phantom-frida

April 1, 2026 · View on GitHub

Build anti-detection Frida server from source. Covers 16 detection vectors with ~90 patches.

Extended beyond ajeossida with additional stealth techniques: custom port, binary string sweep, internal symbol renaming, temp path obfuscation, and more.

How it works

Phantom-frida clones Frida source, applies patches in 4 phases (source, targeted, post-build, binary), and compiles a custom server where all identifiable "frida" strings, symbols, thread names, and file paths are replaced with a custom name.

Standard Frida client (pip install frida-tools) connects to the patched server normally — the client-server protocol is preserved.

Quick Start

  1. Fork this repo
  2. Actions > Build Custom Frida > Run workflow
  3. Choose version, name, architecture, options
  4. Download artifacts (~8 min with cache, ~35 min cold build)

Weekly auto-builds

The Weekly Stealth Build workflow runs every Sunday:

  • Detects latest Frida version automatically
  • Generates a random name and port via namegen.py
  • Builds with --extended for maximum stealth
  • Creates a GitHub Release with binary + build-info.json

Local build (WSL Ubuntu)

python3 build.py --version 17.7.2

# Full options:
python3 build.py --version 17.7.2 --name myserver --port 27142 --extended --verify

# Patch only (inspect changes without compiling):
python3 build.py --version 17.7.2 --skip-build

WSL helper script

wsl -d Ubuntu bash build-wsl.sh

# With options:
FRIDA_VERSION=17.7.2 CUSTOM_NAME=myserver CUSTOM_PORT=27142 EXTENDED=1 \
  wsl -d Ubuntu bash build-wsl.sh

Detection Vectors

#VectorDetection methodBaseExtended
1Process name frida-server/proc/*/cmdline, psRenamedRenamed
2libfrida-agent.so in maps/proc/self/maps scanRenamedRenamed
3Thread names gum-js-loop, gmain, gdbus/proc/self/task/*/commRenamedRenamed
4memfd name frida-agent-64.so/proc/self/fd/ readlinkjit-cachejit-cache
5frida_agent_main symboldlsym / memory scanRenamedRenamed
6SELinux labels frida_fileSELinux context checkRenamedRenamed
7libc hooks (exit, signal)Hook detectionDisabledDisabled
8D-Bus service re.frida.serverD-Bus introspectionRenamedRenamed
9Default port 27042connect() scan---port N
10D-Bus interfacesProtocol inspection-Renamed
11Internal C symbolsMemory string scan-Renamed
12GType names FridaServerGObject introspection-Renamed
13Temp paths .frida, frida-Filesystem scan-Renamed
14Binary string residualsBinary strings scan-Swept
15Build config definesMemory scan-Renamed
16Asset directory libdir/fridaPath inspection-Renamed

Options

--version, -v    Frida version to build (required)
--name, -n       Custom name replacing 'frida' (default: ajeossida; use random for stealth)
--arch, -a       Target arch (default: android-arm64)
--port, -p       Custom listening port (default: 27042)
--extended, -e   Enable extended anti-detection (vectors 9-16)
--temp-fixes     Stability fixes (perfetto skip, cloak detach)
--verify         Scan output for residual 'frida' strings
--skip-build     Apply patches only, don't compile
--skip-clone     Use existing source in work-dir
--ndk-path       Path to existing Android NDK r29

Deploy

# Push to device
adb push output/myserver-server-17.7.2-android-arm64 /data/local/tmp/myserver-server
adb shell chmod 755 /data/local/tmp/myserver-server

# Start (default port 27042)
adb shell /data/local/tmp/myserver-server -D &
frida -U -f com.example.app

# Start (custom port)
adb shell /data/local/tmp/myserver-server -D &
adb forward tcp:27142 tcp:27142
frida -H 127.0.0.1:27142 -f com.example.app

Each weekly release includes a build-info.json with the name, port, version, and architecture.

Build Phases

  1. Source patches: Global string replacement across the entire Frida source tree. Renames all frida-agent, frida-helper, frida-server, re.frida.* references. Rebuilds Android helper DEX with renamed Java package.

  2. Targeted patches: Specific fixes for build system files (meson.build), memfd names, libc hook disabling, SELinux labels.

  3. Post-build patches: After first compilation, renames frida_agent_main symbol (generated by Vala compiler, only exists in build output). Requires a second incremental build.

  4. Binary patches: Hex-level replacements in compiled binaries — thread names (gmain, gdbus, pool-spawner), and optional binary string sweep for residual frida/Frida strings.

Architecture

build.py                Main build script (clone, patch, compile, collect)
patches.py              All patch definitions (87 patches + 17 rollbacks)
namegen.py              Random name/port generator for stealth builds
build-wsl.sh            WSL helper script
test_comprehensive.js   Anti-detection + Java bridge verification script
.github/workflows/
  build.yml             Manual build workflow
  scheduled-build.yml   Weekly auto-build with releases

Requirements

  • Ubuntu 22.04+ (WSL works)
  • Python 3.10+
  • Git, curl, unzip, make
  • ~20 GB free disk space
  • Android NDK r29 (auto-downloaded)

Version Support

FridaStatus
17.xFully verified against source
16.xCompatible (auto-detects API differences)

Tested Apps

Verified on arm64 Android 14 device with --extended:

AppJava bridgeHooksAnti-detection
Telegram28,772 classesSSL+cryptoAll clean
Google Play Store47,305 classesActivity hooksAll clean
Facebook54,064 classesBasic hooksAll clean
Magisk27,737 classesActivity hooksAll clean

Known Limitations

  • arm32 apps (Chrome): Frida upstream bug #2878invalid instruction in _patchCode. Not a phantom-frida issue.
  • D-Bus interface names (re.frida.HostSession17 etc.): Intentionally NOT renamed in base mode. These are the client-server protocol — renaming server-side would break standard frida client. Not a detection vector (only visible over USB/TCP channel).

Credits

  • Frida by Ole Andre Ravnas
  • ajeossida by hackcatml — original stealth Frida concept
  • Detection vector research from the Android security community

License

MIT