MITRE ATT&CK® Technique

T1670: Virtualization Solution

Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.[1] There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).[2]

Through virtualization solutions, adversaries may execute malicious operations without user knowledge. For example, adversaries may mimic a legitimate banking application’s functionalities in a virtual environment, thanks to the virtualization solution, while malicious code captures credentials.

Domain: Mobile | ID: T1670 | Type: Technique | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Virtualization Solution (T1670) matters because it describes Android malware using virtualization to work around normal app sandbox assumptions and hide malicious activity from the user. For leaders, the practical issue is trust: a mobile device may appear to be running a legitimate app experience while credential capture or other malicious operations occur in a virtualized environment.

Executive priority

Treat this as a mobile identity and fraud-risk concern, especially where Android devices are used for banking, cryptocurrency, workforce access, or sensitive customer interactions. The supplied ATT&CK context links this behavior to GodFather, an Android banking malware family, and to user guidance as the listed mitigation. Executives should ask whether mobile security programs can evidence risky-app prevention, user awareness, mobile incident triage, and visibility into suspicious permission or app behavior on Android endpoints.

Technical view

The object is an Android mobile technique with no ATT&CK tactic or official detection text provided. SOC, detection, and IR teams should validate coverage against the related detection strategy DET0606 and focus on Android evidence that could indicate apps abusing virtualization to mimic legitimate app workflows, avoid sandbox expectations, or operate without user awareness. Relationship context to GodFather makes banking-app imitation, sensitive-data capture, accessibility-service abuse, and risky permissions relevant investigation pivots, but local telemetry is required to confirm any specific case.

Likely telemetry

  • Android application inventory and installation source data
  • Mobile device management or enterprise mobility management compliance signals
  • Android app permission grants, especially sensitive permissions and accessibility service usage
  • Mobile security alerts for suspicious app behavior or app impersonation
  • User reports of unexpected banking, wallet, exchange, or authentication prompts

Detection direction

  • Review DET0606 content where available and map it to the organization’s Android telemetry sources.
  • Validate whether mobile tooling can identify suspicious virtualization framework usage or apps presenting mimicked legitimate application flows.
  • Tune investigations around combinations of risky permissions, accessibility-service abuse, app impersonation indicators, and sensitive credential-entry workflows.
  • Avoid assuming detection is complete: ATT&CK provides no official detection text for T1670, and Android telemetry can be limited depending on device ownership, privacy model, and management depth.
  • Use the GodFather relationship as context for hunting and enrichment, not as proof that every virtualization-related finding is GodFather activity.
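To make the detection-direction bullets concrete, here is an added example (not code from ATT&CK, Glexia, or any product): a Python triage heuristic over constructed Android app-inventory records that scores the combinations named above (sideloading, accessibility-service declaration, overlay and SMS permissions, and a known app label paired with a different package name). The record field names, the allow-list, the package names and the weights are assumptions; the Play Store installer package com.android.vending is the one real identifier used.

```python
# Added example, not ATT&CK or Glexia code: field names, packages and weights are assumptions.
# Constructed allow-list of apps the organization cares about: label -> expected package.
KNOWN_APPS = {"Example Bank": "com.example.bank", "Example Wallet": "com.example.wallet"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; anything else counts as sideloaded

# Weights for permissions the page flags as risky in combination (real permission names).
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 2,       # overlay on top of a real banking app
    "android.permission.READ_SMS": 2,                  # OTP interception
    "android.permission.REQUEST_INSTALL_PACKAGES": 1,  # dropper behaviour
}

def score_app(app):
    """Return (score, reasons) for one inventory record (dict)."""
    score, reasons = 0, []
    if app.get("installer") not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append("sideloaded")
    if app.get("declares_accessibility_service"):
        score += 3
        reasons.append("accessibility service")
    for perm, weight in RISKY_PERMISSIONS.items():
        if perm in app.get("permissions", []):
            score += weight
            reasons.append(perm.rsplit(".", 1)[-1])
    expected = KNOWN_APPS.get(app.get("label"))  # impersonation: known label, other package
    if expected and expected != app.get("package"):
        score += 4
        reasons.append(f"label mimics {expected}")
    return score, reasons

def triage(records, threshold=5):
    """Return records scoring at or above threshold, highest score first."""
    scored = ((app, *score_app(app)) for app in records)
    flagged = [{"package": a["package"], "score": s, "reasons": r} for a, s, r in scored if s >= threshold]
    return sorted(flagged, key=lambda f: -f["score"])

# Constructed sample inventory: the genuine app, an impersonator, and a benign sideloaded tool.
SAMPLE_INVENTORY = [
    {"label": "Example Bank", "package": "com.example.bank", "installer": "com.android.vending",
     "permissions": ["android.permission.INTERNET"], "declares_accessibility_service": False},
    {"label": "Example Bank", "package": "com.update.bankapp", "installer": None,
     "permissions": ["android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_SMS"],
     "declares_accessibility_service": True},
    {"label": "Screen Filter", "package": "com.example.filter", "installer": None,
     "permissions": ["android.permission.SYSTEM_ALERT_WINDOW"],
     "declares_accessibility_service": False},
]

print(triage(SAMPLE_INVENTORY))
```

Only the impersonating record crosses the threshold; the benign sideloaded overlay tool scores 4 and stays below it, which is the point of scoring combinations rather than single permissions.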

Mitigation priorities

  • Prioritize user guidance for Android users, consistent with ATT&CK mitigation M1011, covering risky app sources, permission prompts, accessibility-service requests, and suspicious app-login experiences.
  • Where organizationally feasible, enforce managed-device policies that limit untrusted app installation and improve visibility into installed applications and permissions.
  • Establish mobile IR playbooks for suspected credential capture or banking-app impersonation, including account protection and device review steps.
  • Align mobile security controls with identity risk processes so suspected mobile credential capture can trigger appropriate access review and response.
  • Maintain evidence for compliance and audit showing user guidance, mobile policy enforcement, and incident handling procedures for Android threats.

Analyst notes and limits

This take is based on ATT&CK T1670 version 1.0 in the mobile domain, Android platform, two Android Open Source Project references, the DET0606 detection-strategy relationship, M1011 User Guidance mitigation, and the S1231 GodFather software relationship. The ATT&CK description specifically emphasizes virtualization as a way to escape Android sandbox assumptions, avoid detection, and mimic legitimate banking application functionality while capturing credentials.

ATT&CK supplied no tactic and no official detection text for this technique. The relationship data supports Android and GodFather context, but does not establish activity in any specific environment. Local mobile management coverage, privacy constraints, device ownership, app telemetry, and incident evidence determine whether this behavior can be detected or investigated effectively.

Official MITRE ATT&CK definition

Virtualization Solution

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

S1231: GodFather (Malware, Mobile, Android)

GodFather is an Android banking malware that uses virtualization to mimic legitimate applications and abuses accessibility services and other permissions to evade detection and exfiltrate sensitive data. First identified in 2020, GodFather targets nearly 500 banking applications, cryptocurrency wallets, and exchanges worldwide; however, its virtualization-based attacks have primarily focused on several Turkish financial institutions. This capability enables threat actors to steal banking credentials and other sensitive account information.[1][2]

S1208: FjordPhantom (Malware, Mobile, Android)

FjordPhantom is a malicious Android application first discovered in September 2024 with targets in Southeast Asia, specifically Indonesia, Thailand, and Vietnam. FjordPhantom was distributed through email and messaging applications. Once installed, the application launches a virtualization solution to steal important information, such as bank accounts, and to manipulate the user interface. The malicious activity from the virtualization solution runs alongside legitimate banking applications.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a6877772af49105a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a6877772af49…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Android Application Sandbox: Android Open Source Project. (n.d.). Application Sandbox. Retrieved February 26, 2025.
  2. [2] Android AVF Overview: Android Open Source Project. (n.d.). Android Virtualization Framework (AVF) overview. Retrieved February 26, 2025.
  3. [3] mitre-attack T1670.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.