Android OS-Level Attack Bypasses Mobile Payment Security


A new Android attack technique that manipulates the runtime environment instead of modifying applications has been identified.

The method, discovered by CloudSEK researchers, uses the LSPosed framework (an Xposed-compatible hooking framework that requires a rooted device) to hook methods inside app and system processes at runtime, allowing attackers to hijack legitimate payment apps without altering their code on disk or triggering the apps' standard integrity checks.

This approach differs from earlier attacks that relied on repackaged APKs. Instead, it targets the underlying operating system, enabling malicious modules to intercept and alter the calls an app makes into the Android framework. Because the installed APK is untouched, its signature remains valid and protections such as Google Play Protect, which scan the apps themselves, have nothing to flag.

The technique has been linked to a module known as "Digital Lutera," which abuses Android telephony APIs to intercept SMS messages, spoof device identities and extract two-factor authentication (2FA) data in real time.

Exploiting SIM-Binding and System APIs

At the centre of the attack is the breakdown of SIM-binding, a key security feature used in mobile payment systems. This process typically ensures that a bank account is tied to a physical SIM card and device, with the app proving to the bank that the SIM for the registered number is present in the handset.

Attackers undermine this mechanism by:

  • Intercepting SMS verification tokens on the victim's device

  • Spoofing the phone number by hooking the system APIs the app reads it from

  • Injecting fake SMS records into the device's SMS database, so the app reads messages that were never delivered

  • Using real-time command servers to coordinate actions between the devices involved

By combining a compromised victim device with a manipulated attacker device, fraudsters can trick bank servers into believing the victim's SIM is present in the attacker's handset. This allows unauthorised account access and transaction approvals.


Large-Scale Fraud Risk

CloudSEK noted that this method has a substantial impact. It enables real-time fraud orchestration and scalable account takeovers, with attackers able to reset payment PINs and transfer funds without the victim's awareness.

Activity linked to the operation has also been observed on Telegram, where attackers appear to share intercepted login data and coordinate access attempts. One channel analyzed during the research contained more than 500 login-related messages, indicating the technique is already being used in active campaigns.

The attack also exposes weaknesses in existing trust models. Banks often treat SMS headers and device-reported signals, such as the phone number an app reads from the operating system, as proof of authenticity; this method breaks exactly those assumptions.

Additionally, the use of persistent system-level modules makes detection and removal difficult. Even reinstalling affected apps does not eliminate the threat, as the malicious hooks remain active within the operating system.

To mitigate risks, experts recommend stronger integrity checks, including hardware-based verification and stricter backend validation of SMS delivery. Moving away from device-reported data toward carrier-level confirmation is also seen as critical in countering this evolving threat.
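To make the trust-model difference concrete, the following is a constructed Python model (an added example, not code from the article, from CloudSEK, or from any bank's real protocol) of the attack described in the SIM-binding section above, run against two verifiers: one that accepts the phone number and OTP the handset reports about itself, and one that accepts only the originating number the carrier network stamped on an SMS the handset had to send, together with a server-issued single-use nonce. The account identifier, phone numbers, message format and the command-and-control relay are all assumptions made for illustration.

```python
"""Constructed model of two SIM-binding verifiers (added example, not code from
the article or from CloudSEK). The weak verifier trusts what the handset reports
about itself; the hardened one trusts only what the carrier network stamped on a
message the handset had to originate."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class CarrierInboundSms:
    """A binding SMS as the carrier or aggregator hands it to the bank's shortcode.
    originating_msisdn is set by the network, so hooking the handset cannot change it."""
    originating_msisdn: str
    body: str


class Bank:
    def __init__(self) -> None:
        self.enrolled: dict[str, str] = {}               # account -> registered MSISDN
        self.otps: dict[str, str] = {}                   # account -> OTP last sent by SMS
        self.nonces: dict[str, tuple[str, float]] = {}   # account -> (nonce, expiry)

    def enroll(self, account: str, msisdn: str) -> None:
        self.enrolled[account] = msisdn

    # --- weak scheme: trusts device-reported data -------------------------
    def send_otp(self, account: str) -> str:
        """Sends a 6-digit OTP to the registered MSISDN. Returned here only so the
        simulation can model the victim's handset receiving it."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[account] = otp
        return otp

    def weak_bind(self, account: str, reported_msisdn: str, otp: str) -> bool:
        """Checks the number the app read from getLine1Number() and the OTP the app
        says it found in the inbox. Both are ordinary method results that a hooking
        module can replace, and neither proves which SIM is physically present."""
        expected = self.otps.pop(account, "")
        return reported_msisdn == self.enrolled.get(account) and hmac.compare_digest(otp, expected)

    # --- hardened scheme: carrier-stamped origin of a device-sent SMS -----
    def issue_nonce(self, account: str, ttl: float = 120.0) -> str:
        nonce = secrets.token_hex(8)
        self.nonces[account] = (nonce, time.time() + ttl)
        return nonce

    def hardened_bind(self, account: str, sms: CarrierInboundSms) -> bool:
        """Accepts only if the network says the SMS came from the registered SIM and
        the body carries the live, single-use nonce issued for this account.
        Nothing the handset reports about itself is consulted."""
        pending = self.nonces.get(account)
        if pending is None or sms.originating_msisdn != self.enrolled.get(account):
            return False            # attacker's own SIM: the network stamps the attacker's number
        nonce, expiry = pending
        parts = sms.body.split()
        if len(parts) != 2 or parts[0] != "BIND" or time.time() > expiry:
            return False
        del self.nonces[account]    # single use: a replayed or second attempt fails
        return hmac.compare_digest(parts[1], nonce)


def run_scenarios() -> dict[str, bool]:
    """Constructed scenario: one victim SIM, one attacker SIM, one bank account."""
    victim, attacker = "+919900000001", "+919900000002"   # constructed numbers
    bank = Bank()
    bank.enroll("acct-1", victim)
    out: dict[str, bool] = {}

    # Weak scheme. The OTP is delivered to the victim's SIM; a module on the
    # victim's phone reads it and relays it over the C2 channel. The attacker's
    # phone reports the victim's number through a hooked getLine1Number().
    out["weak_legit"] = bank.weak_bind("acct-1", victim, bank.send_otp("acct-1"))
    relayed_otp = bank.send_otp("acct-1")
    out["weak_relay_attack"] = bank.weak_bind("acct-1", victim, relayed_otp)

    # Hardened scheme. The handset must originate an SMS to the bank's shortcode;
    # the network stamps the true MSISDN of whichever SIM actually sent it.
    nonce = bank.issue_nonce("acct-1")
    legit_sms = CarrierInboundSms(victim, f"BIND {nonce}")
    out["hardened_legit"] = bank.hardened_bind("acct-1", legit_sms)
    out["hardened_replay"] = bank.hardened_bind("acct-1", legit_sms)   # nonce already consumed

    # Same nonce relayed to the attacker's phone, which sends the SMS from its own
    # SIM while reporting the victim's number to the app.
    nonce = bank.issue_nonce("acct-1")
    forged_sms = CarrierInboundSms(attacker, f"BIND {nonce}")
    out["hardened_spoofed_number"] = bank.hardened_bind("acct-1", forged_sms)
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} -> {'BOUND' if ok else 'REJECTED'}")
```

The weak verifier binds the attacker's handset because every input it checks was produced by the handset; the hardened verifier rejects it because the carrier, not the handset, names the sending SIM. Origin checking defeats the specific trick described here, an attacker device posing as the victim's SIM through hooked APIs and injected inbox records. It does not, by itself, stop a module that can also send SMS from the victim's own handset on command; that is where the hardware-based device verification the researchers recommend has to carry the remaining weight.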

What’s Hot on Infosecurity Magazine?