Context
MASTG-DEMO-0x86 (emulator detection, linked to MASTG-TEST-0x49) currently uses a custom Frida script (script.js) to trace emulator detection APIs at runtime.
A hooks.json for Frooky was partially written:
What was achieved
The following hooks are working correctly in hooks.json:
| Hook |
Status |
android.os.Build.getRadioVersion() |
✅ captured |
ApplicationPackageManager.hasSystemFeature (both overloads) |
✅ captured |
TelephonyManager × 8 methods |
✅ captured |
ApplicationPackageManager.queryIntentActivities (both overloads) |
✅ captured |
ApplicationPackageManager.getPackageInfo (both overloads) |
✅ captured |
ActivityManager.getRunningServices |
✅ captured |
GLES20.glGetString × 3 |
✅ captured |
All hooks use filterEventsByStacktrace: ["org.owasp.mastestapp.MastgTest"].
What is missing
1. Build.* static field reads (12 fields) — Frooky limitation
The app reads Build static fields directly (Build.BOARD, Build.BRAND, Build.DEVICE, Build.FINGERPRINT, Build.MODEL, Build.MANUFACTURER, Build.PRODUCT, Build.HARDWARE, Build.ID, Build.SERIAL, Build.TAGS, Build.USER). These are not interceptable via Frida Java instrumentation.
Currently captured only by script.js which hooks the internal MastgTest.queryBuildValue() method. A fix would require either Frooky support for static field interception, or refactoring the sample to use a hookable wrapper method.
2. identityHashCode errors in Frooky for ActivityManager.getRunningServices and GLES20.glGetString
Frooky logs a non-fatal error for these hooks:
Error in identityHashCode Error: identityHashCode(): argument types do not match any of: .overload('java.lang.Object')
Events are still captured but this may be a Frooky bug worth fixing.
Next steps
Context
MASTG-DEMO-0x86 (emulator detection, linked to MASTG-TEST-0x49) currently uses a custom Frida script (
script.js) to trace emulator detection APIs at runtime.A
hooks.jsonfor Frooky was partially written:What was achieved
The following hooks are working correctly in
hooks.json:android.os.Build.getRadioVersion()ApplicationPackageManager.hasSystemFeature(both overloads)TelephonyManager× 8 methodsApplicationPackageManager.queryIntentActivities(both overloads)ApplicationPackageManager.getPackageInfo(both overloads)ActivityManager.getRunningServicesGLES20.glGetString× 3All hooks use
filterEventsByStacktrace: ["org.owasp.mastestapp.MastgTest"].What is missing
1.
Build.*static field reads (12 fields) — Frooky limitationThe app reads Build static fields directly (
Build.BOARD,Build.BRAND,Build.DEVICE,Build.FINGERPRINT,Build.MODEL,Build.MANUFACTURER,Build.PRODUCT,Build.HARDWARE,Build.ID,Build.SERIAL,Build.TAGS,Build.USER). These are not interceptable via Frida Java instrumentation.Currently captured only by
script.jswhich hooks the internalMastgTest.queryBuildValue()method. A fix would require either Frooky support for static field interception, or refactoring the sample to use a hookable wrapper method.2.
identityHashCodeerrors in Frooky forActivityManager.getRunningServicesandGLES20.glGetStringFrooky logs a non-fatal error for these hooks:
Events are still captured but this may be a Frooky bug worth fixing.
Next steps
Build.*readsidentityHashCodeerror in Frooky forListand native-backed return typeshooks.jsonand produce a cleanoutput.jsonto replaceoutput.txtoutput.jsonandhooks.json