Virtual Machine Detection
Protection Module: VirtualMachineDetection
Available For
Android (Emulator detection) Desktop (VM/Container detection)
How It Works
The Virtual Machine Detection module identifies when an application is running within virtualized or emulated environments. It uses platform-specific detection techniques to identify common hypervisors, Android emulators, and container runtimes through hardware signatures, system properties, and process enumeration.
Detection Techniques
Desktop Virtual Machines:
- VM Driver Files: Checks for driver files like
/sys/devices/virtual/dmi/id/(Linux), checking forvmware.sys,vboxguest.sys(Windows) - DMI Identification: Reads
/sys/class/dmi/id/*files for manufacturer, product name, and system info - CPU Hypervisor Flag: Scans
/proc/cpuinfofor hypervisor detection bit - Systemd Detection: Runs
systemd-detect-virtto identify virtualization type - VM Process Detection: Enumerates processes for common VM management tools
- Detects: VMware, VirtualBox, Hyper-V, Parallels, QEMU, KVM, Xen, Docker, LXC, Kubernetes
Android Emulator Detection:
- System Properties: Checks
ro.kernel.qemu=1,ro.hardware=goldfish/ranchu - Build Properties: Analyzes
Build.HARDWARE,Build.PRODUCT,Build.MODEL,Build.FINGERPRINTfor emulator signatures - QEMU Sockets: Checks for
/dev/socket/qemud - Genymotion Detection: Identifies Genymotion-specific properties and binaries
- Detects: Goldfish, Ranchu, Genymotion, and other Android emulators
Dynamic Sensitivity Levels:
strict(confidence: 0.5): One indicator triggers detectionnormal(confidence: 0.7): Multiple indicators requiredlenient(confidence: 0.9): High confidence threshold
Default detection interval: 5 minutes Caching: Results cached permanently
JSON Configuration
JSON
{
"protections": [
{
"type": "VirtualMachineDetection",
"action": "close",
"intervalMs": 300000
}
]
}{
"protections": [
{
"type": "VirtualMachineDetection",
"action": "close",
"intervalMs": 300000
}
]
}Code-Based Configuration
Kotlin
Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
ActionType.CLOSE,
300000
)
}import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
ActionType.CLOSE,
300000
)
}Java
Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
ActionType.CLOSE,
300000
);
});import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
ActionType.CLOSE,
300000
);
});Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate application immediately | Production apps with critical IP |
| Log | Record incident and continue | Development, analytics |
| Erase | Securely delete data then terminate | Financial, healthcare apps |
| Custom | Execute custom handler | Enterprise integrations |
| None | Detect only, no action | Testing configurations |
| Block | Block the operation (cloud modules) | Cloud protection modules |
See Actions for detailed action documentation.
When to Use
Enable Virtual Machine Detection when:
- Protecting against automated testing and analysis
- Preventing app testing in uncontrolled lab environments
- Restricting access to premium features in non-production environments
- Detecting security research and reverse engineering attempts
- Preventing malware testing in isolated environments
- Enforcing real-device or native execution for sensitive operations
- Protecting cryptocurrency trading apps and financial software
Code Examples
Kotlin - Basic Integration
Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
class SecurityApplication : Application() {
override fun onCreate() {
super.onCreate()
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
ActionType.CLOSE,
300000
)
}
}
}import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
class SecurityApplication : Application() {
override fun onCreate() {
super.onCreate()
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
ActionType.CLOSE,
300000
)
}
}
}Kotlin - Custom Action with VM Type Handling
Kotlin
Monitor.configure { config ->
config.registerCustomAction("vm-detector") { threat ->
val threatType = threat.getThreatType()
val confidence = threat.getConfidence()
val metadata = threat.getMetadata()
Log.e("Security", "VM/Emulator detected: $threatType (confidence: $confidence)")
when (threatType) {
"android_emulator" -> handleAndroidEmulator(metadata)
"vmware" -> handleVMware(metadata)
"virtualbox" -> handleVirtualBox(metadata)
"docker" -> handleDocker(metadata)
else -> handleUnknownVM(threatType, metadata)
}
}
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
"vm-detector",
300000
)
}
private fun handleAndroidEmulator(metadata: Map<String, Any>) {
Log.w("Security", "Android emulator: ${metadata["emulator_type"]}")
disableInAppPurchases()
}
private fun handleVMware(metadata: Map<String, Any>) {
Log.w("Security", "VMware detected via ${metadata["detection_method"]}")
System.exit(1)
}
private fun handleVirtualBox(metadata: Map<String, Any>) {
Log.w("Security", "VirtualBox detected. Exiting.")
System.exit(1)
}
private fun handleDocker(metadata: Map<String, Any>) {
Log.w("Security", "Docker container detected.")
System.exit(1)
}
private fun handleUnknownVM(threatType: String, metadata: Map<String, Any>) {
Log.e("Security", "Unknown VM environment: $threatType")
System.exit(1)
}
private fun disableInAppPurchases() {
// Disable monetization
}Monitor.configure { config ->
config.registerCustomAction("vm-detector") { threat ->
val threatType = threat.getThreatType()
val confidence = threat.getConfidence()
val metadata = threat.getMetadata()
Log.e("Security", "VM/Emulator detected: $threatType (confidence: $confidence)")
when (threatType) {
"android_emulator" -> handleAndroidEmulator(metadata)
"vmware" -> handleVMware(metadata)
"virtualbox" -> handleVirtualBox(metadata)
"docker" -> handleDocker(metadata)
else -> handleUnknownVM(threatType, metadata)
}
}
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
"vm-detector",
300000
)
}
private fun handleAndroidEmulator(metadata: Map<String, Any>) {
Log.w("Security", "Android emulator: ${metadata["emulator_type"]}")
disableInAppPurchases()
}
private fun handleVMware(metadata: Map<String, Any>) {
Log.w("Security", "VMware detected via ${metadata["detection_method"]}")
System.exit(1)
}
private fun handleVirtualBox(metadata: Map<String, Any>) {
Log.w("Security", "VirtualBox detected. Exiting.")
System.exit(1)
}
private fun handleDocker(metadata: Map<String, Any>) {
Log.w("Security", "Docker container detected.")
System.exit(1)
}
private fun handleUnknownVM(threatType: String, metadata: Map<String, Any>) {
Log.e("Security", "Unknown VM environment: $threatType")
System.exit(1)
}
private fun disableInAppPurchases() {
// Disable monetization
}Java - Emulator-Specific Handling
Java
Monitor.configure(config -> {
config.registerCustomAction("emulator-check", threat -> {
Map<String, Object> metadata = threat.getMetadata();
String threatType = threat.getThreatType();
if (threatType.contains("emulator")) {
@SuppressWarnings("unchecked")
Map<String, String> buildProps = (Map<String, String>) metadata.get("build_properties");
Log.e("Security", "Emulator detected");
Log.d("Details", "Model: " + buildProps.get("model"));
Log.d("Details", "Fingerprint: " + buildProps.get("fingerprint"));
disableSecurityFeatures();
}
});
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
"emulator-check",
300000
);
});
private static void disableSecurityFeatures() {
// Reduce features for emulated environment
}Monitor.configure(config -> {
config.registerCustomAction("emulator-check", threat -> {
Map<String, Object> metadata = threat.getMetadata();
String threatType = threat.getThreatType();
if (threatType.contains("emulator")) {
@SuppressWarnings("unchecked")
Map<String, String> buildProps = (Map<String, String>) metadata.get("build_properties");
Log.e("Security", "Emulator detected");
Log.d("Details", "Model: " + buildProps.get("model"));
Log.d("Details", "Fingerprint: " + buildProps.get("fingerprint"));
disableSecurityFeatures();
}
});
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
"emulator-check",
300000
);
});
private static void disableSecurityFeatures() {
// Reduce features for emulated environment
}Java - Conditional Based on Environment
Java
Monitor.configure(config -> {
config.registerCustomAction("env-check", threat -> {
double confidence = threat.getConfidence();
// Only block high-confidence detections
if (confidence > 0.8) {
Log.e("Security", "High-confidence VM/Emulator: " + threat.getThreatType());
System.exit(1);
} else if (confidence > 0.6) {
Log.w("Security", "Possible VM/Emulator environment");
// Restrict features
}
});
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
"env-check",
300000
);
});Monitor.configure(config -> {
config.registerCustomAction("env-check", threat -> {
double confidence = threat.getConfidence();
// Only block high-confidence detections
if (confidence > 0.8) {
Log.e("Security", "High-confidence VM/Emulator: " + threat.getThreatType());
System.exit(1);
} else if (confidence > 0.6) {
Log.w("Security", "Possible VM/Emulator environment");
// Restrict features
}
});
config.addProtection(
ProtectionModuleType.VIRTUAL_MACHINE_DETECTION,
"env-check",
300000
);
});Platform Compatibility
| Platform | Status | Notes |
|---|---|---|
| Android 5.0+ | ✓ Fully Supported | Android emulator detection via properties |
| Android 10+ | ✓ Optimized | Enhanced QEMU and Genymotion detection |
| Linux | ✓ Fully Supported | VM driver, DMI, and systemd-detect-virt |
| macOS | ✓ Fully Supported | Hypervisor framework detection |
| Windows | ✓ Fully Supported | WMI and driver detection |
| Docker | ✓ Detected | cgroup and namespace detection |
| Kubernetes | ◐ Supported | Container environment detection |
Performance Impact
- CPU Impact: < 1% increase during detection cycles
- Memory Overhead: ~250 KB for property cache
- Detection Latency: 100-250 ms per cycle
- Battery Impact: Minimal (one-time detection with caching)
Threat Detection Details
Android Emulator Detection:
JSON
{
"threatType": "android_emulator",
"description": "Android emulator detected via system properties",
"confidence": 0.95,
"timestamp": "2026-03-02T15:20:33.847Z",
"metadata": {
"detectionMethod": "system_property_analysis",
"emulator_type": "goldfish",
"ro_kernel_qemu": "1",
"ro_hardware": "goldfish",
"build_fingerprint": "google/sdk_google_phone_x86/generic_x86:14/UPB1.231015.013",
"build_model": "sdk_google_phone_x86",
"api_level": 34,
"qemud_socket_found": true
}
}{
"threatType": "android_emulator",
"description": "Android emulator detected via system properties",
"confidence": 0.95,
"timestamp": "2026-03-02T15:20:33.847Z",
"metadata": {
"detectionMethod": "system_property_analysis",
"emulator_type": "goldfish",
"ro_kernel_qemu": "1",
"ro_hardware": "goldfish",
"build_fingerprint": "google/sdk_google_phone_x86/generic_x86:14/UPB1.231015.013",
"build_model": "sdk_google_phone_x86",
"api_level": 34,
"qemud_socket_found": true
}
}Desktop VM Detection:
JSON
{
"threatType": "vmware",
"description": "VMware hypervisor detected via system properties and device drivers",
"confidence": 0.92,
"timestamp": "2026-03-02T15:20:33.847Z",
"metadata": {
"detectionMethod": "dmi_and_driver_analysis",
"hypervisor_type": "VMware",
"dmi_manufacturer": "VMware, Inc.",
"dmi_product_name": "VMware Virtual Platform",
"driver_files": ["/sys/devices/virtual/dmi/id/"],
"platform": "Linux",
"cpu_hypervisor_flag_detected": true
}
}{
"threatType": "vmware",
"description": "VMware hypervisor detected via system properties and device drivers",
"confidence": 0.92,
"timestamp": "2026-03-02T15:20:33.847Z",
"metadata": {
"detectionMethod": "dmi_and_driver_analysis",
"hypervisor_type": "VMware",
"dmi_manufacturer": "VMware, Inc.",
"dmi_product_name": "VMware Virtual Platform",
"driver_files": ["/sys/devices/virtual/dmi/id/"],
"platform": "Linux",
"cpu_hypervisor_flag_detected": true
}
}