Android App Penetration Testing & Frida Hooks

Mastering Frida Gadget Persistence on Non-Rooted Devices: Advanced APK Modding


Introduction: The Challenge of Frida on Non-Rooted Devices

Frida is an indispensable toolkit for dynamic instrumentation, allowing security researchers and developers to inject custom scripts into running processes. While using `frida-server` on rooted Android devices is straightforward, performing dynamic analysis on non-rooted devices presents a significant hurdle. Many target applications run on production devices where rooting is not feasible or desirable, either due to security policies, detection mechanisms, or the sheer inconvenience. This is where Frida Gadget comes into play, offering a powerful solution for achieving persistent code injection without requiring root access.

Frida Gadget is a standalone library that can be loaded into an application’s process. Unlike `frida-server`, which listens for connections from a remote client, Frida Gadget can be configured to start instrumentation automatically or to listen for connections itself. This tutorial will guide you through the advanced process of embedding a custom Frida Gadget into an Android application (APK), enabling persistent hooking capabilities on non-rooted devices through strategic APK modification.

Why Frida Gadget for Non-Rooted Environments?

On a rooted Android device, `frida-server` runs as a privileged daemon, allowing it to attach to any process. On a non-rooted device, an unprivileged application cannot attach to another arbitrary process due to Android’s stringent security model (SELinux, user isolation). Frida Gadget circumvents this limitation by becoming an integral part of the target application’s process itself. Once injected, it operates within the application’s own permissions and context, making it an ideal choice for black-box testing where root access is unavailable or undesirable.

Advantages of Frida Gadget:

  • No Root Required: Operates entirely within the target application’s process.
  • Persistence: Once embedded, the gadget loads automatically whenever the application starts.
  • Stealth: Can be configured to avoid direct network exposure, making it harder to detect (though the modified APK itself might be detected).
  • Flexibility: Supports various modes, including automatic script execution and remote connection listening.

Prerequisites for Advanced APK Modding

Before we begin, ensure you have the following tools installed and configured:

  • Java Development Kit (JDK): Required for `jarsigner`.
  • Android SDK Build Tools: For `zipalign`.
  • Apktool: For decompiling and recompiling APKs.
    java -jar apktool.jar d target.apk -o target_decompiled
  • Frida Tools: `frida-tools` (pip install frida-tools) for interacting with the gadget.
  • Frida Gadget (frida-gadget.so): Download the appropriate architecture-specific `.so` file from the official Frida releases page (e.g., `frida-gadget-16.x.x-android-arm64.so`).
  • Text Editor: For modifying `smali` code and JSON configuration.
  • Optional: Jadx-GUI or Dex2jar: For quick code review and understanding the application structure.

Step 1: Decompiling the Target APK

The first step is to decompile the application you wish to inject Frida Gadget into. Use `apktool` for this purpose:

apktool d target.apk -o target_app_modded

This command will create a directory named `target_app_modded` containing the `smali` code, resources, and manifest of the original APK.

Step 2: Obtaining and Placing Frida Gadget

Download the `frida-gadget.so` library that matches the target application’s architecture (e.g., `arm64-v8a`, `armeabi-v7a`). Rename it to `libfrida-gadget.so` for consistency.

Place this renamed library into the appropriate architecture-specific directory within the decompiled APK structure. For example, if the target app uses `arm64-v8a`, place it here:

cp frida-gadget-16.x.x-android-arm64.so target_app_modded/lib/arm64-v8a/libfrida-gadget.so

If the app supports multiple architectures, you might need to copy `libfrida-gadget.so` into each relevant `lib` subdirectory (e.g., `armeabi-v7a`, `x86_64`).
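The Stealth caveat above notes that the modified APK itself may be detected. The following is an added example (not part of the original tutorial) showing how a defender can scan an APK for the placement convention Step 2 describes: a native library whose name contains "frida" under `lib/<abi>/`, or a `*.config.so` file that parses as a Frida Gadget JSON config with an `interaction` block. The sample APK is constructed in memory with placeholder `.so` bodies; the "frida"-in-filename check is a heuristic that a renamed gadget would evade, whereas the config check is content-based.

```python
import io
import json
import zipfile


def build_sample_apk() -> bytes:
    """Constructed sample: a zip laid out like the APK produced in Step 2.
    The .so bodies are placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
        z.writestr("lib/arm64-v8a/libfrida-gadget.so", b"\x7fELF placeholder")
        z.writestr("lib/arm64-v8a/libfrida-gadget.config.so",
                   b'{"interaction": {"type": "listen", "port": 27042}}')
    return buf.getvalue()


def _gadget_interaction(raw: bytes):
    """Return the interaction type if raw is a Gadget JSON config, else None."""
    try:
        cfg = json.loads(raw)
    except ValueError:
        return None
    if isinstance(cfg, dict) and isinstance(cfg.get("interaction"), dict):
        return cfg["interaction"].get("type", "unknown")
    return None


def scan_apk_for_gadget(apk_bytes: bytes) -> dict:
    """Flag native libs and configs that indicate an embedded Frida Gadget."""
    libs, configs, abis = [], [], set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            # Only lib/<abi>/<file> entries are of interest
            if len(parts) != 3 or parts[0] != "lib":
                continue
            abi, fname = parts[1], parts[2].lower()
            # Gadget reads <libname>.config.so beside itself; a JSON file with an
            # "interaction" block is a strong indicator regardless of its name
            kind = _gadget_interaction(z.read(name)) if fname.endswith(".config.so") else None
            if kind is not None:
                configs.append((name, kind))
            elif "frida" in fname:
                libs.append(name)  # name-based heuristic only
            else:
                continue
            abis.add(abi)
    return {"gadget_libs": libs, "gadget_configs": configs,
            "abis": sorted(abis), "suspicious": bool(libs or configs)}
```

Run it against a real APK by passing the file's bytes to `scan_apk_for_gadget`; a `listen` interaction type additionally points at an open gadget port worth checking at runtime.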

Step 3: Injecting the Gadget Library via Smali Modification

This is the most critical and delicate step. We need to ensure that `libfrida-gadget.so` is loaded as early as possible in the application’s lifecycle. A common and effective injection point is within the application’s `Application` class’s `onCreate()` method or a static initializer of a frequently used class. This ensures the gadget is loaded before the application has a chance to perform anti-tampering checks.

Locating the Injection Point:

  1. Identify the application’s main `Application` class from `AndroidManifest.xml`. Look for the `android:name` attribute within the `<application>` tag. For example:
    <application android:name="com.example.myapp.MyApplication" ...>
  2. Navigate to the corresponding `smali` file: `target_app_modded/smali/com/example/myapp/MyApplication.smali`.
  3. Look for the `onCreate()` method (`.method public onCreate()V`). If it doesn’t exist, create it, ensuring to call the superclass’s `onCreate()` method.

Modifying the Smali Code:

Insert the `System.loadLibrary(
