Step-by-Step Guide to Using Xposed for Hooking Android Apps and Modifying the IMEI
This tutorial explains how to set up the Xposed framework on a rooted Android device, create a hook module that intercepts the IMEI-retrieving method, and compile and install the module. It closes with other uses of Xposed, such as data masking and ad removal.
1. Background
Xposed is familiar to many Android security and reverse-engineering practitioners, who often use it to analyze and intercept app functions. This article uses Xposed to modify the IMEI an app sees as a simple introductory example, shows how to write a custom hook module, and mentions other application scenarios.
2. Environment Requirements
Phone system: Android 4.4.4-8.0
Phone environment: must be rooted
Test environment: Nexus 6P (Android 7.1.2)
3. Required Files for Xposed Environment Configuration
Third-party recovery: twrp-3.2.1-1-hammerhead.img
Root manager: SR5-SuperSU-v2.82-SR5-20171001224502.zip
Xposed framework: xposed-v89-sdk25-arm64.zip
Hook module manager APK: XposedInstaller_3.1.4.apk
4. Installing the Xposed Framework
4·1 Flash Third‑Party Recovery (twrp)
Download the appropriate TWRP image for your device from https://twrp.me/Devices/, push it to the phone’s sdcard root, then execute:
adb reboot bootloader
fastboot flash recovery twrp-3.2.1-1-hammerhead.img
# Do not reboot; select recovery mode directly with the volume keys
After flashing, the TWRP interface appears.
4·2 Flash Xposed Framework
In TWRP, choose Install and select xposed-v89-sdk25-arm64.zip.
4·3 Install Root Management Tool
Push SR5-SuperSU-v2.82-SR5-20171001224502.zip to the sdcard root and flash it the same way.
4·4 Install Xposed Installer
Install via ADB: adb install XposedInstaller_3.1.4.apk
5. Writing the Hook Module
After the environment is ready, create a hook module to alter the Device Id app’s IMEI.
5·1 Create an Empty Android Project
5·2 Add Meta‑Data to AndroidManifest.xml
5·3 Import Xposed API Library
Copy XposedBridgeApi.jar to app/libs and add it via build.gradle.
5·4 Write the Hook Entry Class (MainHook)
5·5 Configure the Hook Module Entry
Create assets/xposed_init under app/src/main/ and place the fully‑qualified name of the entry class.
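The module configuration from steps 5·2 to 5·5, written out as an added example (not the original article's files). The package and class names come from the hook code in section 6·2; the label, the description text and the xposedminversion value 82 are assumptions.

```xml
<!-- app/src/main/AndroidManifest.xml (step 5·2) -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.phone.fakeimei">

    <!-- Label is a constructed value -->
    <application android:label="fakeimei">

        <!-- Marks this APK as an Xposed module so Xposed Installer lists it -->
        <meta-data
            android:name="xposedmodule"
            android:value="true" />

        <!-- Text shown under the module name in Xposed Installer (constructed) -->
        <meta-data
            android:name="xposeddescription"
            android:value="Test module: replaces the IMEI shown by Device Id" />

        <!-- Lowest XposedBridge API version the module accepts. 82 is an
             assumed value; set it to the version of the API jar in app/libs -->
        <meta-data
            android:name="xposedminversion"
            android:value="82" />
    </application>
</manifest>

<!-- Step 5·3, app/build.gradle: reference the API jar as compile-only so it is
     NOT packaged into the APK (the framework supplies these classes at runtime):
         dependencies { compileOnly files('libs/XposedBridgeApi.jar') }
     Step 5·5, app/src/main/assets/xposed_init holds exactly one line:
         com.phone.fakeimei.MainHook
-->
```

If the API jar is bundled into the APK instead of being compile-only, the module's copy of the Xposed classes conflicts with the framework's and the hook does not load.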
6. Implementing the Hook Code
6·1 Locate the Target Method
The target is the method that returns the IMEI; reverse engineering the app shows it is acr.c(Context).
6·2 Complete Hook Code
    package com.phone.fakeimei;

    import android.content.Context;
    import android.util.Log;

    import de.robv.android.xposed.IXposedHookLoadPackage;
    import de.robv.android.xposed.XC_MethodHook;
    import de.robv.android.xposed.XposedHelpers;
    import de.robv.android.xposed.callbacks.XC_LoadPackage;

    public class MainHook implements IXposedHookLoadPackage {
        private static final String TAG = "fakeimei";
        // Only hook the target app "Device Id"
        public static String needHookApp = "com.evozi.deviceid";

        @Override
        public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
            // Called for every app process that starts; ignore everything except the target
            if (!loadPackageParam.packageName.equals(needHookApp)) {
                return;
            }
            Log.d(TAG, "Found target app: " + loadPackageParam.packageName);
            // "acr" is the class name found by reverse engineering (section 6·1);
            // findClassIfExists returns null instead of throwing when it is absent
            Class<?> acrClazz = XposedHelpers.findClassIfExists("acr", loadPackageParam.classLoader);
            if (acrClazz != null) {
                Log.d(TAG, "Found target class: " + acrClazz.getSimpleName());
                XposedHelpers.findAndHookMethod(acrClazz, "c", Context.class, new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        super.beforeHookedMethod(param);
                        // Modify arguments if needed
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        super.afterHookedMethod(param);
                        String realImei = (String) param.getResult();
                        String fakeImei = "123456789";
                        Log.d(TAG, "Real IMEI: " + realImei + ", Fake IMEI: " + fakeImei);
                        // Replace the value the caller receives
                        param.setResult(fakeImei);
                    }
                });
            }
        }
    }
6·3 Build and Deploy the Hook Module
Compile the project into an APK, enable the module in Xposed Installer, and reboot the device (soft reboot may not work on Android 7.0).
7. Hook Effect After Module Activation
8. Other Applications of Xposed
Xposed can be used for many purposes beyond IMEI spoofing, such as protecting personal privacy by returning fake data for sensitive APIs, enabling “one‑click new device” tricks for gray‑market activities, and automating ad removal or simulated clicks in various apps.
8·1 Protect Personal Privacy
Hook APIs that expose phone number, contacts, call logs, or SMS content to return empty or dummy values, thereby preventing unwanted advertising or spam.
8·2 Gray‑Market “One‑Click New Device”
Combine Xposed with device‑simulation plugins to make a single phone appear as many distinct devices, a technique used by “sheep‑farming” groups to harvest e‑commerce subsidies.
8·3 Ad Removal and Automated Interaction
Use Xposed to block ads, simulate clicks, or automate reward‑based actions in various applications.
END
Qunar Tech Salon
Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.