Automated tool for patching APKs to enable the use of Frida gadget by downloading the library and injecting code into the main activity.

ksg97031/frida-gadget

frida-gadget

frida-gadget is a tool that can be used to patch APKs in order to utilize the Frida Gadget.
This tool automates the process of downloading the Frida gadget library and injecting the loadLibrary code into the main activity.

Installation

pip install frida-gadget --upgrade

Prerequisites

You should install Apktool and add it to your PATH environment variable.

# Install Apktool on macOS
brew install apktool

# Add Apktool to your PATH environment variable
export PATH=$PATH:$HOME/.brew/bin

For other operating systems, refer to the Install Guide.

Docker

The -v flag is used to bind mount the current directory to the /workspace/mount directory inside the container.
Ensure that your APK file is located in the current directory, or replace $APK_DIRECTORY with the path to the directory where the APK file is stored.

APK_DIRECTORY=$PWD
APK_FILENAME=example.apk
docker run -v $APK_DIRECTORY/:/workspace/mount ksg97031/frida-gadget mount/$APK_FILENAME --arch arm64 --sign

...
# The new APK is at $APK_DIRECTORY/example/dist/example.apk

Usage

$ frida-gadget --help
  Usage: cli.py [OPTIONS] APK_PATH

    Patch an APK with the Frida gadget library

  Options:
    --arch TEXT           Target architecture of the device. (options: arm64, x86_64, arm, x86)
    --config TEXT         Upload the Frida configuration file.
    --no-res              Do not decode resources.
    --main-activity TEXT  Specify the main activity if desired. (e.g., com.example.MainActivity)
    --sign                Automatically sign the APK using uber-apk-signer.
    --skip-decompile      Skip decompilation if desired.
    --skip-recompile      Skip recompilation if desired.
    --use-aapt2           Use aapt2 instead of aapt.
    --version             Show version and exit.
    --help                Show this message and exit.

How do I begin?

Simply provide the APK file with the target architecture.

$ frida-gadget handtrackinggpu.apk --arch arm64 --sign
  [INFO] Auto-detected frida version: 16.1.3
  [INFO] APK: '[REDACTED]\demo-apk\handtrackinggpu.apk'
  [INFO] Gadget Architecture(--arch): arm64(default)
  [DEBUG] Decompiling the target APK using apktool
  [DEBUG] Downloading the frida gadget library for arm64
  [DEBUG] Checking internet permission and extractNativeLibs settings
  [DEBUG] Adding 'android.permission.INTERNET' permission to AndroidManifest.xml
  [DEBUG] Searching for the main activity in the smali files
  [DEBUG] Found the main activity at '[REDACTED]\frida-gadget\tests\demo-apk\handtrackinggpu\smali\com\google\mediapipe\apps\handtrackinggpu\MainActivity.smali'
  [DEBUG] Locating the onCreate method and injecting the loadLibrary code
  [DEBUG] Recompiling the new APK using apktool
  ...
  I: Building apk file...
  I: Copying unknown files/dir...
  I: Built apk into: [REDACTED]\demo-apk\handtrackinggpu\dist\handtrackinggpu.apk
  [INFO] Success
  ...

$ unzip -l [REDACTED]\demo-apk\handtrackinggpu\dist\handtrackinggpu.apk | grep libfrida-gadget
  21133848  09-15-2021 02:28   lib/arm64-v8a/libfrida-gadget-16.1.3-android-arm64.so

How to know device architecture?

Connect your device and run the following command:

adb shell getprop ro.product.cpu.abi

This command will output the architecture of your device, such as arm64-v8a, armeabi-v7a, x86, or x86_64.

- Most modern Android emulators use the x86_64 architecture.
- Newer high-end devices typically use arm64-v8a.
- Older or lower-end devices might use armeabi-v7a.
- Some specific emulators or devices may still use x86.

How to Identify?

Decompile the patched APK and inspect the main activity; the injected loadLibrary code is visible in its onCreate method.

https://github.com/ksg97031/frida-gadget/blob/trunk/images/decompile.png
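
An added example, not part of the frida-gadget project: a Python check that flags an APK carrying the two traces described above, a libfrida-gadget*.so under lib/ and a matching library-name string in a classes*.dex. The function names, the sample archive, and the assumption that the name passed to loadLibrary keeps the substring frida-gadget are assumptions of this example.

```python
import io
import re
import zipfile

# Matches the gadget file name pattern seen in the README output, e.g.
# lib/arm64-v8a/libfrida-gadget-16.1.3-android-arm64.so
GADGET_LIB = re.compile(r"^lib/([^/]+)/(lib[^/]*frida-gadget[^/]*\.so)$")
DEX_NAME = re.compile(r"^classes\d*\.dex$")
MARKER = b"frida-gadget"  # assumption: loadLibrary argument keeps this substring


def scan_apk(apk):
    """Return gadget indicators found in an APK (path or file-like object)."""
    findings = {"native_libs": [], "dex_strings": []}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            m = GADGET_LIB.match(info.filename)
            if m:
                findings["native_libs"].append((m.group(1), m.group(2)))
            elif DEX_NAME.match(info.filename):
                # DEX string data is MUTF-8, so an ASCII library name passed
                # to System.loadLibrary() appears as plain bytes.
                if MARKER in zf.read(info.filename):
                    findings["dex_strings"].append(info.filename)
    findings["patched"] = bool(findings["native_libs"] and findings["dex_strings"])
    return findings


def build_sample(with_gadget):
    """Constructed stand-in for an APK: a zip with fake dex and lib entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        zf.writestr("lib/arm64-v8a/libmediapipe_jni.so", b"\x7fELF")  # constructed name
        dex = b"dex\n035\x00" + b"\x00" * 8 + b"mediapipe_jni\x00"
        if with_gadget:
            dex += b"frida-gadget-16.1.3-android-arm64\x00"
            zf.writestr("lib/arm64-v8a/libfrida-gadget-16.1.3-android-arm64.so", b"\x7fELF")
        zf.writestr("classes.dex", dex)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, flag in (("original", False), ("patched", True)):
        print(label, scan_apk(build_sample(flag)))
```

A gadget library renamed before packaging would not match, so a clean result means only that these two specific traces are absent.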

Resigning the APK

After modifying the APK, you need to re-sign it.
You can quickly re-sign your application with the --sign option.
This option uses uber-apk-signer.
