# Introducing Multi-Instancing Detection for freeRASP

The new version of [freeRASP](https://docs.talsec.app/freerasp) comes with a new feature: [multi-instance detection](https://docs.talsec.app/freerasp/wiki/threat-detection/multi-instance-detection-android-devices-only) of Parallel Space. What is multi-instancing, why is it an issue, and how can it be detected?

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FTpCgeM7A9ds77NoxsT6w%2Fintroducing%20multi-instance.png?alt=media&#x26;token=7f907c49-192d-440f-9a9c-35b85510ecc8" alt=""><figcaption></figcaption></figure>

## What is Multi-Instancing?

Multi-instancing allows multiple instances of the same application to run simultaneously on a single Android device. Normally, Android permits only one instance of an app. Users can bypass this limitation using third-party cloning tools, virtualization apps, or modified Android environments. Each instance operates independently with separate data storage, user accounts, and app state.

<div align="center" data-full-width="false"><figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FLyS0cgeJ80peVZ5RntS8%2Fimage.png?alt=media&#x26;token=f1cb1ebd-0c59-4848-a6fa-d1a39245acfe" alt=""><figcaption></figcaption></figure></div>

## Why Multi-Instancing Might be Bad

* **Fraud and Abuse**\
  Malicious actors can bypass "one-per-device" limitations for promotional offers, contests, or referral programs. They can create numerous fake accounts to generate fraudulent ad clicks, post fake reviews, or manipulate voting systems.
* **Security Bypass**\
  For high-security apps like banking or enterprise software, multi-instancing poses a significant threat. An attacker could use the sandboxed environment to analyze the app's behavior, attempt to bypass root detection, or tamper with its data in a controlled setting.
* **Privacy Risks**\
  The cloner app itself acts as a [Man-in-the-Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). Applications like Parallel Space have the (technical) ability to read, modify, and log all data from the "cloned" app. This includes login credentials, private messages, and financial information.

## How Does Multi-Instancing Work?

Multi-instancing can be achieved using different techniques:

* **Work Profile**\
  An Android feature that allows users to separate personal and work-related apps, data and settings on the same device by creating a secure container. Each work profile has its own user ID, creating a distinct environment that keeps data isolated.
* **App Cloning**\
  Works by modifying the package name of the application. Android then sees these applications as separate.
* **Manufacturer Feature**\
  Some manufacturers provide the aforementioned app cloning as a system feature (like [Xiaomi Dual App](https://www.mi.com/global/support/faq/details/KA-484739/)).
* **Third-Party Apps**\
  There are applications like Parallel Space which may use a technical solution other than app cloning.

## How Does Parallel Space Work?

Parallel Space takes a somewhat unique approach to multi-instancing. Instead of cloning an app, it creates a sandboxed, virtualized environment (a container) on the user's device. When you "clone" an app, Parallel Space does the following:

1. **Creates an Isolated Space**\
   It sets up a dedicated directory structure for the cloned app, separate from the original app's data.
2. **Intercepts and Proxies Calls**\
   The cloned app runs inside this container. Every system request it makes—for file access, contact lists, network connections, or hardware IDs—is intercepted by Parallel Space.
3. **Remaps Resources**\
   Parallel Space then forwards these requests to the Android operating system, but it modifies them to prevent conflicts. For example, it directs file read/write operations to its own sandboxed directory, not the original app's directory.

This approach effectively hides the "cloned" app. To the Android OS, only one app is running: Parallel Space. The virtual app is just a process running within the Parallel Space container.
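One heuristic that follows from the directory remapping and per-profile user IDs described above, as an added example (not freeRASP's detection logic and not code from the original article): compare the owner of the app's reported data directory with the package name compiled into the app. It assumes the common `/data/user/<userId>/<package>` and `/data/data/<package>` layouts, and every path and package name is a constructed sample; a container that also rewrites the reported path would not be caught by this check alone.

```kotlin
// Added example: classify an app's reported private data directory.
// Assumes the usual Android layouts /data/user/<userId>/<package> and
// /data/data/<package>; all paths and package names are constructed samples.

enum class Placement { PRIMARY_USER, SECONDARY_USER, OWNER_MISMATCH, UNRECOGNIZED }

private val USER_DIR = Regex("""/data/user/(\d+)/([^/]+)(?:/.*)?""")
private val LEGACY_DIR = Regex("""/data/data/([^/]+)(?:/.*)?""")

fun classifyDataDir(dataDir: String, ownPackage: String): Placement {
    val user = USER_DIR.matchEntire(dataDir)
    val legacy = LEGACY_DIR.matchEntire(dataDir)
    val userId: Int?
    val owner: String
    if (user != null) {
        userId = user.groupValues[1].toIntOrNull() // null if the number overflows Int
        owner = user.groupValues[2]
    } else if (legacy != null) {
        userId = 0                                  // legacy path belongs to the primary user
        owner = legacy.groupValues[1]
    } else {
        return Placement.UNRECOGNIZED               // e.g. adoptable storage; do not guess
    }
    return when {
        // Top-level directory belongs to another package: a renamed clone
        // or a container that redirected our storage into its own sandbox.
        owner != ownPackage -> Placement.OWNER_MISMATCH
        userId == null -> Placement.UNRECOGNIZED
        userId == 0 -> Placement.PRIMARY_USER
        // Same package under a different Android user, e.g. a work profile.
        else -> Placement.SECONDARY_USER
    }
}

fun main() {
    // Constructed package name; on a device compare against BuildConfig.APPLICATION_ID
    // and pass context.applicationInfo.dataDir as the path.
    val own = "com.example.bank"
    val samples = listOf(
        "/data/user/0/com.example.bank",
        "/data/data/com.example.bank/files",
        "/data/user/10/com.example.bank",
        "/data/user/0/com.example.bank.clone",
        "/data/user/0/com.example.container/virtual/data/user/0/com.example.bank",
        "/mnt/expand/sample-volume/user/0/com.example.bank"
    )
    for (path in samples) println("${classifyDataDir(path, own)}  $path")
}
```

`SECONDARY_USER` is not a threat by itself, since work profiles are a legitimate Android feature; treat it as context for a server-side risk decision rather than a reason to block.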

## Detecting Parallel Space using freeRASP

The new version of freeRASP allows easy detection of multi-instancing through a new threat callback, `onMultiInstance`. Currently, freeRASP can detect multi-instancing using Parallel Space, with more detection techniques coming soon:

{% tabs %}
{% tab title="Kotlin" %}

```kotlin
val listener = object : ThreatListener.ThreatDetected {
   // ...other callbacks...
   override fun onMultiInstanceDetected() {
      // Reaction  
   }
}
```

{% endtab %}

{% tab title="Flutter" %}

```dart
    final threatCallback = ThreatCallback(
       // ...other callbacks...
       onMultiInstance: () {
          // Reaction
       }
    );
```

{% endtab %}

{% tab title="React Native" %}

```typescript
const actions = {
   // ...other callbacks...
   multiInstance: () => {
      // Reaction
   }
}
```

{% endtab %}

{% tab title="Cordova" %}

```typescript
const actions = {
   // ...other callbacks...
   multiInstance: () => {
      // Reaction
   }
}
```

{% endtab %}

{% tab title="Capacitor" %}

```typescript
const actions = {
   // ...other callbacks...
   multiInstance: () => {
      // Reaction
   }
}
```

{% endtab %}
{% endtabs %}

You can find this feature in the latest versions of freeRASP:

| Platform/Framework                                                        | Version |
| ------------------------------------------------------------------------- | ------- |
| [Android](https://docs.talsec.app/freerasp/integration/android)           | 16.0.1+ |
| [Flutter](https://docs.talsec.app/freerasp/integration/flutter)           | 7.2.0+  |
| [React Native](https://docs.talsec.app/freerasp/integration/react-native) | 4.2.0+  |
| [Capacitor](https://docs.talsec.app/freerasp/integration/capacitor)       | 2.2.0+  |
| [Cordova](https://docs.talsec.app/freerasp/integration/cordova)           | 8.1.0+  |

*If you liked this article, you may also find this one useful:* [Fraud-Proofing an Android App: Choosing the Best Device ID for Promo Abuse Prevention](https://docs.talsec.app/appsec-articles/articles/fraud-proofing-an-android-app-choosing-the-best-device-id-for-promo-abuse-prevention)

