# Introducing Multi-Instancing Detection for freeRASP

The new version of [freeRASP](https://docs.talsec.app/freerasp) comes with a new feature: [multi-instance detection](https://docs.talsec.app/freerasp/wiki/threat-detection/multi-instance-detection-android-devices-only) of Parallel Space. What is multi-instancing, why is it an issue, and how can it be detected?

<figure><img src="/files/LDJp2n64pZTJ2rUf3WnA" alt=""><figcaption></figcaption></figure>

## What is Multi-Instancing?

Multi-instancing allows multiple instances of the same application to run simultaneously on a single Android device. Normally, Android permits only one instance of an app. Users can bypass this limitation using third-party cloning tools, virtualization apps, or modified Android environments. Each instance operates independently with separate data storage, user accounts, and app state.

<div align="center" data-full-width="false"><figure><img src="/files/AbxrYuioMHdvyEL9wgfK" alt=""><figcaption></figcaption></figure></div>

## Why Multi-Instancing Might be Bad

* **Fraud and Abuse**\
  Malicious actors can bypass "one-per-device" limitations for promotional offers, contests, or referral programs. They can create numerous fake accounts to generate fraudulent ad clicks, post fake reviews, or manipulate voting systems.
* **Security Bypass**\
  For high-security apps like banking or enterprise software, multi-instancing poses a significant threat. An attacker could use the sandboxed environment to analyze the app's behavior, attempt to bypass root detection, or tamper with its data in a controlled setting.
* **Privacy Risks**\
  The cloner app itself acts as a [Man-in-the-Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). Applications like Parallel Space have the (technical) ability to read, modify, and log all data from the "cloned" app. This includes login credentials, private messages, and financial information.

## How Does Multi-Instancing Work?

Multi-instancing can be achieved using different techniques:

* **Work Profile**\
  An Android feature that lets users separate personal and work-related apps, data, and settings on the same device by creating a secure container. Each work profile has its own user ID, creating a distinct environment that keeps data isolated.
* **App Cloning**\
  Works by modifying the package name of the application. Android then sees these applications as separate.
* **Manufacturer Feature**\
  Some manufacturers provide the app cloning described above as a system feature (like [Xiaomi Dual App](https://www.mi.com/global/support/faq/details/KA-484739/)).
* **Third-Party Apps**\
  There are applications like Parallel Space that may use a technical solution other than app cloning.

## How Does Parallel Space Work?

Parallel Space takes a somewhat unique approach to multi-instancing. Instead of cloning an app, it creates a sandboxed, virtualized environment (a container) on the user's device. When you "clone" an app, Parallel Space does the following:

1. **Creates an Isolated Space**\
   It sets up a dedicated directory structure for the cloned app, separate from the original app's data.
2. **Intercepts and Proxies Calls**\
   The cloned app runs inside this container. Every system request it makes—for file access, contact lists, network connections, or hardware IDs—is intercepted by Parallel Space.
3. **Remaps Resources**\
   Parallel Space then forwards these requests to the Android operating system, but it modifies them to prevent conflicts. For example, it directs file read/write operations to its own sandboxed directory, not the original app's directory.

This approach effectively hides the "cloned" app. To the Android OS, only one app is running: Parallel Space. The virtual app is just a process running within the Parallel Space container.
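
One path-based heuristic that follows from the remapping in step 3, as an added example (it is not freeRASP's detection logic, which this article does not describe). The package names and paths are constructed, and `classifyDataDir` is a hypothetical helper; in an app you would pass `context.filesDir.absolutePath` and the compile-time application ID.

```kotlin
// Added illustration: classify where an app's private data directory lives.
// All paths and package names are constructed samples, not freeRASP internals.

enum class Verdict { PRIMARY, SECONDARY_USER, FOREIGN_CONTAINER, RENAMED_PACKAGE, UNKNOWN }

// /data/user/<userId>/<owner package>/<rest>  or legacy  /data/data/<owner package>/<rest>
private val DATA_DIR = Regex("""/data/(?:user/(\d{1,5})|data)/([A-Za-z0-9_.]+)(/.*)?""")

fun classifyDataDir(path: String, expectedPackage: String): Verdict {
    val m = DATA_DIR.matchEntire(path) ?: return Verdict.UNKNOWN
    val userId = m.groupValues[1].toIntOrNull() ?: 0 // /data/data means user 0
    val owner = m.groupValues[2]                     // package that owns the directory
    val rest = m.groupValues[3]                      // "" when nothing follows the owner
    return when {
        // Directory is owned by another package and ours is nested inside it:
        // file operations were redirected into a container's sandbox.
        owner != expectedPackage && "/$expectedPackage/" in "$rest/" ->
            Verdict.FOREIGN_CONTAINER
        // Directory is owned by a package name we did not ship (package-rename clone).
        owner != expectedPackage -> Verdict.RENAMED_PACKAGE
        // Our package under a non-zero Android user: work profile or dual-app user.
        // A work profile is a legitimate setup, so treat this as a signal, not proof.
        userId != 0 -> Verdict.SECONDARY_USER
        else -> Verdict.PRIMARY
    }
}

fun main() {
    val pkg = "com.example.bank" // constructed application ID
    val samples = listOf(
        "/data/user/0/com.example.bank/files",                              // PRIMARY
        "/data/data/com.example.bank/files",                                // PRIMARY
        "/data/user/10/com.example.bank/files",                             // SECONDARY_USER
        "/data/user/0/com.example.cloner/virtual/0/com.example.bank/files", // FOREIGN_CONTAINER
        "/data/user/0/com.example.bank.clone1/files",                       // RENAMED_PACKAGE
        "/sdcard/Android/data/com.example.bank/files",                      // UNKNOWN
    )
    for (p in samples) println("${classifyDataDir(p, pkg)}  $p")
}
```

A container that also rewrites the paths returned to the app would defeat this check, so it is best combined with other signals rather than used alone.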

## Detecting Parallel Space using freeRASP

The new version of freeRASP makes multi-instancing easy to detect through a new threat callback, `onMultiInstance`. Currently, freeRASP can detect multi-instancing using Parallel Space, with more detection techniques coming soon:

{% tabs %}
{% tab title="Kotlin" %}

```kotlin
val listener = object : ThreatListener.ThreatDetected {
   // ...other callbacks...
   override fun onMultiInstanceDetected() {
      // Reaction
   }
}
```

{% endtab %}

{% tab title="Flutter" %}

```dart
    final threatCallback = ThreatCallback(
       // ...other callbacks...
       onMultiInstance: () {
          // Reaction
       }
    );
```

{% endtab %}

{% tab title="React Native" %}

```typescript
const actions = {
   // ...other callbacks...
   multiInstance: () => {
      // Reaction
   }
}
```

{% endtab %}

{% tab title="Cordova" %}

```typescript
const actions = {
   // ...other callbacks...
   multiInstance: () => {
      // Reaction
   }
}
```

{% endtab %}

{% tab title="Capacitor" %}

```typescript
const actions = {
   // ...other callbacks...
   multiInstance: () => {
      // Reaction
   }
}
```

{% endtab %}
{% endtabs %}

You can find this feature in the current newest version of freeRASP:

| Platform/Framework                                                        | Version |
| ------------------------------------------------------------------------- | ------- |
| [Android](https://docs.talsec.app/freerasp/integration/android)           | 16.0.1+ |
| [Flutter](https://docs.talsec.app/freerasp/integration/flutter)           | 7.2.0+  |
| [React Native](https://docs.talsec.app/freerasp/integration/react-native) | 4.2.0+  |
| [Capacitor](https://docs.talsec.app/freerasp/integration/capacitor)       | 2.2.0+  |
| [Cordova](https://docs.talsec.app/freerasp/integration/cordova)           | 8.1.0+  |

*If you liked this article, you may also find this one useful:* [Fraud-Proofing an Android App: Choosing the Best Device ID for Promo Abuse Prevention](https://docs.talsec.app/appsec-articles/articles/fraud-proofing-an-android-app-choosing-the-best-device-id-for-promo-abuse-prevention)



