New Android Attack Uses LSPosed Framework to Bypass Mobile Payment Security
CloudSEK researchers have uncovered an Android attack technique that uses the LSPosed framework to manipulate the runtime environment, enabling attackers to hijack payment apps without modifying their code or triggering Google Play Protect.

CloudSEK researchers have identified a novel Android attack technique that manipulates the runtime environment rather than modifying applications, allowing attackers to bypass mobile payment security without altering app code or triggering standard security checks.
The method uses LSPosed, an Xposed-compatible framework that runs on rooted devices and hooks Java methods at runtime inside system and app processes, so that malicious modules can intercept and alter calls between apps and the Android framework. This differs from earlier attacks that relied on repackaged APKs: the installed app is untouched, so its signature still verifies and APK-scanning protections such as Google Play Protect have nothing to flag.
The technique has been linked to a module known as 'Digital Lutera,' which hooks Android telephony and SMS APIs to intercept SMS messages, spoof device identities, and extract two-factor authentication (2FA) codes in real time. At the center of the attack is the breakdown of SIM-binding, a control used in mobile payment systems that is meant to tie a bank account to a specific SIM card (phone number) and the device it is installed in.
Attackers undermine this mechanism by intercepting SMS verification tokens, spoofing the device's phone number through hooked system APIs, injecting fake SMS records into the device's SMS database, and coordinating both devices through a real-time command-and-control server. By combining a compromised victim device with a manipulated attacker device, fraudsters can make bank servers believe the victim's SIM is present in the attacker's handset, allowing unauthorized account access and transaction approvals.
CloudSEK noted that this method has a substantial impact, enabling real-time fraud orchestration and scalable account takeovers. Attackers can reset payment PINs and transfer funds without the victim's awareness. Activity linked to the operation has also been observed on Telegram, where attackers appear to share intercepted login data and coordinate access attempts. One channel analyzed during the research contained more than 500 login-related messages, indicating the technique is already being used in active campaigns.
The attack also exposes weaknesses in existing trust models. Banks often treat SMS headers and device-reported signals (such as the phone number read from the SIM) as proof of authenticity, and these are exactly the values a runtime hook can forge. Additionally, the use of persistent system-level modules makes detection and removal difficult: even reinstalling affected apps does not eliminate the threat, because the malicious hooks live in the framework layer of the operating system rather than in the app.
To mitigate risks, experts recommend stronger integrity checks, including hardware-backed verification of device integrity and stricter backend validation of SMS delivery. Moving away from device-reported data toward carrier-level confirmation is also seen as critical in countering this evolving threat.
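The trust-model problem described above, as an added example that is not CloudSEK's or the article's code: a weak SIM-binding check that accepts the phone number and inbox contents the handset reports (both forgeable by a runtime hook), beside a hardened check that keeps the expected one-time code server-side, sends it only to the number on record, and requires the response to be signed with a key enrolled for the account's device. The class and function names are hypothetical, the account data is constructed, and an HMAC over a per-device secret stands in for a hardware-backed attested key.

```python
"""Added example: device-reported SIM-binding versus server-side, key-bound binding.
Not the article's or CloudSEK's code. HMAC with a per-device secret is a constructed
stand-in for a hardware-backed key; all account data below is made up."""
import hashlib
import hmac
import secrets
import time


class WeakSimBinding:
    """Trusts two things the app read on the device: the MSISDN from the SIM
    and the presence of a bank SMS in the inbox. A hook can return any MSISDN
    and an injected SMS record satisfies the inbox check, so this proves nothing."""

    def __init__(self, accounts):
        self.accounts = accounts  # account_id -> MSISDN on record

    def bind(self, account_id, reported_msisdn, reported_inbox):
        bank_sms_seen = any(msg["sender"] == "BANK" for msg in reported_inbox)
        return self.accounts.get(account_id) == reported_msisdn and bank_sms_seen


class HardenedSimBinding:
    """Server issues the OTP to the MSISDN on record, remembers it, and accepts a
    binding only when the OTP and nonce come back signed with the device key
    enrolled for that account. Nothing the handset asserts about itself is used."""

    TTL = 120  # seconds an issued challenge stays valid

    def __init__(self, accounts, device_keys):
        self.accounts = accounts        # account_id -> MSISDN on record
        self.device_keys = device_keys  # account_id -> enrolled device key (bytes)
        self.pending = {}               # account_id -> (otp, nonce, issued_at)

    def issue(self, account_id, now=None):
        issued_at = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"
        nonce = secrets.token_hex(16)
        self.pending[account_id] = (otp, nonce, issued_at)
        # In production the OTP goes out by SMS to self.accounts[account_id] only;
        # it is returned here so the demo can simulate delivery to the handset.
        return otp, nonce

    @staticmethod
    def sign(device_key, account_id, otp, nonce):
        msg = f"{account_id}|{otp}|{nonce}".encode()
        return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

    def verify(self, account_id, otp, nonce, signature, now=None):
        record = self.pending.get(account_id)
        if record is None:
            return False
        exp_otp, exp_nonce, issued_at = record
        if (time.time() if now is None else now) - issued_at > self.TTL:
            del self.pending[account_id]
            return False
        expected_sig = self.sign(self.device_keys[account_id], account_id, exp_otp, exp_nonce)
        ok = (hmac.compare_digest(otp, exp_otp)
              and hmac.compare_digest(nonce, exp_nonce)
              and hmac.compare_digest(signature, expected_sig))
        if ok:
            del self.pending[account_id]  # single use: a relayed code cannot be replayed
        return ok


def scenario():
    """Constructed scenario: the attacker knows the victim's number and, through
    hooks on the victim's handset, learns the OTP. The attacker's device can spoof
    the MSISDN and inject a fake inbox record but holds no enrolled device key."""
    accounts = {"acct-1": "+15555550100"}
    victim_key = secrets.token_bytes(32)
    attacker_key = secrets.token_bytes(32)

    weak = WeakSimBinding(accounts)
    injected_inbox = [{"sender": "BANK", "body": "Your code is 123456"}]
    weak_accepts_spoof = weak.bind("acct-1", "+15555550100", injected_inbox)

    hard = HardenedSimBinding(accounts, {"acct-1": victim_key})
    otp, nonce = hard.issue("acct-1")  # delivered to the victim SIM, relayed to attacker
    attacker_sig = HardenedSimBinding.sign(attacker_key, "acct-1", otp, nonce)
    hard_accepts_attacker = hard.verify("acct-1", otp, nonce, attacker_sig)

    victim_sig = HardenedSimBinding.sign(victim_key, "acct-1", otp, nonce)
    hard_accepts_victim = hard.verify("acct-1", otp, nonce, victim_sig)
    hard_accepts_replay = hard.verify("acct-1", otp, nonce, victim_sig)
    return weak_accepts_spoof, hard_accepts_attacker, hard_accepts_victim, hard_accepts_replay


if __name__ == "__main__":
    print(scenario())
```

The hardened path never reads the device's phone number or SMS history, so spoofing `getLine1Number` or injecting inbox rows buys the attacker nothing; the relayed OTP alone fails without the enrolled key, and a used challenge cannot be replayed. With a real hardware-backed key, the rooted handset running the hooking framework would additionally fail strong device-integrity attestation, which is the hardware-based verification the article calls for.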