Introduction to Frida for Android Penetration Testing
Frida is a powerful, dynamic instrumentation toolkit that allows developers and security researchers to inject JavaScript or custom native code into running processes on various platforms, including Android. For Android application penetration testing, Frida is indispensable. It enables runtime manipulation, API monitoring, bypassing security controls, and understanding application behavior without needing to decompile, modify, and recompile the APK. This guide will walk you through the comprehensive process of setting up Frida on a rooted Android device, transforming it into a formidable tool for your app security assessments.
Prerequisites for Frida Setup
Before diving into the setup, ensure you have the following prerequisites in place:
- A Rooted Android Device: Frida requires root privileges to operate effectively on Android. Ensure your device is properly rooted (e.g., with Magisk).
- ADB (Android Debug Bridge) Installed: ADB is crucial for communicating with your Android device from your host machine. Verify it’s installed and configured correctly by running adb devices.
- Python 3 and pip: Frida’s command-line tools (frida-tools) are Python packages. You’ll need Python 3 and its package installer, pip, on your host machine.
- Internet Connection: To download necessary files.
Step 1: Preparing Your Host Machine
Your host machine (your computer) will run the Frida client tools and send commands to the Frida server running on your Android device.
1.1 Install Python 3 and pip
If you don’t have Python 3, download it from the official Python website. Pip usually comes bundled with Python 3. Verify their installation:
python3 --version
pip3 --version
1.2 Install Frida-tools
Frida-tools provides command-line utilities like frida-ps, frida-trace, and the frida client itself. Install them using pip:
pip3 install frida-tools
After installation, verify it by checking the version:
frida --version
1.3 Verify ADB Setup
Ensure your Android device is connected to your host machine via USB debugging and that ADB recognizes it:
adb devices
You should see your device listed, similar to:
List of devices attached
ABCDEF123456 device
Step 2: Identifying Your Android Device’s Architecture
Frida server binaries are architecture-specific. You need to download the correct one for your Android device. Connect your device and use ADB to find its CPU architecture:
adb shell getprop ro.product.cpu.abi
Common architectures include:
- arm64-v8a (for 64-bit ARM devices, most modern Android phones)
- armeabi-v7a (for 32-bit ARM devices)
- x86_64 (for 64-bit Intel/AMD emulators)
- x86 (for 32-bit Intel/AMD emulators)
Make a note of this architecture.
Step 3: Downloading the Correct Frida Server
Navigate to Frida’s GitHub releases page: https://github.com/frida/frida/releases
Find the latest stable release. Look for the file named frida-server-<version>-android-<architecture>.xz. For example, if your device is arm64-v8a and the latest version is 16.1.4, you’d download frida-server-16.1.4-android-arm64.xz.
Download the compressed file and then decompress it. On Linux/macOS, you can use xz -d:
xz -d frida-server-<version>-android-<architecture>.xz
This will result in a file named frida-server-<version>-android-<architecture>. Rename it to something simpler, like frida-server, for convenience:
mv frida-server-<version>-android-<architecture> frida-server
Step 4: Pushing Frida Server to Your Android Device
Now, transfer the frida-server binary to a writable location on your Android device. A common and recommended location is /data/local/tmp/, which is typically world-writable and executable.
adb push /path/to/your/frida-server /data/local/tmp/
Replace `/path/to/your/frida-server` with the actual path to the downloaded and renamed `frida-server` file on your host machine.
Step 5: Setting Permissions and Executing Frida Server
Once the server is on the device, you need to make it executable and then run it. Access the device’s shell:
adb shell
Navigate to the directory where you pushed the server:
cd /data/local/tmp/
Set execute permissions for the binary:
chmod 755 frida-server
Finally, execute the Frida server. It’s best to run it in the background using `&` or `nohup` so it continues to run even if your ADB shell session disconnects.
./frida-server &
If you’re using `nohup` (recommended for persistence):
nohup ./frida-server &
You should see a process ID printed. If there are no errors, the server is running.
Step 6: Verifying Frida Server Status
From your host machine, you can verify that the Frida server is running and accessible by listing the processes on your Android device using Frida’s client tools:
frida-ps -U
The -U flag tells Frida to connect to a USB device. If successful, you’ll see a list of running processes on your Android device, indicating that Frida is communicating correctly.
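Steps 1.3 through 6 can be collected into one host-side script. This is an added example, not part of the original guide; the function names are hypothetical, and picking the server release that matches the host's frida --version is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original guide): Steps 1.3-6 as one host-side script.

# Print serials from `adb devices` output (stdin) that are in the usable
# "device" state; "unauthorized" and "offline" entries are skipped.
ready_serials() {
    tr -d '\r' | awk '$2 == "device" { print $1 }'
}

# Map ro.product.cpu.abi to the architecture suffix in release file names.
abi_to_frida_arch() {
    case "$1" in
        arm64-v8a)   echo arm64 ;;
        armeabi-v7a) echo arm ;;
        x86_64)      echo x86_64 ;;
        x86)         echo x86 ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# Release asset name for a Frida version ($1) and device ABI ($2).
frida_asset_name() {
    arch=$(abi_to_frida_arch "$2") || return 1
    echo "frida-server-$1-android-$arch.xz"
}

deploy_frida_server() {
    [ -n "$(adb devices | ready_serials)" ] || { echo "no authorized device" >&2; return 1; }
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    # Assumption: use the server release matching the host client's version.
    asset=$(frida_asset_name "$(frida --version)" "$abi") || return 1
    [ -f "$asset" ] || { echo "download $asset from the releases page first" >&2; return 1; }
    xz -dk "$asset" || return 1
    adb push "${asset%.xz}" /data/local/tmp/frida-server || return 1
    adb shell chmod 755 /data/local/tmp/frida-server
    # Same start command as Step 5; it runs with whatever privileges adb shell has.
    adb shell "cd /data/local/tmp && nohup ./frida-server >/dev/null 2>&1 &"
    sleep 2
    frida-ps -U >/dev/null && echo "frida-server reachable over USB"
}

# Only touch a device when asked to: sh frida_deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy_frida_server
fi
```

Run it from the directory that holds the downloaded .xz file, with deploy as the only argument.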
Step 7: Basic Frida Client Usage
With Frida server running, you can now start interacting with applications. Here are a couple of basic examples:
7.1 Listing All Applications with Details
frida-ps -Uai
This command lists all installed applications along with their package names, which are crucial for targeting specific apps.
7.2 Attaching to a Running Process
To attach to an already running application (e.g., ‘com.android.settings’):
frida -U com.android.settings
This will open a Frida console where you can interactively inject JavaScript. Type %load my_script.js to load a script or directly enter JavaScript code.
7.3 Spawning a New Process and Injecting a Script
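If you want to inject into an app from its launch, use the -f flag to specify the package name and --no-pause to let it run immediately. On frida-tools 12.0 and later, a spawned app resumes by default and --no-pause is no longer accepted, so leave the flag out there: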
frida -U -f com.example.app --no-pause -l /path/to/your/script.js
Here, `/path/to/your/script.js` would contain your Frida script logic. For instance, a simple script to hook a method might look like this:
// my_script.js
Java.perform(function () {
    var Activity = Java.use('android.app.Activity');
    // Replace Activity.onResume so every call is reported to the host
    Activity.onResume.implementation = function () {
        send('onResume called for: ' + this.getClass().getName());
        this.onResume(); // call the original implementation
    };
    send('Frida script loaded!');
});
This script hooks the `onResume` method of any `Activity` and prints a message when it’s called.
Troubleshooting Common Issues