Skip to content

Research Update Enhanced src/mobile-pentesting/android-app-p... #1877

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
carlospolop merged 1 commit into from
Feb 10, 2026
Merged

Research Update Enhanced src/mobile-pentesting/android-app-p... #1877

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 42 additions & 2 deletions src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,14 +127,54 @@ Java.perform(function () {
})
```

## Hooking on recent Android versions (14/15/16)

- From **Frida 17.1.x+** Java hooking on Android 14–16 is stable again (ART quick entrypoint offsets were fixed). If `Java.choose` returns nothing on Android 14+, upgrade **frida-server/gadget** and the **CLI/Python** packages to >=17.1.5.
- Apps with early anti-debug checks often die before `attach`. Use **spawn** so hooks load before `onCreate`:

```bash
frida -U -f infosecadventures.fridademo -l hook1.js --no-pause
```

- When multiple overloads exist, select the target explicitly:

```javascript
var Cls = Java.use("com.example.Class")
Cls.doThing.overload('java.lang.String', 'int').implementation = function(s, i) {
return this.doThing(s, i)
}
```

## Stealthier injection with Zygisk Gadget

Some apps detect **ptrace** or `frida-server`. Magisk/Zygisk modules can load **frida-gadget** inside Zygote so no process is ptraced:

1. Install a Zygisk gadget module (e.g., `zygisk-gadget`) and reboot.
2. Configure the target package and an optional delay to bypass startup checks:

```bash
adb shell "su -c 'echo infosecadventures.fridademo,5000 > /data/local/tmp/re.zyg.fri/target_packages'"
```

3. Launch the app and attach to the gadget name:

```bash
frida -U -n Gadget -l hook3.js
```

Because the gadget is injected by Zygote, APK integrity checks stay untouched and basic ptrace/Frida string checks usually fail.

## Important

In this tutorial you have hooked methods using the name of the mathod and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**.
In this tutorial you have hooked methods using the name of the method and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**.

You can see that in [the next tutorial](frida-tutorial-2.md).


{{#include ../../../banners/hacktricks-training.md}}


## References

- [Frida News (Android 14–16 fixes & Frida 17.x releases)](https://frida.re/news/)
- [zygisk-gadget – Zygisk module that loads frida-gadget](https://github.com/hackcatml/zygisk-gadget)
{{#include ../../../banners/hacktricks-training.md}}