Android Software Reverse Engineering & Decompilation

From Zero to Hero: Setting Up Frida-Gadget for ART Runtime Analysis on Any Android Device

By Antigravity Research Published May 30, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to ART and Dynamic Instrumentation

The Android Runtime (ART) is the managed runtime used by Android and is responsible for executing application code. Unlike its predecessor Dalvik, ART uses Ahead-Of-Time (AOT) compilation, which compiles applications into machine code upon installation, or at runtime using Just-In-Time (JIT) compilation, leading to faster app execution and improved battery life. While this offers performance benefits, it also presents unique challenges for dynamic analysis and instrumentation, as the code is no longer directly in Dalvik bytecode form.

Dynamic instrumentation frameworks like Frida are indispensable tools for security researchers, reverse engineers, and developers. Frida allows you to inject custom JavaScript or C/C++ code into processes, hook functions, inspect memory, and modify behavior at runtime. While Frida Server is commonly used for root-enabled devices, Frida-Gadget offers a powerful alternative: injecting the instrumentation library directly into an application package (APK), making it possible to analyze apps on non-rooted devices or in scenarios where root access isn’t feasible or desired.

Why Frida-Gadget for ART Analysis?

Frida-Gadget essentially embeds a stripped-down Frida server into a target application. When the application starts, the gadget loads, initializes Frida, and waits for a client connection. This approach has several advantages:

  • Non-Rooted Devices: Analyze apps without requiring root privileges on the device.
  • Targeted Instrumentation: Only the specific application is instrumented, reducing system overhead.
  • Stealth: Can be harder to detect than a system-wide Frida server if integrated carefully.
  • Complex Scenarios: Useful for analyzing apps that detect and refuse to run on rooted environments.

This tutorial will guide you through the process of patching an Android application to embed Frida-Gadget, enabling robust ART runtime analysis on virtually any Android device.

Prerequisites and Tools

Before we begin, ensure you have the following tools set up:

  • Android Device or Emulator: With USB debugging enabled.
  • Android SDK Platform Tools: For adb (Android Debug Bridge).
  • Java Development Kit (JDK): Required for apksigner/jarsigner and apktool.
  • apktool: For decompiling and recompiling APKs. Download from Apktool’s official site.
  • apksigner/jarsigner: To sign the modified APK. apksigner is part of Android SDK build-tools; jarsigner is part of JDK.
  • Python and frida-tools: For the Frida client. Install via pip install frida-tools.

Identifying Your Target Application’s Architecture

Frida-Gadget is a native library, meaning you need the correct version for your target device’s CPU architecture. You can determine this in a few ways:

  1. From the Device: Connect your device and run: 
    adb shell getprop ro.product.cpu.abi

    Common outputs include arm64-v8a, armeabi-v7a, x86, or x86_64.

  2. From the APK: Decompile the APK using apktool d myapp.apk and check the lib directory. For example, myapp/lib/arm64-v8a/ indicates an ARM 64-bit architecture.

Step-by-Step Frida-Gadget Injection

1. Obtain Frida-Gadget

Download the appropriate frida-gadget.so for your target architecture from the Frida releases page. Look for files named frida-gadget-*.so (e.g., frida-gadget-16.1.4-android-arm64.so.xz). Extract the .so file from the archive.

2. Decompile the Target APK

Use apktool to decompile the APK you wish to instrument. Replace target.apk with your application’s filename.

apktool d target.apk -o target_app_patched

This will create a directory named target_app_patched containing the decompiled resources and Smali code.

3. Inject Frida-Gadget into the APK Structure

Navigate into the decompiled directory. You need to place frida-gadget.so in the correct architecture-specific library folder. If the folder doesn’t exist, create it.

  1. Create or Identify Lib Folder: For example, if your target is arm64-v8a, the path would be target_app_patched/lib/arm64-v8a/.
  2. Copy Gadget: Copy the downloaded frida-gadget.so into this folder. 
    cp /path/to/frida-gadget.so target_app_patched/lib/arm64-v8a/

4. Modify Smali Code to Load the Gadget

Now, we need to instruct the application to load frida-gadget.so early in its lifecycle. A good place is usually the application’s main entry point, like the Application class’s onCreate method or the main Activity‘s onCreate method.

  1. Locate Application/Activity Class:

    First, find the application’s main class or an early loading activity. Look in target_app_patched/AndroidManifest.xml for the <application> tag’s android:name attribute or the main <activity> tag. For instance, if android:name="com.example.MyApp", you’d look for com/example/MyApp.smali.

    grep -r 'android:name="com.example.MyApp"' target_app_patched/AndroidManifest.xml

    Or for the main activity:

    grep -r 'android.intent.action.MAIN' target_app_patched/AndroidManifest.xml
  2. Inject System.loadLibrary():

    Open the corresponding .smali file (e.g., target_app_patched/smali/com/example/MyApp.smali). Locate the .method public onCreate()V method. Inside this method, *before* the call to the superclass’s onCreate (invoke-super {p0}, Landroid/app/Application;->onCreate()V or similar), add the following Smali instruction to load the library:

    .method public onCreate()V
    .locals 0

    # ADD THIS LINE TO LOAD FRIDA-GADGET
    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

    invoke-super {p0}, Landroid/app/Application;->onCreate()V

    return-void
.end method

    The important part is const-string v0, "frida-gadget" followed by invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V. This ensures the gadget is loaded as early as possible.

    Note on timing: If loading too early causes crashes, try moving it slightly later, but generally, early loading is best for maximum instrumentation coverage. Sometimes, injecting into an obscure static initializer or another early-executing method might be necessary if onCreate doesn’t work.

5. Recompile the APK

Once the modifications are made, recompile the APK:

apktool b target_app_patched -o patched_target.apk

6. Sign the New APK

Modified APKs must be signed to be installable on an Android device. You can use apksigner (recommended for Android 7.0+) or jarsigner.

Using apksigner (Recommended)

First, generate a keystore if you don’t have one:

keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

Then, sign the APK:

apksigner sign --ks my-release-key.jks --ks-key-alias my-alias patched_target.apk

Using jarsigner (Older Android Versions)

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.jks patched_target.apk my-alias

After signing, you might need to run zipalign for optimal performance, though it’s not strictly necessary for functionality.

zipalign -v 4 patched_target.apk final_signed_patched_target.apk

7. Uninstall Original and Install Patched APK

Uninstall the original application (if installed) and then install your newly signed and patched APK.

adb uninstall com.example.targetapp # Replace with actual package name
adb install final_signed_patched_target.apk

Connecting and Instrumenting with Frida

Once the patched app is installed, launch it on your device. Frida-Gadget, by default, listens on port 27042. You’ll need to forward this port from your device to your host machine.

adb forward tcp:27042 tcp:27042

Now, you can connect to the gadget using the Frida client on your host machine:

frida-ps -H 127.0.0.1:27042

This should list the process of your target application. To attach and start scripting:

frida -H 127.0.0.1:27042 -n com.example.targetapp -l my_script.js

Where com.example.targetapp is the package name of your application, and my_script.js is your Frida JavaScript payload.

Basic Frida Script Example for ART Runtime Analysis

Let’s create a simple my_script.js to hook a Java method and observe its arguments and return value.

Java.perform(function() {
    console.log("Frida-Gadget hooked into ART process!");

    // Replace with the actual package and class name of interest
    var TargetClass = Java.use("com.example.targetapp.SomeImportantClass");

    // Hook a method, e.g., 'doSomething(Ljava/lang/String;I)Ljava/lang/String;'
    TargetClass.doSomething.overload('java.lang.String', 'int').implementation = function(arg1, arg2) {
        console.log("----------------------------------------");
        console.log("[+] Method com.example.targetapp.SomeImportantClass.doSomething() called!");
        console.log("  [+] Arg 1 (String): " + arg1);
        console.log("  [+] Arg 2 (int): " + arg2);

        // Call the original method
        var retval = this.doSomething(arg1, arg2);
        console.log("  [+] Return value: " + retval);
        console.log("----------------------------------------");

        // You can modify the return value here if needed
        return retval;
    };

    console.log("Hook for SomeImportantClass.doSomething() applied!");
});

This script uses Java.perform to ensure the code runs within the context of the ART runtime. It then locates a specific class and hooks an overloaded method, logging its arguments and return value. This is a foundational example; Frida’s API allows for much more complex manipulation, including instantiating new objects, calling arbitrary methods, and inspecting memory.

Troubleshooting Common Issues

  • App Crashes on Startup:
    1. Incorrect Architecture: Ensure frida-gadget.so matches the device’s CPU architecture.
    2. Smali Injection Point: Loading the gadget too early might interfere with critical system initializations. Try injecting into a different, slightly later-executing method or activity’s onCreate.
    3. Missing Permissions: Check AndroidManifest.xml for any missing permissions that the app might require after recompilation.
  • Frida Client Can’t Connect:
    1. Port Forwarding: Verify adb forward tcp:27042 tcp:27042 is active and correct.
    2. App Running: Ensure the patched application is actively running on the device.
    3. Frida-Gadget Version: Mismatch between Frida client and gadget version can cause issues. Use compatible versions.
  • Smali Errors During Recompilation:
    1. Syntax Errors: Double-check your Smali injection for typos or incorrect syntax.
    2. Register Conflicts: Ensure you’re using an available register (v0, v1, etc.) if adding more complex Smali.

Conclusion

Injecting Frida-Gadget into Android applications provides a robust and flexible method for performing deep ART runtime analysis, especially useful in environments where root access is not available or desired. By carefully patching an APK, you gain unparalleled control over an application’s execution flow, enabling advanced reverse engineering, security auditing, and behavioral analysis. With the steps outlined in this guide, you’re now equipped to move from a beginner’s understanding to actively instrumenting and dissecting Android applications at an expert level.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Reverse Engineering #APK Patching #ART Runtime #Dynamic Analysis #Frida

Related Technical Guides

Bypassing Android Signature Verification: A Manifest-Level Approach for Code Injection

May 29, 2026

How to Dump Android RAM: A Step-by-Step Guide for Sensitive Data Extraction

May 29, 2026

Android Anti-Emulator Bypass Guide: Defeating Virtual Environment Detection in Malware and Protected Apps

May 29, 2026