Introduction to Frida Gadget and Non-Rooted Android Penetration Testing
Frida is an exceptional dynamic instrumentation toolkit that allows security researchers and developers to inject custom scripts into running processes. While Frida’s standard client-server model thrives on rooted Android devices where the Frida server can be deployed system-wide, the reality of penetration testing often involves non-rooted target devices or environments where root access is not permissible or easily obtained. This is where Frida Gadget becomes an invaluable asset.
Frida Gadget is a pre-compiled shared library (.so file) that can be embedded directly into an Android application (APK). When the application loads, it initializes the embedded Frida Gadget, allowing it to act as a self-contained Frida server within the application’s process. This guide provides a detailed, step-by-step tutorial on how to repackage an existing Android APK to inject Frida Gadget, enabling dynamic instrumentation on non-rooted devices without modifying the target device’s operating system.
Prerequisites
Before we begin, ensure you have the following tools installed and configured on your workstation:
- Java Development Kit (JDK): Required for keytool and jarsigner (zipalign ships with the Android SDK Build-Tools).
- Android SDK Build-Tools: Specifically for zipalign. Ensure it's in your PATH.
- APKTool: For decompiling and recompiling APKs. Download from their official GitHub.
- Frida CLI Tools: frida-tools (pip install frida-tools) for interacting with the gadget.
- Frida Gadget: Download the appropriate frida-gadget.so for your target application's architecture (e.g., armeabi-v7a, arm64-v8a) from Frida's releases page.
- A Target APK: The Android application you wish to modify.
Ensure all necessary tools are accessible via your system’s PATH variable for seamless command execution.
Step 1: Decompiling the APK
The first step involves decompiling the target APK using APKTool. This will extract its resources, manifest, and Smali code into a human-readable directory structure.
apktool d target_app.apk -o target_app_repacked
This command will create a new directory named target_app_repacked containing all the decompiled components. Navigate into this directory to inspect its contents. Key directories include smali (containing the bytecode), lib (native libraries), and res (resources).
Step 2: Integrating Frida Gadget into the APK
Now, we’ll embed the Frida Gadget and ensure it gets loaded by the application.
2.1 Place the Frida Gadget Library
Identify the architecture of the target application. You can usually infer this by inspecting the lib directory inside the decompiled APK. For example, if you see lib/armeabi-v7a, you need the frida-gadget.so for armeabi-v7a. Create the necessary architecture directory if it doesn’t exist.
# Example for armeabi-v7a architecture
cd target_app_repacked
mkdir -p lib/armeabi-v7a
cp /path/to/frida-gadget-16.x.x-android-armeabi-v7a.so lib/armeabi-v7a/libfrida-gadget.so
Name the copied file libfrida-gadget.so. The load call added in the next step, System.loadLibrary("frida-gadget"), resolves its argument to lib<name>.so inside the APK's lib/<abi>/ directory, so the "lib" prefix must be present on the file or the load fails with an UnsatisfiedLinkError at startup.
2.2 Modify Smali Code to Load the Gadget
We need to instruct the application to load our newly injected library. The most reliable place to do this is often within the application’s main entry point, such as the Application class’s onCreate() method or the main activity’s onCreate() method.
First, identify the application's entry point. Look for the <application> tag in AndroidManifest.xml. If an android:name attribute is present, it specifies the custom Application class (e.g., Lcom/example/MyApplication;). If not, we'll target the main activity.
Let’s assume the Application class is com.example.targetapp.MyApplication. Navigate to its Smali file:
cd smali/com/example/targetapp/
open MyApplication.smali
Locate the .method public onCreate()V method. If it doesn't exist, create it (carefully following Smali syntax). Insert the two load instructions right after the invoke-super call (or at the beginning of the method body, directly after the .locals directive, if no super call is present). Because the instructions use register v0, the method's .locals count must be at least 1; raise it if the existing method declares .locals 0. The complete method looks like this:
.method public onCreate()V
    .locals 1
    .prologue
    invoke-super {p0}, Landroid/app/Application;->onCreate()V
    # Load lib/<abi>/libfrida-gadget.so into the app's own process
    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method