Introduction to Frida Gadget for Android Reverse Engineering
Frida is an indispensable toolkit for dynamic instrumentation, allowing reverse engineers to inject their own scripts into black-box processes. While the typical usage involves a host machine running the Frida client connecting to a Frida server on the target device, Frida Gadget offers a more stealthy and embedded approach. Frida Gadget is a shared library (`.so` file) that you embed directly into an Android application (APK). When the application loads the library, Frida Gadget initializes, allowing you to execute JavaScript on application startup or connect to it remotely. This article delves into advanced techniques for embedding, configuring, and utilizing Frida Gadget to overcome common anti-tampering measures and achieve deeper insights into Android applications.
Setting Up Advanced Gadget Embedding
The standard method of embedding Frida Gadget involves placing the `frida-gadget.so` file into the `lib/[ARCH]/` directory of an APK. However, for advanced scenarios, especially when dealing with anti-Frida detections or early instrumentation requirements, precise control over library loading is crucial.
1. Acquiring and Preparing Frida Gadget
First, download the correct Frida Gadget release for your target Android architecture (e.g., `armeabi-v7a`, `arm64-v8a`, `x86`, `x86_64`) from the Frida releases page. Rename it for stealth if necessary.
```bash
wget https://github.com/frida/frida/releases/download/[FRIDA_VERSION]/frida-gadget-[FRIDA_VERSION]-android-[ARCH].so.xz
unxz frida-gadget-[FRIDA_VERSION]-android-[ARCH].so.xz
mv frida-gadget-[FRIDA_VERSION]-android-[ARCH].so libmycustom.so
```
2. Decompiling and Recompiling the APK
Use `apktool` to decompile the target APK:
```bash
apktool d target.apk -o target_mod
```
Navigate to `target_mod/lib/` and create subdirectories for your target architectures, then copy your renamed Gadget:
```bash
mkdir -p target_mod/lib/arm64-v8a
cp libmycustom.so target_mod/lib/arm64-v8a/
```
Now, modify `target_mod/AndroidManifest.xml` to ensure your library is loaded early. If `android:extractNativeLibs="false"` is present, native libraries are loaded directly from the APK, which can make early injection harder without root. For broader compatibility, you often want `android:extractNativeLibs="true"` (or absent, as it defaults to true) so libraries are extracted to `/data/app/…/lib/`.
Identify the main application class. You can find it in `AndroidManifest.xml` on the `<application>` tag, usually via `android:name`, for example `com.example.app.MainApplication`. If it is not explicitly defined, it defaults to `android.app.Application`. Create or modify an `Application` class if necessary so that your library is loaded as early as possible.
```smali
# In target_mod/smali/[path]/MainApplication.smali (or create one)
# <clinit> takes no parameters and returns void, hence the trailing V.
.method static constructor <clinit>()V
    # one register is needed to hold the library name
    .locals 1
    const-string v0, "mycustom"
    # System.loadLibrary("mycustom") resolves to libmycustom.so
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method
```
This static initializer ensures `libmycustom.so` (your Frida Gadget) is loaded when the `MainApplication` class is first accessed, which typically happens very early in the application lifecycle. A class may have only one `<clinit>`, so if `MainApplication` already declares one, add the `const-string` and `invoke-static` instructions at the top of the existing method instead of declaring a second one.
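Patching the static initializer by hand is error-prone when the class already has a `<clinit>`. The following Python helper, added here as an illustration and not part of the original article or of any Frida tooling, inserts the `loadLibrary` call in either case; the two smali classes it works on are constructed samples, and the `com.example.app.MainApplication` name follows the article's example.

```python
import re

# Constructed sample: Application class with no static initializer.
SMALI_NO_CLINIT = """\
.class public Lcom/example/app/MainApplication;
.super Landroid/app/Application;

.method public constructor <init>()V
    .locals 0
    invoke-direct {p0}, Landroid/app/Application;-><init>()V
    return-void
.end method
"""

# Constructed sample: the class already has a <clinit> of its own.
SMALI_WITH_CLINIT = """\
.class public Lcom/example/app/MainApplication;
.super Landroid/app/Application;

.method static constructor <clinit>()V
    .locals 1
    const/4 v0, 0x1
    sput-boolean v0, Lcom/example/app/MainApplication;->sInit:Z
    return-void
.end method
"""

CLINIT_RE = re.compile(r"\.method static constructor <clinit>\(\)V\n(\s*)\.locals (\d+)\n")

def load_stmts(lib_name, indent):
    return (f'{indent}const-string v0, "{lib_name}"\n'
            f'{indent}invoke-static {{v0}}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V\n')

def inject_load_library(smali, lib_name):
    """Return smali where System.loadLibrary(lib_name) is the first thing <clinit> does."""
    if f'const-string v0, "{lib_name}"' in smali:
        return smali  # already patched; keep the operation idempotent
    m = CLINIT_RE.search(smali)
    if m is None:
        # No <clinit>: declare one before the first method. One register holds the name.
        method = ('.method static constructor <clinit>()V\n    .locals 1\n'
                  + load_stmts(lib_name, '    ') + '    return-void\n.end method\n\n')
        idx = smali.find('.method')
        idx = len(smali) if idx < 0 else idx
        return smali[:idx] + method + smali[idx:]
    # Existing <clinit>: insert right after .locals. <clinit> has no parameters and the
    # Dalvik verifier requires every register to be written before it is read, so using
    # v0 at the very top cannot clobber a live value; only ".locals 0" needs bumping.
    indent, locals_n, header = m.group(1), int(m.group(2)), m.group(0)
    if locals_n == 0:
        header = header.replace('.locals 0', '.locals 1')
    return smali[:m.start()] + header + load_stmts(lib_name, indent) + smali[m.end():]
```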
Recompile, sign, and zipalign the APK:
```bash
apktool b target_mod -o target_modified.apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore debug.keystore target_modified.apk androiddebugkey
zipalign -v 4 target_modified.apk final_app.apk
```
Advanced Gadget Configuration with `frida-gadget.config`
Frida Gadget's behavior is controlled by a configuration file placed alongside the `.so` file and named after it: the stock `frida-gadget.so` reads `frida-gadget.config`, while a library renamed to `libmycustom.so`, as above, reads `libmycustom.config`. This file offers powerful options for controlling Gadget's operational mode.
1. Listen Mode with Early Attachment
In listen mode Gadget opens a TCP port and waits for a Frida client. With `"on_load": "wait"` (the default for listen mode) the process stays suspended until a client connects and resumes it, so your hooks are installed before the application's own code runs. This is what makes very early events hookable.
Contents of `target_mod/lib/arm64-v8a/libmycustom.config`:
```json
{
  "interaction": {
    "type": "listen",
    "address": "127.0.0.1",
    "port": 27042,
    "on_port_conflict": "fail",
    "on_load": "wait"
  }
}
```
Bind to `127.0.0.1` rather than `0.0.0.0`: a Gadget reachable from the network hands arbitrary code execution inside the app to anyone who can connect. Forward the port over USB with `adb forward tcp:27042 tcp:27042`, attach with `frida -H 127.0.0.1:27042 Gadget` (a Gadget in listen mode shows up under the process name `Gadget`), load your hooks, and type `%resume` in the REPL to let the app continue.
2. Standalone Script Mode
For maximum stealth and self-sufficiency, use script mode: Gadget opens no port and instead runs the JavaScript file named by `path` as soon as the library initializes. The hooks themselves (for example an `Interceptor.attach` on libc's `open`) live in that file, and `"on_change": "reload"` re-reads it whenever it changes, which is useful during development:
Contents of `target_mod/lib/arm64-v8a/libmycustom.config`, with `script.js` placed in the same directory:
```json
{
  "interaction": {
    "type": "script",
    "path": "script.js",
    "on_change": "reload"
  }
}
```