How to Prevent Malicious Use of Parallel Space and Virtual Space apps?
Parallel Space is a popular virtualization app that allows mobile users to make clones of Android apps and create multiple accounts for the same app that can run on the same physical “device”. It works by creating a separate container (an isolated environment where you can run other apps inside the container on the same virtualized environment). I use quotes around the word device because Parallel Space (and any of the apps like it) can run on many different platforms, not just Android. It runs on Android, Mac, Windows as well as emulators like BlueStacks and Nox, which makes it a very flexible tool for modding, cloning apps and using multiple accounts for the same mobile applications. For example, I just made a clone of a hugely popular social media app which I’m running on my personal Android phone and another clone of the same app that I’m running on the BlueStacks emulator. I’m using my ‘real’ ID on one account, and a fabricated ID that I just made up 10 minutes ago on the clones.
Now some of you might ask ‘so what’s wrong with that’?
Now, I’m an ethical hacker doing this with good intentions with the permission of the app maker. But most of the folks that use apps like Parallel Space (game cheaters, black hat hackers, cybercriminals, etc) do not ask for permission (they don’t need to), and are usually not acting in the interest of the app maker. And that’s the exact reason why the developers of apps for which Parallel Space targets might want to prevent users from using it (or at least control the manner in which it’s used).
Let me explain.
Mobile game developers and app publishers typically design their games with a specific set of design paradigms and usage scenarios. Two very important and very deliberate design assumptions of most mobile games are that they are intended for a single user (ie: a single account) and run on a mobile device (like an Android phone). One of the most important reasons for these design constraints is that it allows developers to ensure a high-quality, consistent, and supportable user experience for their games on which they can build a reliable product and monetization strategy. Apps like Parallel Space violate both of these design constraints and allow mobile users to run apps in virtualized environments and use multiple accounts on the same instance.
So let’s examine some of the reasons WHY people use ‘second space’ apps like Parallel Space for their own selfish benefit (and to the detriment of the app maker and mobile community at large).
Game Cheating
One of the most popular uses of apps like Parallel Space is cheating in mobile games to gain an unfair advantage. Parallel Space and virtualization frameworks like it allow game cheaters and hackers to run the target game in a virtualized environment, which benefits them in multiple ways. For one, running in a virtual space gives the cheater flexibility and scale. They can rapidly spin up instances and accounts at-will without needing to run the app on a physical device. Running virtual also allows them to cheat in games without rooting their own Android device, and manipulate RAM, networking elements, and other game properties in order to gain advantages.
One of the most popular uses of virtual space apps like Parallel Space is mobile game cheating.
Cloning, Modding & Multiple Account Creation
Another important benefit for cheaters, and perhaps the ‘killer feature’ that drives 90 million downloads of Parallel Space is the ability to create clones and mods of mobile apps/games and use those cloned apps across multiple accounts — all on the same device. Similar “Second Space” apps like Dual Space and 2Accounts allow users to create clones of almost any app or game on the Google Play Store. Running apps in multiple accounts is a must-have feature for game cheaters because it gives them a way to keep playing (and cheating) the game even if their account gets banned. Running multiple accounts is also useful in gaining unfair advantages in multiplayer games for many reasons, as it can enhance the cheater’s odds of winning by allowing more control over the game experience.
Hiding/cloaking (ie: Invisible Mode)
Second Space Apps often allow mobile users to hide the apps that they have cloned, which is a very useful feature for cyber-criminals or game cheaters, who almost always want to conceal their activities. After all, the best cybercrimes are often the ones that go undetected. And while apps like Parallel Space are used heavily for cheating in mobile games, the cloning and cloaking features extend the popularity and usefulness of second space apps to many other types of mobile applications. For example, the ability to create an unlimited number of random accounts and conceal activities enables all kinds of shady and malicious activities like money laundering, surveillance, cyber-bullying in social media apps, or synthetic fraud, credential stuffing, and identity theft in cash apps, loyalty apps, mobile banking apps, and much more.
Mobile Permission Harvesting & Abuse
Apps like Parallel Space often market themselves as ‘protecting user privacy’, claiming that they keep the user’s private data in a separate container. But the minute you install one Parallel Space, you get barraged with permission requests for every app that you want to use Parallel Space for, and it simply won’t work unless you grant the permissions. Each of those permissions, once granted, can be used in abusive, malicious, and unintended ways that are not always clear to the end-user. If you want to learn more about the hidden dangers of mobile app permissions, check out this blog on mobile malware
The Mobile Developer Dilemma
So what can you do as a mobile developer? On the one hand, it’s obvious to everyone that rampant cheating in mobile games (or in any other app type) is not good for anyone (except for the cheater of course). However, there are several fundamental and difficult problems that mobile game developers must grapple with in order to effectively prevent cheating. For one, there are many many ways to cheat in mobile games — using virtual space apps is just one method. There’s memory editing, hex editing, code injection, binary patching, auto-clickers, hacking in-app purchase logic, and fully automated cheating apps like Lucky Patcher, and many many more. I’ve covered many of these popular mobile game cheating methods in another blog.
Developers may not even know if a specific cheating method is being used to cheat in their game. They may suspect it, but they don’t really know. And even if they were fairly certain, preventing these cheating methods would require developers to build specific defenses into the application’s source code, one defense at a time. That’s an enormous amount of work, especially when using traditional mobile security solutions like open-source libraries or 3rd party SDKs. And finally, there’s the ever-important user experience. Mobile game developers are absolutely paranoid about implementing protections that might negatively impact the user experience.
Luckily, there‘s a different way. Mobile Developers need a solution that allows them to learn the specific cheating methods that are being used against their apps in the wild, and they also need a build system that allows them to build the specific protection into their game in a fully automated way, right from within their existing development processes.
Developers use Appdome’s No Code DevSecOps Build System to protect apps and games against malicious use of Parallel Space and other Second Space Apps. As a mobile developer, you can protect your Android app or mobile game so that malicious users can’t use apps like Parallel Space, virtualization frameworks, emulators, simulators, app players to create clones, mods or multiple accounts of your app, as well as other types of mobile fraud and/or cheating.
If you would like to talk more about this topic feel free to drop me an email at abavosa1@gmail.com. And if you’re a mobile developer who’s looking for a way to protect their game or app against virtualization tools, fraud, or malware, go ahead and reach out and I’d be happy to show you how you can build any of these protections into any iOS or Android app in just a few minutes — no coding required.
Cheers!
