I would love to see this malware, and how they pulled it off. Virtualization on devices has always been an interest of mine.

https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization

#android #malware

Your Mobile App, Their Playground: The Dark side of the Virtualization - Zimperium

Zimperium zLabs has uncovered a sophisticated evolution of the GodFather banking malware that leverages an advanced on-device virtualization technique to hijack several legitimate applications, with a focus on mobile banking and cryptocurrency applications.

The article explains how the method works—it’s not so much traditional virtualization as it is a series of small, deceptive programs. The “host” app downloads a collection of fake apps and analyzes legitimate apps to closely mimic their behavior. When a user tries to open a real app, the host app intervenes: it closes the real app and launches a lookalike dummy app instead, using accessibility permissions.

To the user, it appears to be the legitimate app, but in reality, all input and data are being captured by the fake one. With accessibility access, the malicious app can monitor every tap, gesture, and keystroke. It can even track which apps are opened or detect when the lock screen appears—enabling it to build even more convincing fake versions of other apps and extract more personal information.

This is a prime example of why you should never install unofficial apps or grant permissions unless you’re absolutely certain the app is trustworthy—sometimes, not even then.

Hope that helps clarify things. It's not totally accurate in all the details, but a general description to perhaps understand the process better.
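Since the technique described above hinges on an accessibility service watching which app the user opens, one practical check a banking or crypto app can run at startup is to enumerate the accessibility services currently enabled on the device and treat any non-system one as a risk signal. The snippet below is an added Kotlin example for an app's own code; it is not from the Zimperium article, not from the malware, and not from the poster. The `AccessibilityRisk` class and function names are hypothetical; the Android APIs it calls (`AccessibilityManager.getEnabledAccessibilityServiceList`, `AccessibilityServiceInfo.resolveInfo`, `ApplicationInfo.FLAG_SYSTEM`) are real.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.view.accessibility.AccessibilityManager

// Hypothetical result type: one row per enabled accessibility service.
data class AccessibilityRisk(
    val packageName: String,
    val serviceClass: String,
    val isSystemApp: Boolean,
)

// Lists every accessibility service the user has turned on, and whether the
// package that owns it is part of the system image. Third-party services are
// not proof of compromise (legitimate screen readers exist), but a service
// owned by an unknown package is exactly the capability the hijack relies on.
fun enumerateEnabledAccessibilityServices(context: Context): List<AccessibilityRisk> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val pm = context.packageManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { info ->
            val serviceInfo = info.resolveInfo.serviceInfo
            val pkg = serviceInfo.packageName
            val isSystem = try {
                (pm.getApplicationInfo(pkg, 0).flags and ApplicationInfo.FLAG_SYSTEM) != 0
            } catch (e: PackageManager.NameNotFoundException) {
                false // package vanished between enumeration and lookup; treat as untrusted
            }
            AccessibilityRisk(pkg, serviceInfo.name, isSystem)
        }
}

// Convenience filter: only the services a defender would want to surface.
fun thirdPartyAccessibilityServices(context: Context): List<AccessibilityRisk> =
    enumerateEnabledAccessibilityServices(context).filter { !it.isSystemApp }

// Example wiring (hypothetical): call from the app's launch activity and
// decide whether to warn the user or step up authentication before
// showing sensitive screens.
fun accessibilityRiskSummary(context: Context): String {
    val risky = thirdPartyAccessibilityServices(context)
    return if (risky.isEmpty()) {
        "no third-party accessibility services enabled"
    } else {
        "third-party accessibility services enabled: " +
            risky.joinToString { "${it.packageName}/${it.serviceClass}" }
    }
}
```

The check is a signal, not a verdict: the decision about what to do with a hit (warn, require re-authentication, or block high-risk actions) belongs in the app's risk policy, and an attacker-controlled device can still lie to the app, so it complements rather than replaces server-side fraud controls.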