T1633: Virtualization/Sandbox Evasion
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment.
Analyst context for executives and security teams
Virtualization/Sandbox Evasion matters because mobile malware can behave differently when it thinks it is being analyzed. For executives and security leaders, the risk is not just the evasion itself; it is the possibility that mobile app vetting, sandbox detonation, or incident triage produces a falsely reassuring result because the payload concealed its core behavior in an analysis environment.
Executive priority
Prioritize this as a validation issue for mobile security assurance and incident readiness. Leaders should ask whether Android and iOS malware analysis workflows account for sandbox-aware behavior, whether mobile app risk decisions rely too heavily on automated analysis alone, and whether SOC/IR teams can escalate suspicious mobile samples even when sandbox output is inconclusive. The technique is especially relevant where mobile devices affect identity access, executive communications, regulated data handling, or operational continuity.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around mobile applications that check for virtualized, emulated, sandbox, or analysis artifacts and then alter execution. ATT&CK provides a related detection strategy, DET0616, and identifies System Checks as sub-technique T1633.001 across Android and iOS. Relationship context also shows Android malware examples using this behavior, including AbstractEmu and SpyC23, so Android analysis pipelines should be specifically reviewed. Because the official detection field is not provided, local telemetry and analysis-method evidence are required to define reliable detections.
Likely telemetry
- Mobile application dynamic analysis logs from sandbox or emulator runs
- Static analysis indicators showing checks for system, emulator, virtualization, or analysis artifacts
- Mobile EDR or device security telemetry for suspicious app behavior before and after environment checks
- Application runtime logs or instrumentation traces where available
- Mobile app installation source, package metadata, permissions, and execution context
Detection direction
- Validate DET0616-aligned logic against mobile samples that perform virtualization, sandbox, or system-artifact checks.
- Test whether automated analysis environments reveal enough realistic user activity and device characteristics to prevent simple analysis-environment detection from suppressing behavior.
- Compare static findings with dynamic behavior; a sample that contains environment-checking logic but appears inert in a sandbox should not be automatically treated as benign.
- Tune for false positives because legitimate apps may inspect device properties or environment state for compatibility, testing, anti-fraud, or licensing reasons.
- Use relationship context from T1633.001 System Checks to focus detection engineering on checks that precede behavior changes, payload staging, disengagement, or concealment.
Mitigation priorities
- Do not rely solely on one automated mobile sandbox result for high-risk apps or incidents.
- Use layered mobile analysis: static inspection, dynamic execution, behavioral comparison, and where appropriate controlled testing on representative physical devices.
- Strengthen mobile app intake, vetting, and incident escalation criteria so evasive or inconclusive behavior triggers review rather than dismissal.
- Ensure mobile security controls and IR playbooks preserve evidence needed to compare sandbox, emulator, and real-device behavior.
- Prioritize identity and access safeguards for mobile endpoints that handle sensitive accounts or communications, because evasive mobile malware can undermine confidence in analysis results.
Analyst notes and limits
ATT&CK does not specify tactics for this object and does not provide official detection text. The strongest relationship-driven context is the DET0616 detection strategy, the T1633.001 System Checks sub-technique, and Android software relationships for AbstractEmu and SpyC23. Treat this as a coverage-validation and analysis-assurance issue rather than a standalone indicator of compromise.
This take is based only on the supplied ATT&CK STIX fields, external reference, and relationships. It does not establish active exploitation, current campaign activity, customer exposure, or guaranteed detection. Local device mix, mobile telemetry, sandbox design, app sources, and incident evidence are required to determine actual risk and coverage.
Virtualization/Sandbox Evasion
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1633.001 | System Checks Sub-technique | System Checks subtechnique of this object. |
Groups, software, and campaigns
S1061: AbstractEmu
AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.[1]
S1195: SpyC23
SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]
There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 8075e04b4d88… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack T1633Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.