Android App Penetration Testing & Frida Hooks

Defeating Anti-Frida: How to Bypass Root Detection When Frida is Detected

By Antigravity Research Published May 30, 2026 ⏱️ 6 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Cat and Mouse Game of App Security

Frida has revolutionized mobile application penetration testing, allowing dynamic instrumentation of running processes. However, as its adoption grew, so did the countermeasures. Modern Android applications often incorporate sophisticated anti-Frida and root detection mechanisms to thwart reverse engineering and tampering. This article delves into advanced techniques to bypass these detections, enabling successful security assessments even when applications are actively trying to identify and shut down your Frida hooks.

Understanding Anti-Frida and Root Detection Mechanisms

Before we can bypass detection, we must understand how it works. Applications employ various heuristics and checks:

Frida Detection Techniques:

  • Process Name/Module Scan: Checking for known Frida process names (e.g., `frida-server`) or loaded modules (e.g., `frida-agent.so`).
  • Port Scanning: Attempting to connect to Frida’s default listening port (27042).
  • File System Checks: Looking for Frida-related files or directories in common paths.
  • Memory Artifacts: Scanning memory for Frida-specific strings or patterns.
  • Function Hooking Detection: Monitoring critical system functions for signs of modification (e.g., `ptrace`, `mmap`, `dlopen`).
  • Debuggers/Emulators: Detecting if a debugger is attached (`android.os.Debug.isDebuggerConnected()`) or if the app is running on an emulator.

Root Detection Techniques:

  • Binary Checks: Looking for `su` binary in common paths like `/system/bin/`, `/system/xbin/`, `/sbin/`.
  • Package Checks: Detecting root management apps like Magisk Manager or SuperSU.
  • File Existence: Checking for known root-related files or directories (e.g., `/data/local/tmp`, `/system/app/Superuser.apk`).
  • Read/Write Permissions: Testing if sensitive system directories are writable.
  • Proprietary Checks: Magisk-specific detection using `magisk.img` or `riru.img` checks.

Initial Reconnaissance: Identifying the Detection Method

The first step is always to understand *what* is being detected. This typically involves:

  1. Logcat Analysis: Run `adb logcat` while launching the app with Frida attached. Look for error messages, `System.exit()` calls, or explicit detection messages.
  2. Decompilation and Static Analysis: Use tools like Jadx or Ghidra to decompile the APK. Search for keywords like “frida”, “root”, “su”, “debugger”, “exit”, “isDebuggerConnected”, “Runtime.exec”, “File.exists”, and “/sbin/magisk”. Identify the methods responsible for these checks.
  3. Basic Frida Hooking: Start with simple hooks to understand the app’s behavior. For instance, hooking `System.exit()` can reveal the call stack leading to termination.
Java.perform(function() {    var System = Java.use('java.lang.System');    System.exit.implementation = function(status) {        console.log('System.exit() called with status: ' + status);        Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).forEach(function(s) {            console.log(s);        });        // Don't call original exit, or call with custom status        // this.exit(status);    };});

Bypassing Frida Detection

1. Modifying Frida’s Footprint

Many basic anti-Frida checks look for `frida-server` or `frida-agent.so`. You can rename these or inject Frida in a stealthier way.

  • Renaming `frida-server`: Rename the binary on the device. Then use `adb push` and execute. This bypasses simple `ps | grep frida-server` checks.
  • Using `frida-inject` with PID: Instead of running `frida-server` directly, use `frida-inject` if the target process is already running. You might still need to rename the `frida-gadget.so` or inject it carefully.
# On your host machineadb push frida-server-16.1.4-android-arm64 /data/local/tmp/myserver# On the device (via adb shell)mv /data/local/tmp/myserver /data/local/tmp/myservchown root:shell /data/local/tmp/myservchmod 755 /data/local/tmp/myserv./data/local/tmp/myserv &

2. Hooking Detection Logic

This is often the most effective approach. Identify the specific API calls or methods the app uses for detection and hook them.

  • Bypassing `isDebuggerConnected()`:
Java.perform(function() {    var Debug = Java.use('android.os.Debug');    Debug.isDebuggerConnected.implementation = function() {        console.log('isDebuggerConnected() called, returning false');        return false;    };});
  • Bypassing `System.exit()`: As shown above, hook `System.exit()` to prevent the app from terminating.
  • Bypassing `Runtime.exec()` for `su` checks: If the app executes `su` to check for root, you can intercept this.
Java.perform(function() {    var Runtime = Java.use('java.lang.Runtime');    Runtime.exec.overload('java.lang.String').implementation = function(cmd) {        if (cmd.includes('su')) {            console.log('Intercepted Runtime.exec for: ' + cmd + ', returning dummy Process');            // Return a dummy Process object to prevent actual execution            // A more robust solution might require creating a mocked Process            return this.exec('ls'); // or any harmless command        }        return this.exec(cmd);    };});

3. Evading Memory Scan Detection (Advanced)

Some sophisticated anti-Frida measures scan process memory for known Frida strings or libraries. This is harder to bypass but can involve:

  • Patching `memfd_create` and `dlopen`: Frida uses `memfd_create` to load its agent into memory. By hooking `memfd_create` and `dlopen`, you might be able to modify how Frida’s agent is loaded or its associated metadata, making it harder to detect. This often requires native hooking (C/C++ based Frida scripts).
  • Frida Gadget Customization: Building a custom Frida gadget with modified signatures or even obfuscating the gadget itself.

Bypassing Root Detection (When Frida is Running)

Even if Frida is undetected, root detection can still be an issue. These techniques ensure the app believes it’s running on an unrooted device.

1. Hooking File.exists() and related checks

Many root checks involve looking for specific files (`/system/xbin/su`, `/data/adb/magisk`).

Java.perform(function() {    var File = Java.use('java.io.File');    File.exists.implementation = function() {        var path = this.getAbsolutePath();        if (path.includes('su') ||            path.includes('magisk') ||            path.includes('busybox') ||            path.includes('xposed')) {            console.log('Intercepted File.exists for: ' + path + ', returning false');            return false;        }        return this.exists();    };    // Also hook canRead, canWrite, isDirectory for similar checks    File.canRead.implementation = function() {        var path = this.getAbsolutePath();        if (path.includes('su') || path.includes('magisk')) {            console.log('Intercepted File.canRead for: ' + path + ', returning false');            return false;        }        return this.canRead();    };});

2. Bypassing Magisk Detection

Magisk hides root effectively, but apps can still detect its presence. Often, this involves checking for specific Magisk-related files or properties.

  • Hooking `getprop` or `System.getProperty()`: Magisk might set specific system properties.
Java.perform(function() {    var System = Java.use('java.lang.System');    System.getProperty.overload('java.lang.String').implementation = function(key) {        if (key.includes('ro.boot.flash.locked') || key.includes('ro.boot.verifiedbootstate')) {            console.log('Intercepted System.getProperty for: ' + key + ', returning non-root value');            return '1'; // or 'green' or other values indicating unrooted state        }        return this.getProperty(key);    };});

3. Native Bypasses (JNI Hooks)

Some applications implement root checks in native libraries (C/C++). This requires using Frida’s `Module.findExportByName` and `Interceptor.attach` to hook native functions.

Interceptor.attach(Module.findExportByName('libc.so', 'access'), {    onEnter: function(args) {        this.path = Memory.readUtf8String(args[0]);    },    onLeave: function(retval) {        if (this.path.includes('su') || this.path.includes('magisk')) {            console.log('Intercepted native access() for: ' + this.path + ', returning -1 (ENOENT)');            retval.replace(ptr(-1));            // Set errno to indicate

        
        
        

            

                
            

            

                
Android Mobile Specs & Compare Directory

                
Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

                Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Frida #Penetration Testing #Reverse Engineering #Root Detection Bypass

Related Technical Guides

Frida SSL Pinning Bypass Not Working? Common Issues & Troubleshooting Guide

May 30, 2026

Practical Android NDK Reversing: Frida Hooks for JNI_OnLoad and Function Overloads

May 30, 2026

Android RE Lab: From APK to Source – Decompiling & Analyzing Apps with Jadx & Ghidra

May 29, 2026