Natanael

Sandboxing is a general term and I used it as a general one. Sandboxing can include virtualization.

Virtualization alone isn’t enough if the external interfaces aren’t protected. With QubesOS you are for example expected to not mix data from untrusted sources with data from trusted sources in the same virtualized environment. You’re expected to use the right tools to open untrusted documents;

https://theinvisiblethings.blogspot.com/2013/02/converting-untrusted-pdfs-into-trusted.html?m=1

That’s still standard virtualization. It doesn’t harden the applications you run inside the sandboxes.

IR transmitters

Miracast (in base open source Android, especially access to the ability to receive)

Scrolling notification text in the notification bar (seriously, that was sooooo much better than the obnoxious new default pop-up notifications)

A bunch of permissions that’s been too locked down (stuff used by Tasker, networking tools, etc)

If you’ve already noticed incoming traffic is weird, you try to look for what distinguishes the sources you don’t want. You write rules looking at the behaviors like user agent, order of requests, IP ranges, etc, and put it in your web server and tells it to check if the incoming request matches the rules as a session starts.

Unless you’re a high value target for them, they won’t put endless resources into making their systems mimic regular clients. They might keep changing IP ranges, but that usually happens ~weekly and you can just check the logs and ban new ranges within minutes. Changing client behavior to blend in is harder at scale - bots simply won’t look for the same things as humans in the same ways, they’re too consistent, even when they try to be random they’re too consistently random.

When enough rules match, you throw in either a redirect or an internal URL rewrite rule for that session to point them to something different.

The trick is distinguishing them by behavior and switching what you serve them