Setting up Frida on Android

Hello All!

In this post, we will explain how to setup Frida with Android through USB on MacOS. Let’s first prepare your environment.


You need:

This guide targets Android 9.0 and later.

Developer mode

Enable developer mode by locating the Build Number item in our system settings and tapping it 7 times.

This is found at:  Settings > About Phone > Build Number. Once completed, you will see a You are now a developer! message.

USB debugging

Enable USB debugging at: Settings > System > Advanced > Developer Options > USB debugging

Setup Tools

Install Android SDK Platform-Tools This is easy, thank you to brew:

$ brew install android-platform-tools

After installation, we will test the adb utility along with USB debugging on our Android device. If using a physical device, be sure that it’s connected to your computer over USB. Run the following command (we will use this output to select the right Frida server binary below):

$ adb shell uname -m

Success, we have adb and USB debugging functioning. Also, we confirmed this device is running AArch64/ARM64.

Using adb shell <cmd>, enables us to run a single command on our Android device and get output back. If we wanted to drop into a shell on our device, we would run adb shell.

Common issues with adb can be resolved by stopping and starting the server:

$ adb kill-server
$ adb start-server

Setup Frida Server

Download the latest Frida server binary matching your devices architecture. In this example for the Pixel 4a, we use Arm64.

$ wget

Extract and rename the binary to frida-server:

$ unxz frida-server-14.2.3-android-arm64.xz
$ mv frida-server-14.2.3-android-arm64 frida-server

Upload frida-server to your Android device and mark it as executable:

$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"

Get a shell, elevate to root, execute and background frida-server:

$ adb shell
sunfish:/ $ su
sunfish:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
sunfish:/ # /data/local/tmp/frida-server &
[1] 9555

Verify frida-server is running as root:

$ adb shell
sunfish:/ $ ps -e | grep frida-server
root  9555 1 10851964  3636 do_sys_poll 0 S frida-server

Confirmed to be running as the root user, let’s move on.

Setup Frida Tools

This can be accomplished with pip, the Python package installer. Frida prefers Python3 and I have pip3 configured as the package installer for my Python3 environment.

$ pip3 install frida-tools

Frida Basics

Get list of running applications:

$ frida-ps -Ua

Should return something like:

  PID  Name                        Identifier
-----  --------------------------  -----------------------------------------
 1601  Android System              android
 2151  Bluetooth         
 1601  Call Management   
 5900  Carrier Services  
 2529  CneApp                      com.qualcomm.qti.cne

Attach to a process:

$ frida -U org.mozilla.firefox

Attach to a process and load Frida script:

$ frida -U org.mozilla.firefox -l script.js

That is all for now.

Thank you for reading and hope you enjoyed as an initial walkthrough or reference next time you need Frida up in a hurry. Have an issue or want to comment, tweet me.

All the best,