From b2ee373de64d11c2a5c07fa98da4d8b1a6113a9f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 10 Feb 2026 02:55:19 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/mobile-pentesting/android-app-... --- .../frida-tutorial/frida-tutorial-1.md | 44 ++++++++++++++++++- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md index 78971dcec1b..5420a622b99 100644 --- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md +++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md 
@@ -127,14 +127,54 @@ Java.perform(function () { }) ``` +## Hooking on recent Android versions (14/15/16) + +- From **Frida 17.1.x+** Java hooking on Android 14–16 is stable again (ART quick entrypoint offsets were fixed). If `Java.choose` returns nothing on Android 14+, upgrade **frida-server/gadget** and the **CLI/Python** packages to >=17.1.5. +- Apps with early anti-debug checks often die before `attach`. Use **spawn** so hooks load before `onCreate`: + +```bash +frida -U -f infosecadventures.fridademo -l hook1.js --no-pause +``` + +- When multiple overloads exist, select the target explicitly: + +```javascript +var Cls = Java.use("com.example.Class") +Cls.doThing.overload('java.lang.String', 'int').implementation = function(s, i) { + return this.doThing(s, i) +} +``` + +## Stealthier injection with Zygisk Gadget + +Some apps detect **ptrace** or `frida-server`. Magisk/Zygisk modules can load **frida-gadget** inside Zygote so no process is ptraced: + +1. Install a Zygisk gadget module (e.g., `zygisk-gadget`) and reboot. +2. Configure the target package and an optional delay to bypass startup checks: + +```bash +adb shell "su -c 'echo infosecadventures.fridademo,5000 > /data/local/tmp/re.zyg.fri/target_packages'" +``` + +3. Launch the app and attach to the gadget name: + +```bash +frida -U -n Gadget -l hook3.js +``` + +Because the gadget is injected by Zygote, APK integrity checks stay untouched and basic ptrace/Frida string checks usually fail. + ## Important -In this tutorial you have hooked methods using the name of the mathod and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**. +In this tutorial you have hooked methods using the name of the method and _.implementation_. 
But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**. You can see that in [the next tutorial](frida-tutorial-2.md). -{{#include ../../../banners/hacktricks-training.md}} +## References +- [Frida News (Android 14–16 fixes & Frida 17.x releases)](https://frida.re/news/) +- [zygisk-gadget – Zygisk module that loads frida-gadget](https://github.com/hackcatml/zygisk-gadget) +{{#include ../../../banners/hacktricks-training.md}}
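Review bot: the Zygisk step `echo infosecadventures.fridademo,5000 > /data/local/tmp/re.zyg.fri/target_packages` gives a hard-coded path and a bare `5000` with no explanation of the file format; say that the path and the `package,delay` syntax come from the zygisk-gadget module's own docs and state the delay's unit, otherwise readers cannot adapt the line to another package or tell whether `5000` is milliseconds or something else. The same hunk pins the fix to ">=17.1.5" but the only reference is the generic https://frida.re/news/ index; link the specific release note that mentions the ART entrypoint fix so the version claim can be checked. Also confirm that `--no-pause` in `frida -U -f infosecadventures.fridademo -l hook1.js --no-pause` is still accepted by the frida-tools release that pairs with the recommended Frida 17.x; if spawned processes are now resumed by default, the flag should be dropped to keep the example consistent with the upgrade advice two lines above it. Finally, the closing sentence "basic ptrace/Frida string checks usually fail" is stated without qualification; a short caveat that this covers only naive checks and that apps with stronger integrity or runtime checks will still detect the gadget would keep the section accurate.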