation were factors in triggering cheat mode.[15]


And then there’s ISP script host injection that geotags, or just ad networks that manage to get a hold of similar information, and it’s past matching real-time precision of GPS/GLONASS/etc. location accuracy.

Or so I’d like to have agency in order to reward El Reg for including even Outbrain ads, but never Outbrain, and to reiterate to ISPs that I am always a newly minted Masters in CS.

There’s nothing preventing them from doing it, it’s just extra work that no one will do unless their app uses it and they want to test thoroughly. It’s the same with GPS, no one is going to fake it unless their app uses GPS a lot and they have to test various conditions. Or they’re cheating at Pokemon Go.

Same level of difficulty as fooling a captcha screen with fake mouse movement.
