Frida is a dynamic instrumentation toolkit built for developers and reverse engineers, but, like many other development tools, it is also used by malicious actors to compromise mobile apps (including yours).
Here are the top 7 ways cybercriminals use Frida to compromise mobile apps:
- Monitor cryptographic API calls and capture the algorithm, mode and key material in use in a mobile application (often used to probe for weaknesses in the app's encryption model, or to lift keys out of the running process).
- Trace function calls at runtime to understand how the code behaves, which specific instructions or operations it runs, or to generate a backtrace for a thread (this reconnaissance is typically a precursor to the malicious hooking described below).
- Hook functions: intercept calls, attach to a running process and interact with the application dynamically, all inside the context of the running app. This lets a malicious actor inject code that is 'context sensitive' to the app. It is especially useful in mobile fraud because it allows fraudsters to build app experiences that look and feel like 'the real thing' to mobile users. These abuses are typically aimed at mobile banking, fintech, retail and eCommerce apps, where users have established a degree of trust in the app; the fraudster abuses that trust relationship by creating an experience in which the user believes they are interacting with a trusted entity.
- Inject malware that exploits specific known or newly discovered vulnerabilities in the code, or update existing malware. For compromising Android apps, Frida is especially effective in combination with ADB (the Android Debug Bridge), whose built-in remote shell is often misused as a channel to deliver backdoors or trojanize apps.
- Disable SSL/TLS pinning and then intercept the network traffic with a proxy such as mitmproxy or Charles Proxy (or inspect it with a packet analyzer such as Wireshark). This lets a malicious actor read the traffic and, in some cases, alter the payload (often used to cheat in multiplayer games where the game state is kept on a remote server rather than inside the app).
- Bypass root detection or turn off anti-tampering protections that have been hardcoded into the app. For this, Frida is often used in conjunction with Android rooting tools like Magisk.
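The first three items (monitoring cryptographic calls, tracing, and hooking) all reduce to one Frida primitive: replacing a Java method's implementation from a script injected into the process. The script below is an added example written for this page, not code from the original post or from the Frida project. It hooks javax.crypto.Cipher in an Android app to log the transformation string, the raw key bytes and the Java call stack of every init() call, and flags the weak choices an attacker probing the encryption model would look for. The package name com.example.target and the file name crypto-monitor.js are placeholders; everything else uses only the public Frida Java bridge and the standard Android APIs.

```javascript
// Added example, not from the original post: a Frida script that hooks the
// javax.crypto API inside an Android app to record the cipher transformation,
// the key bytes and the Java call stack of every Cipher.init() call.
// Run with:  frida -U -f com.example.target -l crypto-monitor.js
// (package name and file name are placeholders; nothing here is app-specific.)

// Symmetric algorithms whose presence is itself a finding.
const WEAK_ALGORITHMS = ['DES', 'DESEDE', 'RC4', 'ARCFOUR', 'RC2', 'BLOWFISH'];

// Render a byte sequence (plain array, Uint8Array, or a Frida Java byte[]
// wrapper whose elements are signed Java bytes) as lowercase hex.
function bytesToHex(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    out += (bytes[i] & 0xff).toString(16).padStart(2, '0');
  }
  return out;
}

// Parse a JCE transformation such as "AES/ECB/PKCS5Padding" into its parts and
// flag the choices that weaken the app's encryption model.
function classifyTransformation(transformation) {
  const parts = String(transformation).split('/');
  const algorithm = parts[0].toUpperCase();
  const mode = parts.length > 1 ? parts[1].toUpperCase() : null;
  const padding = parts.length > 2 ? parts[2] : null;
  const warnings = [];
  if (WEAK_ALGORITHMS.indexOf(algorithm) !== -1) {
    warnings.push('legacy algorithm ' + algorithm);
  }
  if (mode === null && ['AES', 'DES', 'DESEDE'].indexOf(algorithm) !== -1) {
    warnings.push('no mode given; the provider default is usually ECB');
  }
  if (mode === 'ECB') {
    warnings.push('ECB mode leaks plaintext block patterns');
  }
  if (mode === 'CBC') {
    warnings.push('CBC is unauthenticated; check that a MAC or an AEAD mode protects the ciphertext');
  }
  return { algorithm: algorithm, mode: mode, padding: padding, warnings: warnings };
}

// The hooks only exist inside Frida's Java bridge; the guard lets the helper
// functions above be exercised outside the target process as well.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const Cipher = Java.use('javax.crypto.Cipher');
    const Log = Java.use('android.util.Log');
    const Exception = Java.use('java.lang.Exception');

    // Cipher.init(int opmode, Key key): the Key object carries the key material.
    // Keep a handle to the exact overload so the original can be called back safely.
    const cipherInit = Cipher.init.overload('int', 'java.security.Key');
    cipherInit.implementation = function (opmode, key) {
      const transformation = this.getAlgorithm();   // e.g. "AES/CBC/PKCS5Padding"
      const encoded = key.getEncoded();             // null for non-extractable (Keystore-backed) keys
      const keyHex = encoded === null ? '<not extractable>' : bytesToHex(encoded);
      console.log('[cipher] ' + transformation + ' opmode=' + opmode
        + ' keyalg=' + key.getAlgorithm() + ' key=' + keyHex);
      classifyTransformation(transformation).warnings.forEach(function (w) {
        console.log('  ! ' + w);
      });
      // Java-level backtrace: which app code reached this call (the "trace" item).
      console.log(Log.getStackTraceString(Exception.$new()));
      return cipherInit.call(this, opmode, key);
    };

    // Trace doFinal(byte[]) to see plaintext/ciphertext sizes without dumping them.
    const cipherDoFinal = Cipher.doFinal.overload('[B');
    cipherDoFinal.implementation = function (input) {
      const output = cipherDoFinal.call(this, input);
      console.log('[cipher] doFinal ' + this.getAlgorithm()
        + ' in=' + input.length + 'B out=' + output.length + 'B');
      return output;
    };
  });
}
```

Only the two-argument init() and the single-array doFinal() are hooked; the other overloads (those taking an AlgorithmParameterSpec, a SecureRandom, or offsets) are hooked the same way. Keys held in the Android Keystore come back from getEncoded() as null, which is exactly why moving keys into hardware-backed storage blunts this kind of monitoring even when the hook itself succeeds.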
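The pinning-bypass and root-detection items are the same primitive pointed at the app's own defensive checks: the method that would fail is replaced with one that does not. The script below is an added example for this page, not code from the original post or from the Frida project. It swaps the trust managers the app installs into any SSLContext for a permissive one, turns OkHttp's CertificatePinner.check() into a no-op, hides common root indicator paths from java.io.File.exists(), and rewrites Build.TAGS so a test-keys build reports release-keys. The class name org.example.frida.PermissiveTrustManager, the package com.example.target and the indicator path list are assumptions chosen for illustration.

```javascript
// Added example, not from the original post: a Frida script that strips two
// client-side controls from an Android app so its traffic can be proxied and it
// runs on a rooted device: TLS certificate pinning and root detection.
// Run with:  frida -U -f com.example.target -l bypass.js   (placeholder names)

// Paths that common root checks probe with File.exists(); the hook below makes
// them appear absent. The list is illustrative, not exhaustive.
const ROOT_INDICATOR_PATHS = [
  '/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su',
  '/system/app/Superuser.apk', '/system/app/SuperSU.apk',
  '/data/adb/magisk', '/sbin/.magisk'
];

// True for an indicator path itself or anything underneath one.
function isRootIndicator(path) {
  const p = String(path);
  for (let i = 0; i < ROOT_INDICATOR_PATHS.length; i++) {
    const indicator = ROOT_INDICATOR_PATHS[i];
    if (p === indicator || p.indexOf(indicator + '/') === 0) return true;
  }
  return false;
}

// Root checks also look at Build.TAGS: 'test-keys' marks a custom build,
// 'release-keys' a stock one.
function isTestKeysBuild(tags) {
  return String(tags).indexOf('test-keys') !== -1;
}

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // --- TLS pinning ------------------------------------------------------
    // 1. Every SSLContext the app initialises gets a trust manager that accepts
    //    any chain, so the MITM proxy's certificate is accepted.
    const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    const SSLContext = Java.use('javax.net.ssl.SSLContext');
    const PermissiveTrustManager = Java.registerClass({
      name: 'org.example.frida.PermissiveTrustManager',   // hypothetical class name
      implements: [X509TrustManager],
      methods: {
        checkClientTrusted: function (chain, authType) {},
        checkServerTrusted: function (chain, authType) {},
        getAcceptedIssuers: function () { return []; }
      }
    });
    const sslContextInit = SSLContext.init.overload(
      '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
    sslContextInit.implementation = function (keyManagers, trustManagers, random) {
      console.log('[pin] SSLContext.init: replacing the app\'s trust managers');
      return sslContextInit.call(this, keyManagers, [PermissiveTrustManager.$new()], random);
    };
    // 2. OkHttp's CertificatePinner.check() throws on a pin mismatch; make it a
    //    no-op. The class is absent from apps that do not ship OkHttp, hence try/catch.
    try {
      const CertificatePinner = Java.use('okhttp3.CertificatePinner');
      CertificatePinner.check.overload('java.lang.String', 'java.util.List')
        .implementation = function (hostname, peerCertificates) {
          console.log('[pin] OkHttp pin check skipped for ' + hostname);
        };
    } catch (e) {
      console.log('[pin] okhttp3.CertificatePinner not loaded');
    }

    // --- Root detection ---------------------------------------------------
    const File = Java.use('java.io.File');
    const fileExists = File.exists;
    fileExists.implementation = function () {
      const path = this.getAbsolutePath();
      if (isRootIndicator(path)) {
        console.log('[root] hiding ' + path);
        return false;
      }
      return fileExists.call(this);
    };
    const Build = Java.use('android.os.Build');
    if (isTestKeysBuild(Build.TAGS.value)) {
      Build.TAGS.value = 'release-keys';
    }
  });
}
```

This covers pinning and root checks implemented in Java, which is where most apps do them; pinning performed in native code (a bundled TLS library, for instance) or checks evaluated server-side are untouched by these hooks. That asymmetry is the point of the last list item: a protection that lives only in Java, whether it is a pin check or an anti-tampering routine, is one method override away from being switched off.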