
Process Injection Detection

Protection Module: ProcessInjection

Detect process injection frameworks and tools that attempt to modify application behavior at runtime.

Available for: Android full (Frida, Xposed, Substrate), Desktop partial (process detection)


How It Works

The Process Injection Detection module identifies instrumentation frameworks and injection tools that attempt to modify application behavior at runtime through code hooking and patching.

Detection Techniques

Android Frida Detection:

  • File-based detection: /data/local/tmp/re.frida.server, frida-agent*.so, frida-gadget*.so (0.8 confidence)
  • Port scanning: port 27042 (0.7 confidence)
  • Library detection: libfrida-gadget.so (0.95 confidence)

Android Xposed Detection:

  • Class detection: de.robv.android.xposed.XposedBridge (0.95 confidence)
  • File-based: /system/framework/XposedBridge.jar (0.85 confidence)
  • Package detection: de.robv.android.xposed.installer, edxposed.manager (0.8 confidence)

Android Cydia Substrate Detection:

  • Library detection: /system/lib/libsubstrate.so (0.8 confidence)

Desktop Tool Detection:

  • Frida process detection (0.9 confidence)
  • Xenos, extremeinjector, dllinjector, ghinjector, cheatengine (0.9 confidence)

Sensitivity Levels:

  • Strict: 0.5 (highest sensitivity)
  • Normal: 0.7 (default)
  • Lenient: 0.9 (lowest sensitivity)

Default detection interval: 30 seconds


Configuration

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "ProcessInjection",
      "action": "close",
      "intervalMs": 30000
    }
  ]
}

Kotlin Configuration

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.addProtection(
        ProtectionModuleType.PROCESS_INJECTION,
        ActionType.CLOSE,
        30000
    )
}

Java Configuration

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.PROCESS_INJECTION,
        ActionType.CLOSE,
        30000
    );
});

Custom Action Configuration

Kotlin
import android.util.Log
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    // Register the handler under a name first; the threat object exposes the fields below.
    config.registerCustomAction("my-injection-action") { threat ->
        val threatType = threat.getThreatType()      // String
        val description = threat.getDescription()    // String
        val confidence = threat.getConfidence()      // Double (0.0-1.0)
        val metadata = threat.getMetadata()          // Map<String, Object>

        Log.e("Injection", "Detected: $threatType (Confidence: $confidence)")
    }

    // Then bind the module to that handler by name, with the 30-second detection interval.
    config.addProtection(
        ProtectionModuleType.PROCESS_INJECTION,
        "my-injection-action",
        30000
    )
}

Available Actions

Action | Behavior                            | Recommended For
Close  | Terminate application immediately   | Production apps with critical IP
Log    | Record incident and continue        | Development, analytics
Erase  | Securely delete data then terminate | Financial, healthcare apps
Custom | Execute custom handler              | Enterprise integrations
None   | Detect only, no action              | Testing configurations
Block  | Block the operation                 | Not applicable for this module

See Actions for detailed action documentation.


When to Use

Enable Process Injection Detection when:

  • Protecting against runtime code hooking and patching
  • Detecting instrumentation frameworks like Frida and Xposed
  • Preventing function interception and behavior modification
  • Defending against advanced reverse engineering attempts
  • Protecting sensitive operations from runtime modification
  • Ensuring code execution integrity

Code Examples

Kotlin - Basic Integration

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

class SecurityManager {
    fun initializeInjectionProtection() {
        Monitor.configure { config ->
            config.addProtection(
                ProtectionModuleType.PROCESS_INJECTION,
                ActionType.CLOSE,
                30000
            )
        }
    }
}

Kotlin - Detailed Framework Detection

Kotlin
import android.util.Log
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.registerCustomAction("detect-injection-framework") { threat ->
        val threatType = threat.getThreatType()
        val confidence = threat.getConfidence()
        val metadata = threat.getMetadata()

        // Metadata keys differ per framework, so each is read with a safe cast.
        when (threatType) {
            "frida" -> {
                Log.e("Security", "Frida framework detected!")
                val libraryPath = metadata["libraryPath"] as? String
                val detectionMethod = metadata["detectionMethod"] as? String
                Log.d("Details", "Library: $libraryPath, Method: $detectionMethod")
            }
            "xposed" -> {
                Log.e("Security", "Xposed framework detected!")
                val className = metadata["className"] as? String
                Log.d("Details", "Class: $className")
            }
            "cydia_substrate" -> {
                Log.e("Security", "Cydia Substrate detected!")
                val libraryPath = metadata["libraryPath"] as? String
                Log.d("Details", "Library: $libraryPath")
            }
            "xenos" -> {
                Log.e("Security", "Xenos injector detected!")
            }
            "cheatengine" -> {
                Log.w("Security", "CheatEngine detected (Confidence: $confidence)")
            }
            // Do not silently drop threat types this handler does not know about.
            else -> {
                Log.w("Security", "Unhandled injection threat: $threatType (Confidence: $confidence)")
            }
        }
    }

    config.addProtection(
        ProtectionModuleType.PROCESS_INJECTION,
        "detect-injection-framework",
        30000
    )
}

Java - Basic Integration

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

public class SecurityManager {
    public void initializeInjectionProtection() {
        Monitor.configure(config -> {
            config.addProtection(
                ProtectionModuleType.PROCESS_INJECTION,
                ActionType.CLOSE,
                30000
            );
        });
    }
}

Platform Compatibility

Platform     | Status            | Notes
Android 5.0+ | ✓ Fully Supported | Frida, Xposed, Substrate detection
Android 9+   | ✓ Optimized       | Enhanced library scanning
Android 12+  | ✓ Optimized       | Improved sandbox detection
Desktop Java | ◐ Partial         | Process injection detection only
Linux        | ◐ Partial         | Process-based detection

Performance Impact

  • CPU Impact: 2-3% increase during detection cycles
  • Memory Overhead: ~600 KB for framework signatures
  • Detection Latency: 80-150 ms per cycle
  • Battery Impact: Low to moderate (frequent library scanning)

Threat Detection Details

JSON
{
  "detection": {
    "threatType": "frida",
    "timestamp": "2026-03-03T16:05:18.523Z",
    "description": "Frida instrumentation framework detected",
    "confidence": 0.95,
    "metadata": {
      "detectionMethod": "library_detection",
      "libraryPath": "/data/local/tmp/libfrida-gadget.so",
      "frameworkName": "Frida",
      "serverPort": 27042,
      "injectionMethod": "gadget"
    }
  }
}

JSON
{
  "detection": {
    "threatType": "xposed",
    "timestamp": "2026-03-03T16:06:42.187Z",
    "description": "Xposed framework detected via class inspection",
    "confidence": 0.95,
    "metadata": {
      "detectionMethod": "class_detection",
      "className": "de.robv.android.xposed.XposedBridge",
      "frameworkName": "Xposed",
      "installerPackage": "de.robv.android.xposed.installer"
    }
  }
}

JSON
{
  "detection": {
    "threatType": "cydia_substrate",
    "timestamp": "2026-03-03T16:07:55.412Z",
    "description": "Cydia Substrate injection detected",
    "confidence": 0.8,
    "metadata": {
      "detectionMethod": "library_detection",
      "libraryPath": "/system/lib/libsubstrate.so",
      "frameworkName": "Cydia Substrate"
    }
  }
}
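The records above and the Sensitivity Levels listed under "How It Works" are easiest to reason about with a small consumer that reads them. The following is an added example, not ByteHide's code: it parses constructed detection events shaped like the three records above (plus two lower-confidence Frida events using the per-technique confidences from the "Detection Techniques" list), applies the Strict/Normal/Lenient thresholds, and builds a compact audit line from whichever metadata keys a record happens to carry. Two things are assumptions rather than documented behavior: that a detection is acted on when its confidence is greater than or equal to the threshold for the configured level, and the noisy-OR combination in corroborate(), which illustrates how several independent weak signals for one framework add up and is not the SDK's own scoring.

```python
import json

# Sensitivity thresholds from the page: Strict 0.5, Normal 0.7 (default), Lenient 0.9.
# Assumption (not spelled out on the page): a detection is acted on when its
# confidence is greater than or equal to the configured threshold.
SENSITIVITY = {"strict": 0.5, "normal": 0.7, "lenient": 0.9}

# Constructed sample events (not real SDK output). The first three follow the
# page's "Threat Detection Details" records; the last two reuse the lower
# per-technique confidences listed under "Detection Techniques".
SAMPLE_EVENTS = [
    '{"detection": {"threatType": "frida", "confidence": 0.95, "metadata": '
    '{"detectionMethod": "library_detection", "libraryPath": "/data/local/tmp/libfrida-gadget.so", "serverPort": 27042}}}',
    '{"detection": {"threatType": "xposed", "confidence": 0.95, "metadata": '
    '{"detectionMethod": "class_detection", "className": "de.robv.android.xposed.XposedBridge"}}}',
    '{"detection": {"threatType": "cydia_substrate", "confidence": 0.8, "metadata": '
    '{"detectionMethod": "library_detection", "libraryPath": "/system/lib/libsubstrate.so"}}}',
    '{"detection": {"threatType": "frida", "confidence": 0.7, "metadata": '
    '{"detectionMethod": "port_scan", "serverPort": 27042}}}',
    '{"detection": {"threatType": "frida", "confidence": 0.8, "metadata": '
    '{"detectionMethod": "file_detection", "libraryPath": "/data/local/tmp/re.frida.server"}}}',
]


def parse_event(line):
    """Parse one JSON event line into (threatType, confidence, metadata).

    Malformed lines or lines missing required fields raise ValueError so a
    consumer fails loudly instead of silently dropping a detection.
    """
    try:
        det = json.loads(line)["detection"]
        threat_type = det["threatType"]
        confidence = float(det["confidence"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"malformed detection event: {exc}") from exc
    if not 0.0 <= confidence <= 1.0:
        raise ValueError(f"confidence out of range: {confidence}")
    return threat_type, confidence, det.get("metadata") or {}


def fires(confidence, level):
    """True when the detection meets the threshold for the given sensitivity level."""
    return confidence >= SENSITIVITY[level]


def describe(threat_type, metadata):
    """Build a compact audit string from whichever metadata keys are present.
    The page shows different keys per framework, so none is required."""
    parts = [threat_type]
    for key in ("detectionMethod", "libraryPath", "className", "serverPort"):
        if key in metadata:
            parts.append(f"{key}={metadata[key]}")
    return " ".join(parts)


def triage(lines, level="normal"):
    """Apply the sensitivity threshold to each event and return audit rows."""
    rows = []
    for line in lines:
        threat_type, confidence, metadata = parse_event(line)
        rows.append({
            "threatType": threat_type,
            "confidence": confidence,
            "action": "close" if fires(confidence, level) else "ignore",
            "summary": describe(threat_type, metadata),
        })
    return rows


def combined_confidence(confidences):
    """Combine independent signals for one framework with noisy-OR,
    1 - prod(1 - c_i). Illustrates corroborating evidence; not the SDK's scoring."""
    miss = 1.0
    for c in confidences:
        miss *= 1.0 - c
    return round(1.0 - miss, 4)


def corroborate(lines):
    """Group events by threatType and return the combined confidence per framework."""
    by_type = {}
    for line in lines:
        threat_type, confidence, _ = parse_event(line)
        by_type.setdefault(threat_type, []).append(confidence)
    return {t: combined_confidence(cs) for t, cs in by_type.items()}


if __name__ == "__main__":
    for level in SENSITIVITY:
        acted = [r["summary"] for r in triage(SAMPLE_EVENTS, level) if r["action"] == "close"]
        print(f"{level:8s} -> {len(acted)} of {len(SAMPLE_EVENTS)} events acted on")
    print(corroborate(SAMPLE_EVENTS))
```

Running it shows the practical difference between levels: at Lenient (0.9) only the two 0.95 library/class detections are acted on, while the 0.8 Substrate library hit and the 0.7 Frida port hit are ignored on their own; at Normal and Strict all five are acted on. corroborate() shows why the SDK lists several techniques per framework: three Frida signals of 0.95, 0.8 and 0.7 together leave very little room for a miss even though two of them would not clear the Lenient threshold alone.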

