Android OS-level manipulation enables bypass of mobile payment security controls via system API abuse
Summary
An Android runtime manipulation technique leveraging the LSPosed framework has been disclosed, enabling attackers to intercept, spoof, or inject data at the OS level to bypass mobile payment protections such as SMS-based 2FA, SIM-binding, and app integrity checks. The attack targets legitimate payment apps without code modification, retaining valid signatures and evading Google Play Protect. Malicious modules like "Digital Lutera" hook system APIs to intercept SMS 2FA tokens, spoof device identities, and manipulate device databases in real time. By combining a compromised victim device with a manipulated attacker-controlled device, fraudsters exploit weakened SIM-binding and backend trust models to authorize unauthorized transactions and reset payment PINs without user awareness.
Timeline
- 17.03.2026 18:30 · 1 article
Android system-level manipulation via LSPosed enables real-time bypass of mobile payment security controls
A new Android runtime manipulation technique using the LSPosed framework allows attackers to intercept, spoof, or inject data at the OS level, bypassing app integrity checks, Google Play Protect, and SMS-based 2FA. The method exploits system APIs to manipulate SMS delivery, device identity, and device databases in real time, undermining SIM-binding and backend trust models used by financial institutions. Malicious modules such as "Digital Lutera" are deployed to enable account takeovers, PIN resets, and unauthorized transactions without user awareness.
- Android OS-Level Attack Bypasses Mobile Payment Security — www.infosecurity-magazine.com — 17.03.2026 18:30
Information Snippets
- Attack vector uses LSPosed framework to inject malicious modules into Android runtime, enabling OS-level interception of app-to-system communications without modifying application code or APKs.
First reported: 17.03.2026 18:30 · 1 source, 1 article
- Android OS-Level Attack Bypasses Mobile Payment Security — www.infosecurity-magazine.com — 17.03.2026 18:30
- Malicious module "Digital Lutera" targets Android APIs to intercept SMS 2FA tokens, spoof phone numbers via system APIs, and inject fake SMS records into device databases in real time.
First reported: 17.03.2026 18:30 · 1 source, 1 article
- Android OS-Level Attack Bypasses Mobile Payment Security — www.infosecurity-magazine.com — 17.03.2026 18:30
- Technique undermines SIM-binding, a security control that ties bank accounts to a physical SIM and device, by manipulating SMS verification tokens and device signals.
First reported: 17.03.2026 18:30 · 1 source, 1 article
- Android OS-Level Attack Bypasses Mobile Payment Security — www.infosecurity-magazine.com — 17.03.2026 18:30
- Fraudsters coordinate actions via real-time command servers and exploit a victim device alongside a manipulated attacker device to trick bank servers into believing the victim’s SIM is present elsewhere.
First reported: 17.03.2026 18:30 · 1 source, 1 article
- Android OS-Level Attack Bypasses Mobile Payment Security — www.infosecurity-magazine.com — 17.03.2026 18:30
- Attack enables scalable account takeovers, including PIN resets and unauthorized fund transfers, without victim awareness; activity observed on Telegram channels with over 500 login-related messages.
First reported: 17.03.2026 18:30 · 1 source, 1 article
- Android OS-Level Attack Bypasses Mobile Payment Security — www.infosecurity-magazine.com — 17.03.2026 18:30
- Detection is difficult due to persistent system-level hooks; reinstalling apps does not remove the threat as malicious modules remain active in the OS.
First reported: 17.03.2026 18:30 · 1 source, 1 article
- Android OS-Level Attack Bypasses Mobile Payment Security — www.infosecurity-magazine.com — 17.03.2026 18:30
- Mitigations proposed include hardware-based integrity checks, stricter backend validation of SMS delivery, and reliance on carrier-level confirmation instead of device-reported data.
First reported: 17.03.2026 18:30 · 1 source, 1 article
- Android OS-Level Attack Bypasses Mobile Payment Security — www.infosecurity-magazine.com — 17.03.2026 18:30