DET0616: Detection of Virtualization/Sandbox Evasion
DET0616 is a mobile ATT&CK detection strategy for identifying behavior associated with Virtualization/Sandbox Evasion. Its business significance is that mo...
Analyst context for executives and security teams
DET0616 is a mobile ATT&CK detection strategy for identifying behavior associated with Virtualization/Sandbox Evasion. Its business significance is that mobile malware may behave differently when it realizes it is being analyzed, which can cause sandbox-only testing, app vetting, or incident triage to miss the payload’s real behavior. For leaders, this is a reminder that mobile threat analysis should not rely on a single automated sandbox result as proof of safety.
Executive priority
Prioritize this where Android or iOS devices, mobile applications, or mobile malware analysis are material to business operations, executive communications, regulated data access, or incident response. The key decision question is whether the organization can produce credible evidence that mobile app or malware analysis environments are resistant to basic evasion, and whether suspicious mobile samples are escalated for deeper review when sandbox results are inconclusive.
Technical view
This detection strategy is linked to ATT&CK mobile technique T1633, Virtualization/Sandbox Evasion, for Android and iOS. SOC, detection engineering, and IR teams should validate whether mobile analysis workflows look for attempts to identify virtual machines, emulators, sandboxes, or other analysis artifacts, and whether detections account for samples that disengage, delay, or suppress core behavior when analysis conditions are detected. Because the supplied ATT&CK object does not include an official detection description, teams should ground implementation in local mobile telemetry, sandbox logs, emulator instrumentation, app behavior traces, and manual analysis outcomes.
Likely telemetry
- Mobile sandbox or dynamic analysis logs
- Emulator or virtual device environment indicators observed during app execution
- Mobile application runtime behavior traces
- System, API, or permission access telemetry from Android or iOS analysis environments
- Network activity generated during mobile app analysis
Detection direction
- Validate that mobile malware/app analysis does not treat a clean or quiet sandbox run as sufficient evidence of benign behavior when other risk signals exist.
- Look for behavior changes tied to suspected analysis environments, such as disengagement, concealment of core payload functions, or withholding additional payload activity after environment checks.
- Compare behavior across multiple analysis conditions where feasible, especially for samples that appear inert in a sandbox but remain suspicious by source, permissions, packaging, or other triage context.
- Tune detections to reduce false positives from legitimate apps that check device model, OS version, emulator status, or testing frameworks for compatibility or anti-fraud reasons.
- Use the relationship to T1633 as context: the detection objective is not just finding a sandbox check, but identifying evasion that can undermine mobile analysis confidence.
Mitigation priorities
- Do not rely solely on one automated mobile sandbox verdict for high-risk apps or suspicious mobile samples.
- Maintain mobile analysis environments that can vary device characteristics and reduce obvious analysis artifacts where appropriate.
- Require escalation paths for suspicious samples that behave inertly or inconsistently during dynamic analysis.
- Preserve analysis logs and analyst rationale as compliance and incident-response evidence when mobile threats are investigated.
- Align mobile detection engineering, incident response, and threat intelligence workflows so evasive behavior is treated as a risk signal rather than an analysis failure alone.
Analyst notes and limits
The supplied ATT&CK detection strategy has no official description, detection text, tactics, or platforms of its own. The practical guidance here is derived from the official external reference and the stated relationship that DET0616 detects mobile technique T1633, Virtualization/Sandbox Evasion, whose related platforms are Android and iOS.
This take does not assert current exploitation, specific adversary use, specific detection logic, or guaranteed coverage. Local telemetry, sandbox capabilities, mobile device management visibility, and analyst workflow determine whether the organization can actually detect this behavior.
Detection of Virtualization/Sandbox Evasion
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1633 | Virtualization/Sandbox Evasion | This object detects Virtualization/Sandbox Evasion. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 0b37317d2893… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0616Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.