T1633.001: System Checks
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads.
Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.
Hardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.
Analyst context for executives and security teams
System Checks is mobile malware behavior where an app looks for signs it is running in an emulator, sandbox, or analysis environment before revealing its real functionality. For leaders, the practical issue is assurance: automated mobile app vetting can miss malicious behavior if the test environment looks unrealistic.
Executive priority
Prioritize this where Android or iOS devices support sensitive workflows, identity access, banking/payment activity, executive communications, or field operations. The business question is whether mobile security controls can evaluate suspicious apps in realistic conditions and produce evidence for incident response, audit, and risk decisions—not just whether an app was scanned once.
Technical view
ATT&CK lists Android and iOS platforms and no specific tactic or official detection text. Validate coverage against the related detection strategy DET0625 and the parent technique Virtualization/Sandbox Evasion. SOC and IR teams should look for apps that query environment indicators such as host or domain properties, network traffic patterns, network adapter addresses, CPU core count, memory or storage size, and sensor readings such as motion data, especially when those checks appear to gate payload delivery or change app behavior. Relationship context shows this behavior is documented across multiple Android malware entries, including banking trojans, RATs, spyware, adware, and related mobile threats, so Android telemetry depth is especially important.
Likely telemetry
- Mobile threat defense or mobile EDR alerts and behavioral traces
- MDM/UEM app inventory, install source, device posture, and compliance state
- Mobile sandbox or dynamic analysis logs showing system property, hardware, network, and sensor queries
- Static analysis results for emulator, sandbox, hardware, sensor, and environment-checking code paths
- Network telemetry from mobile devices or analysis environments
Detection direction
- Confirm that mobile analysis environments expose realistic device properties, storage, memory, network, and sensor activity; weak sandboxes may cause malware to hide.
- Tune detections for suspicious combinations of system, hardware, network, and sensor checks followed by behavioral changes, rather than treating every hardware query as malicious.
- Account for false positives: legitimate apps may check CPU, memory, storage, network state, or sensors for performance and feature support.
- Compare behavior between sandbox/emulator and real-device analysis where legally and operationally appropriate.
- Use ATT&CK relationship context to test against known mobile malware patterns, while avoiding assumptions that any single check proves compromise.
Mitigation priorities
- Strengthen mobile app vetting with dynamic analysis that simulates realistic devices, networks, and sensor activity.
- Use MDM/UEM policy to limit untrusted app sources and maintain app inventory and device compliance evidence.
- Prioritize mobile threat monitoring for devices handling sensitive identity, financial, executive, or operational workflows.
- In incident response, preserve app samples, device context, install source, permissions, network activity, and analysis-environment results for repeatable evidence.
- Review mobile security testing procedures so sandbox-evasion findings drive escalation rather than a simple pass/fail result.
Analyst notes and limits
This object is a sub-technique of T1633 Virtualization/Sandbox Evasion and supersedes revoked technique T1523. The supplied relationships include one detection strategy, one group, and multiple software entries, mostly Android, that use this behavior. That supports treating it as a material mobile analysis and detection-resilience concern, not as proof of current activity in any environment.
MITRE provides no official detection text and no tactic value for this object. Local conclusions require organization-specific mobile telemetry, app inventory, sandbox design, and device-use context. The supplied fields support Android and iOS platform relevance, but most named software relationships provided are Android-focused.
System Checks
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads.
Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.
Hardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1633 | Virtualization/Sandbox Evasion | This object subtechnique of Virtualization/Sandbox Evasion. |
| Mobile | T1523 | Evade Analysis Environment | Evade Analysis Environment revoked by this object. |
Groups, software, and campaigns
G0112: Windshift
S1061: AbstractEmu
AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.[1]
S0525: Android/AdDisplay.Ashas
Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. [1]
S0301: Dendroid
S0485: Mandrake
Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.
Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]
S0423: Ginp
S0544: HenBox
S1083: Chameleon
Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]
S0545: TERRACOTTA
TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]
S0480: Cerberus
S0411: Rotexy
S0509: FakeSpy
S0422: Anubis
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | d1f41ac3c5ff… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack T1633.001Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.