frida-gadget 1.4.3

Automated Frida Gadget injection tool

frida-gadget is a tool that can be used to patch APKs in order to utilize the Frida Gadget.

This tool automates the process of downloading the Frida gadget library and injecting the loadlibrary code into the main activity.

Installation

pip install frida-gadget --upgrade

Prerequirement

You should install Apktool and add it to your PATH environment variable.

# Install Apktool on macOS
brew install apktool

# Add Apktool to your PATH environment variable
export PATH=$PATH:$HOME/.brew/bin

For other operating systems, you can refer to the Install Guide.

Docker

The -v flag is used to bind mount the current directory to the /workspace/mount directory inside the container.

Ensure that your APK file is located in the current directory, or replace $APK_DIRECTORY with the path to the directory where the APK file is stored.

APK_DIRECTORY=$PWD
APK_FILENAME=example.apk
docker run -v $APK_DIRECTORY/:/workspace/mount ksg97031/frida-gadget mount/$APK_FILENAME --arch arm64 --sign

...
# New apk is in the $APK_DIRECTORY/example/dist/example.apk

Usage

$ frida-gadget --help
  Usage: cli.py [OPTIONS] APK_PATH

    Patch an APK with the Frida gadget library

  Options:
    --arch TEXT           Target architecture of the device. (options: arm64, x86_64, arm, x86)
    --config TEXT         Upload the Frida configuration file.
    --no-res              Do not decode resources.
    --main-activity TEXT  Specify the main activity if desired. (e.g., com.example.MainActivity)
    --sign                Automatically sign the APK using uber-apk-signer.
    --skip-decompile      Skip decompilation if desired.
    --skip-recompile      Skip recompilation if desired.
    --use-aapt2           Use aapt2 instead of aapt.
    --version             Show version and exit.
    --help                Show this message and exit.

How do I begin?

Simply provide the APK file with the target architecture.

$ frida-gadget handtrackinggpu.apk --arch arm64 --sign
  [INFO] Auto-detected frida version: 16.1.3
  [INFO] APK: '[REDACTED]\demo-apk\handtrackinggpu.apk'
  [INFO] Gadget Architecture(--arch): arm64(default)
  [DEBUG] Decompiling the target APK using apktool
  [DEBUG] Downloading the frida gadget library for arm64
  [DEBUG] Checking internet permission and extractNativeLibs settings
  [DEBUG] Adding 'android.permission.INTERNET' permission to AndroidManifest.xml
  [DEBUG] Searching for the main activity in the smali files
  [DEBUG] Found the main activity at '[REDACTED]\frida-gadget\tests\demo-apk\handtrackinggpu\smali\com\google\mediapipe\apps\handtrackinggpu\MainActivity.smali'
  [DEBUG] Locating the onCreate method and injecting the loadLibrary code
  [DEBUG] Recompiling the new APK using apktool
  ...
  I: Building apk file...
  I: Copying unknown files/dir...
  I: Built apk into: [REDACTED]\demo-apk\handtrackinggpu\dist\handtrackinggpu.apk
  [INFO] Success
  ...

$ unzip -l [REDACTED]\demo-apk\handtrackinggpu\dist\handtrackinggpu.apk | grep libfrida-gadget
  21133848  09-15-2021 02:28   lib/arm64-v8a/libfrida-gadget-16.1.3-android-arm64.so

How to know device architecture?

Connect your device and run the following command:

adb shell getprop ro.product.cpu.abi

This command will output the architecture of your device, such as arm64-v8a, armeabi-v7a, x86, or x86_64.

- Most modern Android emulators use the x86_64 architecture.

- Newer high-end devices typically use arm64-v8a.

- Older or lower-end devices might use armeabi-v7a.

- Some specific emulators or devices may still use x86.

How to Identify?

Observe the main activity; the injected loadLibrary code will be visible.

Resigning the APK

After modifying the APK, you need to re-sign it.

You can quickly re-sign your application with the --sign option.

This option uses uber-apk-signer.

Contributing