Automated tool for patching APKs to enable the use of Frida gadget by downloading the library and injecting code into the main activity.

frida-gadget

frida-gadget patches an APK so that the app loads the Frida Gadget at startup, which lets you instrument it with Frida on a device that is not rooted.
The tool automates the two manual steps: it downloads the Frida gadget shared library for the target architecture and injects a System.loadLibrary call into the main activity.

Installation

pip install frida-gadget --upgrade

Prerequisites

Install Apktool and make sure its directory is on your PATH; frida-gadget calls it to decompile and rebuild the APK.

# Install Apktool on macOS
brew install apktool

# Add Apktool to your PATH environment variable (adjust to your Homebrew prefix, see `brew --prefix`)
export PATH=$PATH:$HOME/.brew/bin

For other operating systems, refer to the Apktool Install Guide.

Docker

The -v flag mounts the current directory at /workspace/mount inside the container, which is why the APK is passed as mount/<name>.apk below.
The APK file must be in $PWD, or replace $PWD with the directory that holds the APK.

docker run -v $PWD/:/workspace/mount ksg97031/frida-gadget mount/handtrackinggpu.apk

Usage

$ frida-gadget --help
  Usage: cli.py [OPTIONS] APK_PATH

    Patch an APK with the Frida gadget library

  Options:
    --arch TEXT       Target architecture of the device.
    --use-aapt2       Use aapt2 instead of aapt.
    --no-res          Do not decode resources.
    --skip-decompile  Skip decompilation if desired.
    --skip-recompile  Skip recompilation if desired.
    --version         Show version and exit.
    --help            Show this message and exit.

How do I begin?

Provide the path to the APK; --arch selects which gadget build is bundled (arm64 in the run below).

$ frida-gadget handtrackinggpu.apk --arch arm64
  [INFO] Auto-detected frida version: 16.1.3
  [INFO] APK: '[REDACTED]\demo-apk\handtrackinggpu.apk'
  [INFO] Gadget Architecture(--arch): arm64(default)
  [DEBUG] Decompiling the target APK using apktool
  [DEBUG] Downloading the frida gadget library for arm64
  [DEBUG] Checking internet permission and extractNativeLibs settings
  [DEBUG] Adding 'android.permission.INTERNET' permission to AndroidManifest.xml
  [DEBUG] Searching for the main activity in the smali files
  [DEBUG] Found the main activity at '[REDACTED]\frida-gadget\tests\demo-apk\handtrackinggpu\smali\com\google\mediapipe\apps\handtrackinggpu\MainActivity.smali'
  [DEBUG] Locating the onCreate method and injecting the loadLibrary code
  [DEBUG] Recompiling the new APK using apktool
  ...
  I: Building apk file...
  I: Copying unknown files/dir...
  I: Built apk into: [REDACTED]\demo-apk\handtrackinggpu\dist\handtrackinggpu.apk
  [INFO] Success

$ unzip -l [REDACTED]\demo-apk\handtrackinggpu\dist\handtrackinggpu.apk | grep libfrida-gadget
  21133848  09-15-2021 02:28   lib/arm64-v8a/libfrida-gadget-16.1.3-android-arm64.so

How to identify the patch?

Decompile the patched APK and inspect the main activity: the injected loadLibrary call appears at the start of its onCreate method.

https://github.com/ksg97031/frida-gadget/blob/trunk/images/decompile.png
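The run log above lists the edits the tool makes (add android.permission.INTERNET, check extractNativeLibs, inject loadLibrary into onCreate), and the decompiled view shows what to look for. The following Python is an added example written for this page, not the project's own code: it performs those edits on a constructed MainActivity.smali and AndroidManifest.xml. The library name passed to System.loadLibrary is assumed from the gadget filename in the unzip output (lib prefix and .so suffix removed); the sample smali and manifest are constructed.

```python
"""Added example: the two edits frida-gadget's log describes, applied to
constructed inputs. Not the project's own implementation."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: System.loadLibrary takes the filename shown in the unzip output
# without its "lib" prefix and ".so" suffix.
GADGET_LIB = "frida-gadget-16.1.3-android-arm64"

# Constructed sample: a stripped-down MainActivity.smali as apktool emits it.
SAMPLE_SMALI = """\
.class public Lcom/example/demo/MainActivity;
.super Landroid/app/Activity;

.method public constructor <init>()V
    .locals 0
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V
    return-void
.end method

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;
    .line 12
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const/high16 v0, 0x7f030000
    invoke-virtual {p0, v0}, Lcom/example/demo/MainActivity;->setContentView(I)V
    return-void
.end method
"""

# Constructed sample manifest: no INTERNET permission, native libs kept compressed.
SAMPLE_MANIFEST = """\
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <application android:extractNativeLibs="false" android:label="demo">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

ONCREATE_RE = re.compile(r"^\.method\b.*\bonCreate\(Landroid/os/Bundle;\)V[ \t]*$", re.M)


def inject_load_library(smali: str, lib_name: str = GADGET_LIB) -> str:
    """Insert System.loadLibrary(lib_name) before onCreate's first instruction."""
    m = ONCREATE_RE.search(smali)
    if m is None:
        raise ValueError("onCreate(Bundle) not found in this class")
    end = smali.index(".end method", m.end())
    region = smali[m.end():end]
    if f'const-string v0, "{lib_name}"' in region:
        return smali  # already patched: keep the operation idempotent
    body = region.split("\n")
    payload = [
        f'    const-string v0, "{lib_name}"',
        "    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V",
        "",
    ]
    depth = 0          # nesting of .annotation blocks (their inner lines are not code)
    locals_ok = False  # set once .locals guarantees register v0 exists
    for idx, raw in enumerate(body):
        s = raw.strip()
        lm = re.fullmatch(r"\.locals (\d+)", s)
        if lm:
            if lm.group(1) == "0":  # no local registers: make room for v0
                body[idx] = raw.replace(".locals 0", ".locals 1")
            locals_ok = True
        elif s.startswith(".annotation"):
            depth += 1
        elif s.startswith(".end annotation"):
            depth -= 1
        elif depth or not s or s.startswith((".", "#")):
            pass  # annotation contents, blank lines, .param/.line/.prologue, comments
        elif not locals_ok:
            raise ValueError("onCreate has no .locals directive before its code")
        else:
            body[idx:idx] = payload  # first real instruction: inject ahead of it
            break
    else:
        raise ValueError("onCreate has no instructions to anchor on")
    return smali[:m.end()] + "\n".join(body) + smali[end:]


def ensure_manifest_settings(manifest_xml: str) -> str:
    """Grant INTERNET (the gadget listens on a TCP port) and let libs be extracted."""
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    have = {p.get(name_attr) for p in root.findall("uses-permission")}
    if "android.permission.INTERNET" not in have:
        root.insert(0, ET.Element("uses-permission", {name_attr: "android.permission.INTERNET"}))
    app = root.find("application")
    extract_attr = f"{{{ANDROID_NS}}}extractNativeLibs"
    if app is not None and app.get(extract_attr) == "false":
        app.set(extract_attr, "true")  # a compressed, unextracted .so would not load
    return ET.tostring(root, encoding="unicode")
```

Running `inject_load_library(SAMPLE_SMALI)` yields the two-line `const-string` / `invoke-static` pair just before the `invoke-super` call, which is the pattern to look for when checking a patched APK; the constructor `<init>` is left alone. The `.locals 0` handling matters because an activity whose onCreate has no local registers would otherwise not assemble after injection.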

Helpful Hint

The APK that apktool rebuilds is unsigned, so Android will refuse to install it until you sign it again. You can re-sign it quickly with the apk-signer tool:

$ apk-signer handtrackinggpu.apk

Because the new signature comes from your own key, an app that verifies its own signing certificate at runtime will notice the change; that check is then a target for a Frida hook.

Contributing