phantom-frida

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/TheQmaks/phantom-frida
• Blog Title: phantom-frida
• Suggested Section: Mobile Pentesting -> Android Applications Pentesting -> Android Anti Instrumentation And Ssl Pinning Bypass (add subsection: 'Bypassing Anti-Frida Detection / Stealth Frida Servers')

🎯 Content Summary

Title/What it is
phantom-frida is a build + patch framework that generates a stealth (anti-detection) Frida server by cloning Frida from source, applying ~90 patches, and recompiling so common Frida fingerprints are removed or renamed. It focuses on bypassing real-world anti-Frida / anti-hooking / anti-tamper checks used by Android apps by eliminating recognizable identifiers (process name, library name, exported symbols, thread names, D-Bus names, ports, temp paths, and even r...

🔧 Technical Details

1. Fingerprint-evasion via full rebuild + systematic renaming: If an app detects Frida by matching known identifiers (process name frida-server via /proc//cmdline/ps, mapped agent library libfrida-agent.so via /proc/self/maps, thread names via /proc/self/task//comm, D-Bus service re.frida.server via introspection, or symbol lookups like frida_agent_main via dlsym), rebuild Frida from source and apply coordinated string/symbol/thread/service renames so these simple signature checks no longer match.
   
   2) Bypass memfd-based detection by changing memfd names: Some detectors enumerate file descriptors and resolve them with readlink on /proc/self/fd/ to find Frida’s in-memory-loaded agent (e.g., frida-agent-64.so). Changing the memfd label (e.g., to jit-cache) breaks naïve FD-name signatures while keepi...

🤖 Agent Actions

Summary:

• Added a new “Bypassing Anti-Frida Detection / Stealth Frida Servers” section detailing how to use phantom-frida to strip Frida fingerprints across process/library/thread names, memfd labels, symbols, SELinux labels, ports, temp paths, and binary strings while keeping protocol compatibility.
• Documented phantom-frida build phases, covered detection vectors (base vs. extended), and provided concise Android build/deploy commands plus key flags/WSL helper usage.
• Updated references to include the phantom-frida project.

Tests:

• Not run (not applicable).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/TheQmaks/phantom-frida

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting -> Android Anti Instrumentation And Ssl Pinning Bypass (add subsection: 'Bypassing Anti-Frida Detection / Stealth Frida Servers')".

Repository Maintenance:

• MD Files Formatting: 948 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0