Merge pull request #1900 from HackTricks-wiki/update_phantom-frida_20260216_130011

phantom-frida

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md

@@ -12,6 +12,31 @@ This page provides a practical workflow to regain dynamic analysis against Andro
 - Early init checks: Application.onCreate() or process start hooks that crash if instrumentation is present
 - TLS pinning: custom TrustManager/HostnameVerifier, OkHttp CertificatePinner, Conscrypt pinning, native pins
 
+## Bypassing Anti-Frida Detection / Stealth Frida Servers
+
+**phantom-frida** rebuilds Frida from source and applies ~90 patches so common Frida fingerprints disappear while the stock Frida protocol remains compatible (`frida-tools` can still connect). Target: apps that grep `/proc` (cmdline, maps, task comm, fd readlink), D-Bus service names, default ports, or exported symbols.
+
+Phases:
+- **Source patches:** global rename of `frida` identifiers (server/agent/helper) and rebuilt helper DEX with a renamed Java package.
+- **Targeted build/runtime patches:** meson tweaks, memfd label changed to `jit-cache`, SELinux labels (e.g., `frida_file`) renamed, libc hooks on `exit`/`signal` disabled to avoid hook-detectors.
+- **Post-build rename:** exported symbol `frida_agent_main` renamed after the first compile (Vala emits it), requiring a second incremental build.
+- **Binary hex patches:** thread names (`gmain`, `gdbus`, `pool-spawner`) replaced; optional sweep removes leftover `frida`/`Frida` strings.
+
+Detection vectors covered:
+- **Base (1–8):** process name `frida-server`, mapped `libfrida-agent.so`, thread names, memfd label, exported `frida_agent_main`, SELinux labels, libc hook side-effects, and D-Bus service `re.frida.server` are renamed/neutralized.
+- **Extended (9–16):** change listening port (`--port`), rename D-Bus interfaces/internal C symbols/GType names, temp paths like `.frida`/`frida-`, sweep binary strings, rename build-time defines and asset paths (`libdir/frida`). D-Bus interface names that are part of the wire protocol stay unchanged in base mode to avoid breaking stock clients.
+
+Build/usage (Android arm64 example):
+```bash
+python3 build.py --version 17.7.2 --name myserver --port 27142 --extended --verify
+adb push output/myserver-server-17.7.2-android-arm64 /data/local/tmp/myserver-server
+adb shell chmod 755 /data/local/tmp/myserver-server
+adb shell /data/local/tmp/myserver-server -D &
+adb forward tcp:27142 tcp:27142
+frida -H 127.0.0.1:27142 -f com.example.app
+```
+Flags: `--skip-build` (patch only), `--skip-clone`, `--arch`, `--ndk-path`, `--temp-fixes`; WSL helper: `wsl -d Ubuntu bash build-wsl.sh`.
+
 ## Step 1 — Quick win: hide root with Magisk DenyList
 
 - Enable Zygisk in Magisk
@@ -131,13 +156,16 @@ Java.perform(() => {
 });
 ```
 
-// Quick root detection stub example (adapt to target package/class names)
+Quick root detection stub example (adapt to target package/class names):
+
+```js
 Java.perform(() => {
   try {
     const RootChecker = Java.use('com.target.security.RootCheck');
     RootChecker.isDeviceRooted.implementation = function () { return false; };
   } catch (e) {}
 });
+```
 
 Log and neuter suspicious methods to confirm execution flow:
 
@@ -365,6 +393,7 @@ Notes
 - [Magisk](https://github.com/topjohnwu/Magisk)
 - [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa)
 - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
+- [phantom-frida (stealth Frida server builder)](https://github.com/TheQmaks/phantom-frida)
 - [Frida OkHttp4 SSL pinning bypass script](https://github.com/Zero3141/Frida-OkHttp-Bypass)
 - [XDA guide to strong Play Integrity bypass (2025)](https://xdaforums.com/t/updated-11-17-2025-guide-get-strong-integrity-fix-banking-apps-revolut-google-wallet-android-16-working.4753805/)