Emulator Detection
Protection Module: EmulatorDetection
Available For
Linux (Wine detection) macOS (Wine + Rosetta 2 detection) Windows (Limited support)
How It Works
The Emulator Detection module identifies runtime emulation layers and compatibility environments that can obscure actual platform capabilities or introduce security risks. It detects Wine-based emulation and Apple's Rosetta 2 translation environment through process enumeration, environment variables, filesystem artifacts, and architecture comparisons.
Detection Techniques
Wine Detection (Linux, macOS, Windows):
- Environment Variables: Checks for
WINE,WINEPREFIX,WINESERVER, and other Wine-specific environment variables - Filesystem Artifacts: Scans for Wine directories (
/usr/lib/wine,~/.wine, registry files) - Process Enumeration: Uses
ProcessHandle.allProcesses()to detect Wine server processes (wine,wineserver) running on the system - Registry Keys: Checks Windows registry for Wine installation markers
Rosetta 2 Detection (macOS):
- Architecture Mismatch: Compares
os.archproperty againstsysctl hw.optional.arm64to detect ARM64 translation - Process Architecture: Identifies processes running under Rosetta translation layer
- System Capabilities: Checks for native ARM64 support vs. translated execution
Detection Confidence: 0.95 Default Detection Interval: 5 minutes Caching: Results cached permanently (until process restart)
JSON Configuration
JSON
{
"protections": [
{
"type": "EmulatorDetection",
"action": "block",
"intervalMs": 300000
}
]
}{
"protections": [
{
"type": "EmulatorDetection",
"action": "block",
"intervalMs": 300000
}
]
}Code-Based Configuration
Kotlin
Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
ActionType.BLOCK,
300000
)
}import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
ActionType.BLOCK,
300000
)
}Java
Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
ActionType.BLOCK,
300000
);
});import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
ActionType.BLOCK,
300000
);
});Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate application immediately | Production apps with critical IP |
| Log | Record incident and continue | Development, analytics |
| Erase | Securely delete data then terminate | Financial, healthcare apps |
| Custom | Execute custom handler | Enterprise integrations |
| None | Detect only, no action | Testing configurations |
| Block | Block the operation (cloud modules) | Cloud protection modules |
See Actions for detailed action documentation.
When to Use
Enable Emulator Detection when:
- Protecting against unauthorized environment manipulation
- Running on Linux/macOS systems where Wine emulation is a concern
- Detecting Apple Silicon compatibility shims (Rosetta 2)
- Preventing code execution in incompatible runtime environments
- Enforcing native execution on target architecture
- Detecting security research using emulation layers
Code Examples
Kotlin - Basic Integration with Process Detection
Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
class Application : android.app.Application() {
override fun onCreate() {
super.onCreate()
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
ActionType.CLOSE,
300000
)
}
}
}import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
class Application : android.app.Application() {
override fun onCreate() {
super.onCreate()
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
ActionType.CLOSE,
300000
)
}
}
}Kotlin - Custom Action with Environment Analysis
Kotlin
Monitor.configure { config ->
config.registerCustomAction("emulator-handler") { threat ->
val threatType = threat.getThreatType()
val confidence = threat.getConfidence()
val metadata = threat.getMetadata()
Log.e("Security", "Emulation environment detected: $threatType")
Log.d("Metadata", "Confidence: $confidence, Details: $metadata")
when (threatType) {
"wine_detected" -> handleWineEnvironment(metadata)
"rosetta2_detected" -> handleRosettaEnvironment(metadata)
else -> handleUnknownEmulator(metadata)
}
}
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
"emulator-handler",
300000
)
}
private fun handleWineEnvironment(metadata: Map<String, Any>) {
// Wine-specific handling
Log.w("Security", "Wine processes: ${metadata["processes"]}")
disableNetworkFeatures()
}
private fun handleRosettaEnvironment(metadata: Map<String, Any>) {
// Rosetta 2-specific handling
Log.w("Security", "Rosetta translation detected: ${metadata["architecture"]}")
reducePerfSensitiveOperations()
}Monitor.configure { config ->
config.registerCustomAction("emulator-handler") { threat ->
val threatType = threat.getThreatType()
val confidence = threat.getConfidence()
val metadata = threat.getMetadata()
Log.e("Security", "Emulation environment detected: $threatType")
Log.d("Metadata", "Confidence: $confidence, Details: $metadata")
when (threatType) {
"wine_detected" -> handleWineEnvironment(metadata)
"rosetta2_detected" -> handleRosettaEnvironment(metadata)
else -> handleUnknownEmulator(metadata)
}
}
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
"emulator-handler",
300000
)
}
private fun handleWineEnvironment(metadata: Map<String, Any>) {
// Wine-specific handling
Log.w("Security", "Wine processes: ${metadata["processes"]}")
disableNetworkFeatures()
}
private fun handleRosettaEnvironment(metadata: Map<String, Any>) {
// Rosetta 2-specific handling
Log.w("Security", "Rosetta translation detected: ${metadata["architecture"]}")
reducePerfSensitiveOperations()
}Java - Conditional Actions Based on Environment
Java
Monitor.configure(config -> {
config.registerCustomAction("emulator-check", threat -> {
double confidence = threat.getConfidence();
String threatType = threat.getThreatType();
// Strict in production
if (confidence > 0.95) {
Log.e("Security", "Confirmed emulation: " + threatType);
secureDataAndExit();
}
// Warn on lower confidence
if (confidence > 0.7) {
Log.w("Security", "Possible emulation: " + threatType);
enableSafeMode();
}
});
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
"emulator-check",
300000
);
});
private static void secureDataAndExit() {
// Perform secure data wipe
System.exit(1);
}
private static void enableSafeMode() {
// Reduce sensitive functionality
}Monitor.configure(config -> {
config.registerCustomAction("emulator-check", threat -> {
double confidence = threat.getConfidence();
String threatType = threat.getThreatType();
// Strict in production
if (confidence > 0.95) {
Log.e("Security", "Confirmed emulation: " + threatType);
secureDataAndExit();
}
// Warn on lower confidence
if (confidence > 0.7) {
Log.w("Security", "Possible emulation: " + threatType);
enableSafeMode();
}
});
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
"emulator-check",
300000
);
});
private static void secureDataAndExit() {
// Perform secure data wipe
System.exit(1);
}
private static void enableSafeMode() {
// Reduce sensitive functionality
}Java - Wine Detection with Logging
Java
Monitor.configure(config -> {
config.registerCustomAction("wine-detector", threat -> {
Map<String, Object> metadata = threat.getMetadata();
if (metadata.containsKey("wine_processes")) {
@SuppressWarnings("unchecked")
List<String> processes = (List<String>) metadata.get("wine_processes");
Log.e("Security", "Wine processes detected: " + processes);
}
if (metadata.containsKey("wine_environment_vars")) {
@SuppressWarnings("unchecked")
Map<String, String> envVars = (Map<String, String>) metadata.get("wine_environment_vars");
Log.e("Security", "Wine environment: " + envVars.keySet());
}
});
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
"wine-detector",
300000
);
});Monitor.configure(config -> {
config.registerCustomAction("wine-detector", threat -> {
Map<String, Object> metadata = threat.getMetadata();
if (metadata.containsKey("wine_processes")) {
@SuppressWarnings("unchecked")
List<String> processes = (List<String>) metadata.get("wine_processes");
Log.e("Security", "Wine processes detected: " + processes);
}
if (metadata.containsKey("wine_environment_vars")) {
@SuppressWarnings("unchecked")
Map<String, String> envVars = (Map<String, String>) metadata.get("wine_environment_vars");
Log.e("Security", "Wine environment: " + envVars.keySet());
}
});
config.addProtection(
ProtectionModuleType.EMULATOR_DETECTION,
"wine-detector",
300000
);
});Platform Compatibility
| Platform | Status | Notes |
|---|---|---|
| Linux | ✓ Fully Supported | Wine detection via environment and process enumeration |
| macOS 10.16+ | ✓ Fully Supported | Wine + Rosetta 2 detection |
| Windows | ◐ Limited | Wine detection only, no Rosetta support |
| Docker/Containers | ◐ Limited | Process enumeration may be restricted |
| Virtualized Linux | ◐ Limited | Wine detection functional, process access varies |
Performance Impact
- CPU Impact: < 1% increase during detection cycles
- Memory Overhead: ~150 KB for process cache
- Detection Latency: 50-150 ms per cycle
- Battery Impact: Minimal (one-time detection with caching)
- Note: Results cached permanently per process lifetime
Threat Detection Details
When emulation is detected, the module generates detection results:
JSON
{
"threatType": "wine_detected",
"description": "Wine emulation environment identified via process enumeration",
"confidence": 0.95,
"timestamp": "2026-03-02T15:45:22.103Z",
"metadata": {
"detectionMethod": "process_enumeration",
"wine_processes": ["wine", "wineserver"],
"wine_environment_vars": ["WINE", "WINEPREFIX"],
"wine_directories": ["/usr/lib/wine", "/home/user/.wine"],
"platform": "Linux"
}
}{
"threatType": "wine_detected",
"description": "Wine emulation environment identified via process enumeration",
"confidence": 0.95,
"timestamp": "2026-03-02T15:45:22.103Z",
"metadata": {
"detectionMethod": "process_enumeration",
"wine_processes": ["wine", "wineserver"],
"wine_environment_vars": ["WINE", "WINEPREFIX"],
"wine_directories": ["/usr/lib/wine", "/home/user/.wine"],
"platform": "Linux"
}
}JSON
{
"threatType": "rosetta2_detected",
"description": "Apple Rosetta 2 translation layer detected on ARM64 system",
"confidence": 0.95,
"timestamp": "2026-03-02T15:45:22.103Z",
"metadata": {
"detectionMethod": "architecture_comparison",
"reported_arch": "x86_64",
"actual_arch": "arm64",
"hw_optional_arm64": 1,
"platform": "macOS"
}
}{
"threatType": "rosetta2_detected",
"description": "Apple Rosetta 2 translation layer detected on ARM64 system",
"confidence": 0.95,
"timestamp": "2026-03-02T15:45:22.103Z",
"metadata": {
"detectionMethod": "architecture_comparison",
"reported_arch": "x86_64",
"actual_arch": "arm64",
"hw_optional_arm64": 1,
"platform": "macOS"
}
}