How to hijack Android OS calls with Frida

Learn how to intercept Android system calls

When we are performing a pentest on an Android app, sometimes is useful to get the parameters that the application is sending through a function or even hijack some specific function to return other values.

Let’s see in this article how we can intercept and even hijack any method from a given Android APK.

First, you can retrieve the package name with this command:

adb shell pm list packages

The method that you are interested to hijack, you can retrieve it doing reverse engineering, targeting for a specific common method or even getting it from adb logcat.

The following frida standalone script will intercept and dump any call to the internal function javax.crypto.Mac.doFinal. In this example, we only dump the parameters and after that redirect the program flow to the original function.


Usage: %0 <package name> <method>
Example: %0 javax.crypto.Mac.doFinal
# Intercepts and dumps all parameters of method given in the command line

import frida, sys

CODE = r'''
Java.perform(() => {
    // We overload javax.crypto.Mac.doFinal()

    const method = Java.use('javax.crypto.Mac');
    method.doFinal.overloads.forEach(f => {
        f.implementation = function(...args) {
            var hexkey= "";
            console.log(`[*] [${new Date().toString()}] javax.crypto.Mac.doFinal() called! Args: ${args.join(', ')}`);
            console.log("[-] Number of args: " + args.length);
            console.log("[-] length(args[0])= " + args[0].length);
            for (var i = 0; i < args[0].length; i++) {
                hexkey = hexkey + String.fromCharCode(args[0][i]);
            console.log("[-] input string= " + hexkey);
            // We develop an original method.
  , ...args);

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print ("Usage: %0 <package name> <method>" %sys.argv[0])
        print ("Example: %0 javax.crypto.Mac.doFinal" %sys.argv[0])
    package= sys.argv[1]
    method=  sys.argv[2];
    device = frida.get_usb_device()
    print("[*] Spawing process %s\n" %package)
    pid = device.spawn([package])
    session = device.attach(pid)
    script = session.create_script(CODE)

From the above code, feel free to change the call we are intercepting to any other you are researching.






Leave a Reply

Your email address will not be published. Required fields are marked *