Android Hacking, Sandboxing, & Security Exploits

Tracing JNI Calls to Malicious Native Code in Android Applications: A Step-by-Step Guide

By Antigravity Research Published May 30, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Hidden Dangers of Native Code in Android Malware

Android applications often leverage the Java Native Interface (JNI) to execute performance-critical operations, integrate with existing C/C++ libraries, or obfuscate sensitive logic. While legitimate, JNI also provides a powerful avenue for malware developers to hide malicious payloads. By compiling core functionalities into native libraries (.so files), attackers can evade typical Java-level deobfuscation and analysis techniques, making reverse engineering significantly more challenging. This guide provides a step-by-step methodology for identifying, statically analyzing, and dynamically tracing JNI calls to uncover malicious native code within Android applications.

Prerequisites: Tools of the Trade

Before diving in, ensure you have the following tools set up and ready:

  • ADB (Android Debug Bridge): For interacting with Android devices or emulators.
  • Frida: A dynamic instrumentation toolkit for hooking into processes. You’ll need the Frida CLI tools and Frida server on your Android device.
  • Ghidra or IDA Pro: Powerful disassemblers/decompilers for static analysis of native binaries.
  • Android Studio / NDK: Useful for understanding JNI concepts and compiling simple native code for testing.
  • A Rooted Android Device or Emulator: Essential for deploying Frida server and accessing process memory.

Understanding JNI: The Bridge to Native Execution

JNI acts as a bridge, allowing Java code running in the Java Virtual Machine (JVM) to interact with native applications and libraries written in languages like C/C++. Key concepts include:

  • Native Methods: Java methods declared with the native keyword, indicating their implementation is in a native library.
  • JNI_OnLoad: A crucial function exported by native libraries. The Android Runtime (ART) or Dalvik VM calls this function when the library is loaded via System.loadLibrary(). Malware often uses this to initialize anti-analysis techniques, decrypt payloads, or register native methods dynamically.
  • Method Registration: Native methods can be registered either statically (by following a specific naming convention: Java_PackageName_ClassName_MethodName) or dynamically using the RegisterNatives function within JNI_OnLoad. Dynamic registration is a common obfuscation technique as it hides the direct mapping of Java methods to native functions.

Step 1: Identifying Native Libraries in an APK

The first step is to locate any native libraries (`.so` files) embedded within the target APK. You can do this by:

  1. Renaming the APK to a .zip file: mv app.apk app.zip
  2. Extracting the contents: unzip app.zip -d extracted_app
  3. Navigating to the native libraries directory: Native libraries are typically found in extracted_app/lib//, where can be armeabi-v7a, arm64-v8a, x86, etc.

Examine the .so files for suspicious names or a large number of them, which might indicate a heavy reliance on native code.

Step 2: Static Analysis of Native Code with Ghidra/IDA Pro

Once you have identified potential native libraries, it’s time for static analysis:

  1. Load the .so file: Open your chosen disassembler (Ghidra or IDA Pro) and load the target .so file. Ensure you select the correct architecture (ARM, AArch64, x86, etc.).
  2. Locate JNI_OnLoad: In the Symbols window, search for JNI_OnLoad. This function is the entry point for much of the native library’s initialization logic. Decompile it to understand its flow.
  3. Identify RegisterNatives calls: Within JNI_OnLoad or other functions, look for calls to JNIEnv->RegisterNatives. This function is used for dynamic native method registration. Pay close attention to its arguments: the Java class name, the array of JNINativeMethod structs (containing the Java method name, signature, and pointer to the native implementation). 
    // Example of what to look for in decompiled code: JNI_OnLoad (simplified) JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) { JNIEnv* env; if ((*vm)->GetEnv(vm, (void**)&env, JNI_VERSION_1_6) != JNI_OK) { return JNI_ERR; } JNINativeMethod methods[] = { {"secretFunction", "(Ljava/lang/String;)V", (void*)Java_com_example_NativeLib_secretFunction}, {"obfuscatedOp", "(II)I", (void*)obfuscatedNativeImpl} }; // Registering native methods dynamically (*env)->RegisterNatives(env, (*env)->FindClass(env, "com/example/MyNativeClass"), methods, sizeof(methods) / sizeof(methods[0])); return JNI_VERSION_1_6; }
  4. Analyze interesting functions: Once you’ve mapped Java native methods to their C/C++ implementations, or if you’ve found suspicious functions directly, dive into their code. Look for:
    • System calls (e.g., execve, fork, system)
    • Network operations (e.g., socket, connect, send, recv)
    • File system access (e.g., open, read, write, unlink)
    • Cryptographic functions (e.g., AES, RSA implementations)
    • Anti-analysis techniques (debugger detection, anti-tampering checks)

Step 3: Dynamic Analysis with Frida: Tracing JNI Calls

Static analysis provides insights, but dynamic analysis confirms behavior and reveals runtime values. Frida is excellent for this.

3.1 Setting up Frida on your Android device:

# On your host machine adb push frida-server /data/local/tmp/ # Adjust based on your device's ABI and Frida version adb shell "chmod 755 /data/local/tmp/frida-server" adb shell "/data/local/tmp/frida-server &"

3.2 Writing Frida Scripts to Hook JNI Calls:

We’ll use Frida to hook `JNI_OnLoad`, `RegisterNatives`, and specific native methods.

Hooking `JNI_OnLoad` to discover dynamic registrations:

// jni_onload_hook.js Java.perform(function() { const libname = 'libmalware.so'; // Replace with your target .so library const JNI_OnLoad = Module.findExportByName(libname, 'JNI_OnLoad'); if (JNI_OnLoad) { console.log("[+] Found JNI_OnLoad at: " + JNI_OnLoad); Interceptor.attach(JNI_OnLoad, { onEnter: function(args) { console.log("[+] Entering JNI_OnLoad for " + libname); this.vm = new Java.vm.getEnv().pointer.readPointer(); this.env = args[0]; }, onLeave: function(retval) { console.log("[+] Exiting JNI_OnLoad for " + libname + ", Return: " + retval); } }); } else { console.log("[-] JNI_OnLoad not found in " + libname); } // Additionally, we can hook RegisterNatives for dynamic registration const RegisterNatives = Module.findExportByName(null, 'JNI_RegisterNatives'); if (RegisterNatives) { console.log("[+] Found JNI_RegisterNatives at: " + RegisterNatives); Interceptor.attach(RegisterNatives, { onEnter: function(args) { // args[0] is JNIEnv*, args[1] is jclass, args[2] is JNINativeMethod*, args[3] is count const env = new Java.vm.getEnv(); const jclass_obj = new Java.Wrapper(args[1]); const javaClassName = env.getClassName(jclass_obj); const methodsArray = args[2]; const methodCount = args[3].toInt32(); console.log(`[+] RegisterNatives called for class: ${javaClassName} with ${methodCount} methods.`); for (let i = 0; i < methodCount; i++) { const methodNamePtr = methodsArray.add(i * Process.pointerSize * 3).readPointer(); const signaturePtr = methodsArray.add(i * Process.pointerSize * 3 + Process.pointerSize).readPointer(); const fnPtr = methodsArray.add(i * Process.pointerSize * 3 + Process.pointerSize * 2).readPointer(); console.log(`    Method ${i}: Name: "${methodNamePtr.readCString()}", Signature: "${signaturePtr.readCString()}", Native Func: ${fnPtr}`); // You can now hook fnPtr if it corresponds to a suspicious function Interceptor.attach(fnPtr, { onEnter: function(args_func) { console.log(`[+] Hooked native method ${methodNamePtr.readCString()} called! Args: ${args_func[1]} ${args_func[2]}`); // Parse args based on signature }, onLeave: function(retval_func) { console.log(`[+] Hooked native method ${methodNamePtr.readCString()} returned: ${retval_func}`); } }); } }, onLeave: function(retval) { console.log("[+] Exiting RegisterNatives."); } }); } else { console.log("[-] JNI_RegisterNatives not found."); } });

Execute this script:

frida -U -f com.example.app --no-pause -l jni_onload_hook.js

Hooking Specific Native Methods:

If you’ve identified a specific native function (e.g., Java_com_example_NativeLib_secretFunction or an internal function like obfuscatedNativeImpl from static analysis), you can directly hook it:

// specific_native_hook.js Java.perform(function() { const libname = 'libmalware.so'; // Your target library const targetFunction = 'Java_com_example_NativeLib_secretFunction'; // Or 'obfuscatedNativeImpl' const funcPtr = Module.findExportByName(libname, targetFunction); if (funcPtr) { console.log(`[+] Found target function ${targetFunction} at: ${funcPtr}`); Interceptor.attach(funcPtr, { onEnter: function(args) { console.log(`[+] Entering ${targetFunction} with arguments:`); // arguments[0] is JNIEnv*, arguments[1] is jobject/jclass for static methods // Subsequent arguments are actual method parameters. console.log(`    Arg 1 (JNIEnv*): ${args[0]}`); console.log(`    Arg 2 (jobject/jclass): ${args[1]}`); // If the method takes a String, args[2] would be jstring. let jniEnv = Java.vm.getEnv(); if (args[2] && args[2].isNull === false) { let javaString = new Java.Wrapper(args[2]); console.log(`    Arg 3 (jstring/param): ${jniEnv.getStringUtfChars(javaString, null).readCString()}`); } }, onLeave: function(retval) { console.log(`[+] Exiting ${targetFunction}, Return value: ${retval}`); } }); } else { console.log(`[-] Target function ${targetFunction} not found in ${libname}`); } });

Execute this script:

frida -U -f com.example.app --no-pause -l specific_native_hook.js

By tracing these calls, you can observe arguments passed to native methods and their return values, revealing the actual data and operations performed by the malicious code.

Step 4: Advanced Tracing Techniques

For more complex scenarios, consider:

  • Tracing Memory Access: Use Frida’s Memory.protect and Memory.scan to detect reads/writes to specific memory regions, useful for identifying decrypted payloads or data manipulation.
  • Hooking System Calls: On rooted devices, you can hook Linux kernel system calls (e.g., read, write, openat, sendto) directly via Frida’s Syscall API or by tracing libc functions to get a lower-level view of native code interactions with the OS.
  • Bypassing Anti-Analysis: Malware often detects debuggers or Frida. Techniques like obfuscated Frida agent injection or modifying the app’s `JNI_OnLoad` to remove anti-debugging checks might be necessary.

Conclusion: Unmasking Native Malice

Tracing JNI calls to malicious native code is a critical skill for Android malware analysts. By combining static analysis with powerful dynamic instrumentation tools like Frida, you can peel back the layers of obfuscation, understand the true intent of native payloads, and ultimately defend against sophisticated threats. This step-by-step guide provides a solid foundation for dissecting even the most elusive native Android malware.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Frida #JNI #Malware Analysis #Native Code

Related Technical Guides

Reverse Engineering Android KeyStore: Finding Side-Channel Vulnerabilities

May 30, 2026

Sandbox Escapades: Using Virtual Environments & VM Detection Bypass to Hide Root on Android

May 29, 2026

Lab: Developing an Android IPC Exploit from Reconnaissance to Code Execution

May 29, 2026