Top Android apps vulnerable to reverse engineering tool Frida


A “significant” security gap that makes 97% of the most popular Android apps vulnerable to the reverse engineering tool Frida can be exploited by bad actors, cybersecurity experts have warned.

Promon, a Norwegian cybersecurity firm, analyzed 150 top Android apps and found that 144 of them could be successfully configured to operate within Frida’s controlled testing environment.

Of these, only three actively detected Frida’s presence and responded by either shutting down or limiting functionality, according to Promon.

Frida is a dynamic instrumentation toolkit that’s grown increasingly popular among security researchers, reverse engineers, and malware analysts. While it can be used for legitimate security testing and analysis, it has also become one of the primary tools used by malicious actors attacking apps.

“Although not all apps need to detect Frida, the fact that 97% do not detect it raises significant concerns; it’s an open invitation for exploitation,” Simon Lardinois, a security researcher at Promon, said.

“It's not hard to imagine that Frida is the first point of call for most bad actors seeking to manipulate app behavior, bypass security protections, and harvest sensitive data,” Lardinois warned.

The toolkit is considered the “essential first step” to reverse engineering an app, according to cybersecurity experts, who expressed surprise that so few of the top apps are protected from what they describe as the most common hooking framework.

“For some apps, relying on a free solution that can detect basic forms of rooting can be enough to secure themselves. But for apps that process sensitive data or have sensitive features, this is certainly a wake-up call to implement more robust detections for Frida,” Lardinois said.

Cat and mouse game

Researchers examined each app’s security mechanism against the standard, open-source version of Frida. That so many top-tier apps did not have protections indicates a “significant security gap” in their defense strategies, according to Promon’s report.

“These findings underscore the need for increased awareness and proactive security measures within the Android development community,” the report said.

Incorporating Frida detection techniques should become a “critical focus” for organizations that seek to keep their app integrity and user data intact, it added.

Traditional detection methods range from identifying unique library names and memory strings associated with Frida to examining named threads, enumerating exported functions, and monitoring network resources.
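Three of the checks listed above (library names, named threads, network resources), as an added example that is not code from Promon's report or from this article: C functions that scan `/proc` text for artifacts of a stock Frida build. The marker strings, thread names and port 27042 are assumed defaults of unmodified Frida, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Assumed indicators of a stock Frida build; a customized build can rename them. */
static const char *LIB_MARKERS[] = { "frida-agent", "frida-gadget" };
static const char *THREAD_NAMES[] = { "gum-js-loop", "gmain", "pool-frida" };
#define FRIDA_PORT 27042u /* default frida-server listener (0x69A2) */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed samples of /proc/self/maps and /proc/net/tcp content. */
static const char SAMPLE_MAPS[] =
    "7a1c000000-7a1c200000 r-xp 00000000 fd:00 1201 /system/lib64/libc.so\n"
    "7b2d000000-7b2e400000 r-xp 00000000 00:05 9912 /data/local/tmp/frida-agent-64.so\n"
    "7b2e400000-7b2e480000 rw-p 01400000 00:05 9912 /data/local/tmp/frida-agent-64.so\n";
static const char SAMPLE_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue\n"
    "   0: 0100007F:69A2 00000000:0000 0A 00000000:00000000\n";

/* Lines of /proc/<pid>/maps text naming a Frida library (once per marker per line). */
int count_frida_mappings(const char *maps) {
    int hits = 0;
    for (size_t i = 0; i < COUNT(LIB_MARKERS); i++)
        for (const char *p = maps; (p = strstr(p, LIB_MARKERS[i])) != NULL; p += strcspn(p, "\n"))
            hits++;
    return hits;
}

/* Exact match of one /proc/<pid>/task/<tid>/comm value, trailing newline ignored. */
int is_frida_thread(const char *comm) {
    size_t n = strcspn(comm, "\n");
    for (size_t i = 0; i < COUNT(THREAD_NAMES); i++)
        if (strlen(THREAD_NAMES[i]) == n && !memcmp(comm, THREAD_NAMES[i], n)) return 1;
    return 0;
}

/* 1 if /proc/net/tcp text shows a socket in LISTEN state (st == 0A) on `port`. */
int listens_on(const char *tcp, unsigned port) {
    for (; *tcp; tcp += strcspn(tcp, "\n"), tcp += (*tcp == '\n')) {
        unsigned lport, st;
        if (sscanf(tcp, " %*d: %*8[0-9A-Fa-f]:%x %*8[0-9A-Fa-f]:%*x %x", &lport, &st) == 2
            && lport == port && st == 0x0A) return 1;
    }
    return 0;
}

int main(void) {
    printf("maps hits=%d thread=%d port=%d\n", count_frida_mappings(SAMPLE_MAPS),
           is_frida_thread("gum-js-loop\n"), listens_on(SAMPLE_TCP, FRIDA_PORT));
    return 0;
}
```

Each function is a pure string check, so an app would feed it the contents it reads from its own `/proc` entries; every indicator here is a fixed name or number, which is exactly what the renamed or stripped-down builds described below defeat.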

At the same time, evasion techniques are becoming more sophisticated, with attackers customizing or “stripping down” Frida to hide its footprint and bypass known detection mechanisms, according to Promon.

While machine learning-based or hardware-assisted detection could provide more robust protections in the future, ongoing advancements in evasion techniques mean the cat-and-mouse game between developers and attackers will persist, experts warned.

While researchers did not name specific apps in their report, they analyzed 150 of the most popular apps based on monthly active users as of November 2024. Collectively, these apps are used by more than 550 million people daily, with each tested app averaging 206 million monthly users, according to the report.