APK Analysis with Frida
What is Frida?
Frida is a powerful dynamic instrumentation toolkit that allows you to inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. It's particularly useful for:
- Runtime analysis of mobile applications
- Function hooking and method interception
- Memory manipulation and data extraction
- Bypassing security controls during penetration testing
- Real-time debugging of running processes
Installing Frida
Step 1: Install Frida Tools
Install Frida on your host machine using pip:
pip install frida-tools
Step 2: Verify Installation
Test that Frida is properly installed:
frida --version
Step 3: Check Device Architecture
Before downloading the Frida server, check your Android device's architecture:
adb shell getprop ro.product.cpu.abi
Common architectures:
- arm64-v8a - Modern 64-bit ARM devices
- armeabi-v7a - Older 32-bit ARM devices
- x86_64 - Intel-based emulators
- x86 - Older Intel emulators
Step 4: Download Frida Server
Download the appropriate Frida server binary from the official releases page that matches your device architecture and Frida version.
Setting Up Frida for APK Analysis
Prerequisites
- Android device with USB debugging enabled
- ADB (Android Debug Bridge) installed
- Root access on your Android device (for most advanced features)
- Target APK installed on the device
Step-by-Step Process
1. Connect Your Android Device
Connect your Android device via USB and ensure USB debugging is enabled in Developer Options.
2. Push and Start Frida Server
Upload the Frida server to your device and start it:
# Push frida-server to device
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
# Start frida-server as root
adb shell
su
/data/local/tmp/frida-server &
3. List Running Processes
Find your target application among running processes:
frida-ps -U
This will show all running processes with their Process IDs (PIDs) and names.
4. Attach to Target Application
You can attach to an app using either its process name or PID:
# Using process name
frida -U -n <app_package_name>
# Using process ID
frida -U -p <process_id>
5. Spawn and Attach to Application
To start an app and immediately attach Frida:
frida -U -f <app_package_name> --no-pause
6. Load Custom Scripts
Inject your JavaScript hooking scripts:
frida -U -l your_script.js -n <app_package_name>
Example: Hooking Java Methods
Here's a practical example of hooking a Java method to extract flags from an Android application:
JavaScript Hook Script Example (From bbctf)
Java.perform(() => {
    // Wrap the target class; the class name is taken from the challenge APK
    const TargetClass = Java.use("definitely.notvulnerable.spawn.flag");

    // Pass-through hook: the original getFlag still runs and its value is returned unchanged
    TargetClass.getFlag.implementation = function () {
        const result = this.getFlag();
        return result;
    };

    // Instantiate the class ourselves and call getFlag directly on the main thread
    Java.scheduleOnMainThread(() => {
        try {
            const activity = TargetClass.$new(); // create a new instance
            const flag = activity.getFlag(); // call the method manually
            console.log("FLAG via manual call:", flag);
        } catch (e) {
            console.log("Error calling getFlag manually:", e);
        }
    });
});
Expected Output
When you run this script with Frida, you should see output similar to:
PS C:\Users\w_11\Downloads\MOBILE\spawning_an_export> frida -U -p 6094 -l hook.js
____
/ _ | Frida 17.2.16 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Android Emulator 5554 (id=emulator-5554)
Attaching...
FLAG via manual call: bbctf{in$ECuRe_EXPORtED_aCt!vI71es}
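The script above hooks one specific method. The following is an added example, not part of the original writeup, that generalises it: it hooks every overload of a Java method and logs each call with its arguments and return value. The class and method names at the bottom are taken from the page's example and are assumed to exist in the target app; the `formatCall` helper is kept free of Frida APIs so it can be tested outside the agent, and the `typeof Java` guard lets the file load in a plain JavaScript runtime for that purpose.

```javascript
// Generic Frida agent: hook all overloads of className.methodName and log calls.
// Load with: frida -U -l hook_all.js -n <target>  (added example, not page code)

// Pure helper: render one call as a single log line. No Frida APIs here so it
// can be unit-tested without a device.
function formatCall(className, methodName, args, ret) {
  const rendered = args.map((a) => (a === null ? "null" : JSON.stringify(String(a))));
  const retStr = ret === undefined ? "void" : JSON.stringify(String(ret));
  return `${className}.${methodName}(${rendered.join(", ")}) -> ${retStr}`;
}

// Hook every overload of the method. `log` receives each formatted line.
// Returns the number of overloads that were hooked.
function hookAllOverloads(className, methodName, log) {
  const clazz = Java.use(className);
  const overloads = clazz[methodName].overloads;
  overloads.forEach((overload) => {
    // argumentTypes gives the Java parameter types of this overload
    const sig = overload.argumentTypes.map((t) => t.className).join(", ");
    log(`hooked ${className}.${methodName}(${sig})`);
    overload.implementation = function (...args) {
      // Run the original implementation on the same instance, then log it
      const ret = overload.apply(this, args);
      log(formatCall(className, methodName, args, ret));
      return ret;
    };
  });
  return overloads.length;
}

// Entry point when running inside Frida (skipped outside the agent runtime).
if (typeof Java !== "undefined" && Java.available) {
  Java.perform(() => {
    // Assumed target: the class and method from the page's example
    hookAllOverloads("definitely.notvulnerable.spawn.flag", "getFlag", console.log);
  });
}
```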
Common Frida Commands
| Command | Description |
|---|---|
| frida-ps -U | List running processes on USB device |
| frida-ps -Ua | List all applications on USB device |
| frida -U -f <package> --no-pause | Spawn and attach to app |
| frida -U -n <package> | Attach to running app by name |
| frida -U -p <pid> | Attach to running app by PID |
| frida -U -l script.js <package> | Load script into app |
Tips for Effective APK Analysis
- Always use rooted devices for full Frida functionality
- Start with process enumeration to understand the app structure
- Use logcat alongside Frida for comprehensive monitoring
- Test scripts incrementally to avoid crashes
- Keep backups of original APK files before modification