A new Android attack technique identified by CloudSEK researchers manipulates the runtime environment rather than modifying apps, using the LSPosed framework to interfere with system‑level processes and hijack legitimate payment apps without changing their code or triggering standard security checks.
The method targets the underlying operating system, enabling malicious modules to intercept and alter communications between apps and the device, so app signatures stay valid and protections such as Google Play Protect are bypassed. The technique has been linked to a module known as "Digital Lutera," which exploits Android APIs to intercept SMS messages, spoof device identities and extract real-time two-factor authentication data.
At the centre of the attack is the breakdown of SIM‑binding, a security feature used in mobile payments, with attackers intercepting SMS verification tokens, spoofing phone numbers, injecting fake SMS records and coordinating actions via real‑time command servers. CloudSEK noted that this enables real-time fraud orchestration and scalable account takeovers, including the ability to reset payment PINs and transfer funds without the victim’s awareness, with activity observed on Telegram.
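As an added, illustrative defender-side check (not code from CloudSEK, the article, or any payment app), the following Android Java snippet looks for runtime signals of the Xposed API that LSPosed modules build on. The class names are the public Xposed API, the jar path is the classic Xposed artefact, and treating the combined result as a telemetry signal rather than a blocking decision is an assumption about how a payment app would use it.

```java
// Added example, not from the article: in-app signals of Xposed/LSPosed hooking.
// A positive result is a risk signal to report to the backend alongside the
// SIM-binding check, not proof of compromise; LSPosed can hide several of these
// indicators, so a negative result proves nothing and server-side checks remain essential.
import java.io.File;

public final class HookingSignals {

    // Public Xposed API class names that LSPosed modules use to install hooks.
    private static final String[] XPOSED_MARKERS = {
        "de.robv.android.xposed.XposedBridge",
        "de.robv.android.xposed.XC_MethodHook"
    };

    // Classic Xposed artefact; LSPosed usually does not install it, so absence means little.
    private static final String XPOSED_JAR = "/system/framework/XposedBridge.jar";

    private HookingSignals() {}

    /** True if an Xposed-family frame appears in the given stack trace. Only meaningful
     *  when captured inside a method an attacker would want to hook, e.g. the code path
     *  that receives the SMS verification token or handles the PIN-reset flow. */
    public static boolean stackTraceHasXposedFrame(StackTraceElement[] frames) {
        for (StackTraceElement frame : frames) {
            for (String marker : XPOSED_MARKERS) {
                if (frame.getClassName().startsWith(marker)) return true;
            }
        }
        return false;
    }

    /** True if the Xposed API classes are loadable from the app's own class loader
     *  (typical of classic Xposed; LSPosed normally keeps them out of the app loader). */
    public static boolean xposedClassesLoadable(ClassLoader loader) {
        try {
            Class.forName(XPOSED_MARKERS[0], false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError ignored) {
            return false;
        }
    }

    /** Combine the signals; call this from the sensitive path and attach the result
     *  to the transaction telemetry sent to the backend (assumed usage). */
    public static boolean anySignal(ClassLoader loader) {
        return stackTraceHasXposedFrame(Thread.currentThread().getStackTrace())
            || xposedClassesLoadable(loader)
            || new File(XPOSED_JAR).exists();
    }
}
```

Because the attack described above leaves app signatures intact, the backend should weigh this signal together with device-identity and SIM-binding consistency rather than relying on client-side integrity alone.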