Introducing Multi-Instancing Detection for freeRASP
The new version of freeRASP comes with a new feature: multi-instance detection of Parallel Space. What is multi-instancing, why is it an issue, and how can it be detected?

What is Multi-Instancing?
Multi-instancing allows multiple instances of the same application to run simultaneously on a single Android device. Normally, Android permits only one instance of an app. Users can bypass this limitation using third-party cloning tools, virtualization apps, or modified Android environments. Each instance operates independently with separate data storage, user accounts, and app state.

Why Multi-Instancing Might be Bad
Fraud and Abuse: Malicious actors can bypass "one-per-device" limitations for promotional offers, contests, or referral programs. They can create numerous fake accounts to generate fraudulent ad clicks, post fake reviews, or manipulate voting systems.
Security Bypass: For high-security apps like banking or enterprise software, multi-instancing poses a significant threat. An attacker could use the sandboxed environment to analyze the app's behavior, attempt to bypass root detection, or tamper with its data in a controlled setting.
Privacy Risks: The cloner app itself acts as a Man-in-the-Middle (MITM). Applications like Parallel Space have the (technical) ability to read, modify, and log all data from the "cloned" app. This includes login credentials, private messages, and financial information.

How Does Multi-Instancing Work?
Multi-instancing can be achieved using several techniques:
Work Profile: An Android feature that lets users separate personal and work-related apps, data and settings on the same device by creating a secure container. Each work profile has its own user ID, creating a distinct environment that keeps data isolated.
App Cloning: Works by modifying the package name of the application. Android then sees these applications as separate.
Manufacturer Feature: Some manufacturers provide the aforementioned app cloning as a system feature (like Xiaomi Dual App).
Third-Party Apps: There are applications like Parallel Space which may use a technical solution other than app cloning.

How Does Parallel Space Work?
Parallel Space takes a somewhat unique approach to multi-instancing. Instead of cloning an app, it creates a sandboxed, virtualized environment (a container) on the user's device. When you "clone" an app, Parallel Space does the following:
Creates an Isolated Space: It sets up a dedicated directory structure for the cloned app, separate from the original app's data.
Intercepts and Proxies Calls: The cloned app runs inside this container. Every system request it makes (for file access, contact lists, network connections, or hardware IDs) is intercepted by Parallel Space.
Remaps Resources: Parallel Space then forwards these requests to the Android operating system, but it modifies them to prevent conflicts. For example, it directs file read/write operations to its own sandboxed directory, not the original app's directory.
This approach effectively hides the "cloned" app. To the Android OS, only one app is running: Parallel Space. The virtual app is just a process running within the Parallel Space container.

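The directory remapping and package renaming described above both leave traces an app can check about itself. The Kotlin below is an added example, not freeRASP's implementation and not code from the original article; `classify`, `Finding`, the package names and the sample paths are constructed, and it assumes the remapped path is visible to the app through its own data directory.

```kotlin
// Added illustration; not freeRASP code. All names and sample values are constructed.
enum class Finding { OK, RENAMED_PACKAGE, FOREIGN_DATA_DIR }

// Data directory layouts that Android itself assigns to an installed app:
//   /data/data/<pkg>                       legacy path for the primary user
//   /data/user/<userId>/<pkg>              per-user path (a work profile gets its own userId)
//   /data/user_de/<userId>/<pkg>           device-protected storage
//   /mnt/expand/<uuid>/user/<userId>/<pkg> app moved to adopted storage
private val NATIVE_DATA_DIR = Regex(
    """(?:/data/data|/data/user(?:_de)?/\d+|/mnt/expand/[^/]+/user(?:_de)?/\d+)/([^/]+)/?"""
)

/**
 * expectedPackage: package name compiled into the app (never read from the runtime).
 * runtimePackage:  what the environment reports, e.g. context.packageName.
 * dataDir:         where the environment put app data, e.g. context.applicationInfo.dataDir.
 */
fun classify(expectedPackage: String, runtimePackage: String, dataDir: String): Finding {
    // App cloning by repackaging: the OS sees a different package name.
    if (runtimePackage != expectedPackage) return Finding.RENAMED_PACKAGE
    // Container-style cloning: storage is remapped into the host app's directory, so the
    // path either has extra segments or is owned by another package.
    val owner = NATIVE_DATA_DIR.matchEntire(dataDir)?.groupValues?.get(1)
    return if (owner == expectedPackage) Finding.OK else Finding.FOREIGN_DATA_DIR
}

fun main() {
    val expected = "com.example.bank"
    val samples = listOf( // (runtime package, data dir), all constructed
        expected to "/data/user/0/com.example.bank",
        expected to "/data/user/10/com.example.bank", // work profile: native layout
        "com.example.bank.clone" to "/data/user/0/com.example.bank.clone",
        expected to "/data/user/0/com.example.container/virtual/0/com.example.bank"
    )
    for ((runtimePackage, dataDir) in samples) {
        println("${classify(expected, runtimePackage, dataDir)}  $dataDir")
    }
}
```

A work profile instance is reported as OK because Android gives it a native per-user path. A container that also intercepts the calls returning these values can falsify them, so a check like this is one signal among several rather than a complete detection.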
Detecting Parallel Space using freeRASP
The new version of freeRASP makes multi-instancing easy to detect through a new threat callback, onMultiInstance. Currently, freeRASP can detect multi-instancing using Parallel Space, with more detection techniques coming soon:

val listener = object : ThreatListener.ThreatDetected {
    // ...other callbacks...
    override fun onMultiInstanceDetected() {
        // React to the detected multi-instance environment here
    }
}

You can find this feature in the newest version of freeRASP:
If you liked this article, you may also find this one useful: Fraud-Proofing an Android App: Choosing the Best Device ID for Promo Abuse Prevention