Detection Techniques for Xposed Installer and Cydia Substrate on Android

Background: Data has become a critical production material in the 21st century, leading to fierce competition and the emergence of gray‑market tools such as data brokers, crawlers, and cheat software. With the rise of mobile Internet, these threats have shifted from web pages to Android apps, where frameworks like Xposed Installer and Cydia Substrate are used to hook app functions.

Xposed Installer – Principle

Android apps are spawned by the Zygote process, which clones a Dalvik/ART VM instance for each new app. After Zygote forks, the XposedBridge.jar can be loaded into every app process. The installer replaces the system app_process and uses Java reflection to override built‑in methods, enabling method hooking.

Hook and Replace

During system startup, Zygote loads XposedBridge.jar and redirects target methods to a native stub hookMethodNative. This stub changes the method’s definition to native and points it to a handler ( xposedCallHandler) which eventually calls handleHookedMethod. The handler looks up a global hookedMethodCallbacks structure to invoke the before/after callbacks of each module. The execution order is:

A.before → B.before → original method → B.after → A.after

.

Detection – Java Layer

Typical Java‑level checks include:

1. Querying the installed package list via PackageManager to see if de.robv.android.xposed.installer is present.

PackageManager pm = context.getPackageManager();
List<ApplicationInfo> apps = pm.getInstalledApplications(PackageManager.GET_META_DATA);
for (ApplicationInfo info : apps) {
    if (info.packageName.equals("de.robv.android.xposed.installer")) {
        // Xposed detected
    }
}

2. Generating a synthetic exception and scanning its stack trace for Xposed‑related class or method names.

try {
    throw new Exception("test");
} catch (Exception e) {
    for (StackTraceElement el : e.getStackTrace()) {
        // inspect el.getClassName() / el.getMethodName()
    }
}

3. Checking whether critical Java methods have been turned into native JNI methods via Modifier.isNative(method.getModifiers()).

4. Reflectively reading fields of the XposedHelper class (e.g., methodCache, fieldCache) to find suspicious entries.

boolean methodCache = CheckHook(clsXposedHelper, "methodCache", keyword);

private static boolean CheckHook(Object cls, String fieldName, String str) {
    // ... reflectively obtain the field and examine its keys ...
}

Detection – Native Layer

Because Xposed can bypass Java checks, native verification is required. The app’s loaded libraries are listed in /proc/self/maps. Scanning this file for entries such as XposedBridge.jar, related .dex, .jar, or .so files reveals the presence of Xposed.

bool is_xposed() {
    FILE *fp = fopen("/proc/self/maps", "r");
    // read lines and look for "XposedBridge.jar"
}

Cydia Substrate – Principle

Cydia Substrate injects hooks via native libraries libsubstrate.so and libsubstrate-dvm.so. Detection mainly relies on native analysis of the process’s memory maps.

Detection Methods for Substrate

1. Dynamic loading detection: read /proc/self/maps and look for libsubstrate.so or libsubstrate-dvm.so. If found, attempt to load the library and resolve the exported function MSJavaHookMethod to confirm malicious injection.

void* lookup_symbol(char* library, char* symbol) {
    void* handle = dlopen(library, RTLD_GLOBAL | RTLD_NOW);
    if (handle) return dlsym(handle, symbol);
    return NULL;
}

2. Signature‑based detection: extract a unique opcode pattern from a known Substrate function (e.g., OpcodeSample) and compare it against the raw bytes of loaded libraries.

#define LOGD(fmt, args...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, fmt, ##args)
void OpcodeSample(int a, int b) {
    int c = a + b;
    LOGD("c=%d", c);
}

Sample signature strings such as "03 20 31 46 42 46 FF F7 ?? EA" and longer patterns are used for fuzzy matching.

Summary

The article presents practical Java‑ and native‑level detection techniques for two prevalent Android hooking frameworks—Xposed Installer and Cydia Substrate. While these methods improve app security, they are only part of a broader defense strategy that should include code hardening, server‑side verification, and a comprehensive security‑in‑depth architecture.