Merge pull request #1877 from HackTricks-wiki/research_update_src_mobile-pentesting_android-app-pentesting_frida-tutorial_frida-tutorial-1_20260210_025308

carlospolop · web-flow · commit eb977f753096 · 2026-02-10T04:15:46.000+01:00
Research Update Enhanced src/mobile-pentesting/android-app-p...
diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@@ -127,14 +127,54 @@ Java.perform(function () {
 })
 ```
 
+## Hooking on recent Android versions (14/15/16)
+
+- From **Frida 17.1.x+** Java hooking on Android 14–16 is stable again (ART quick entrypoint offsets were fixed). If `Java.choose` returns nothing on Android 14+, upgrade **frida-server/gadget** and the **CLI/Python** packages to >=17.1.5.
+- Apps with early anti-debug checks often die before `attach`. Use **spawn** so hooks load before `onCreate`:
+
+```bash
+frida -U -f infosecadventures.fridademo -l hook1.js --no-pause
+```
+
+- When multiple overloads exist, select the target explicitly:
+
+```javascript
+var Cls = Java.use("com.example.Class")
+Cls.doThing.overload('java.lang.String', 'int').implementation = function(s, i) {
+  return this.doThing(s, i)
+}
+```
+
+## Stealthier injection with Zygisk Gadget
+
+Some apps detect **ptrace** or `frida-server`. Magisk/Zygisk modules can load **frida-gadget** inside Zygote so no process is ptraced:
+
+1. Install a Zygisk gadget module (e.g., `zygisk-gadget`) and reboot.
+2. Configure the target package and an optional delay to bypass startup checks:
+
+```bash
+adb shell "su -c 'echo infosecadventures.fridademo,5000 > /data/local/tmp/re.zyg.fri/target_packages'"
+```
+
+3. Launch the app and attach to the gadget name:
+
+```bash
+frida -U -n Gadget -l hook3.js
+```
+
+Because the gadget is injected by Zygote, APK integrity checks stay untouched and basic ptrace/Frida string checks usually fail.
+
 ## Important
 
-In this tutorial you have hooked methods using the name of the mathod and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**.
+In this tutorial you have hooked methods using the name of the method and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**.
 
 You can see that in [the next tutorial](frida-tutorial-2.md).
 
 
-{{#include ../../../banners/hacktricks-training.md}}
 
 
+## References
 
+- [Frida News (Android 14–16 fixes & Frida 17.x releases)](https://frida.re/news/)
+- [zygisk-gadget – Zygisk module that loads frida-gadget](https://github.com/hackcatml/zygisk-gadget)
+{{#include ../../../banners/hacktricks-training.md}}
