A newly identified Android attack technique that alters the operating environment rather than modifying applications has raised fresh concerns over the resilience of mobile payment systems, with researchers warning that conventional app-level protections may no longer be sufficient.
Security analysts at CloudSEK have detailed a method that uses LSPosed, a runtime hooking framework, to change how Android apps behave while they run. Instead of injecting malicious code into a banking or payment app's package, the framework loads a module into the app's process at launch and hooks selected methods there, so an attacker can intercept and alter sensitive operations without leaving any trace in the app's files.
The approach marks a shift from how financial malware has traditionally worked: repackaging legitimate apps or deploying overlay attacks to trick users into entering credentials. By controlling the runtime environment instead, attackers can neutralise the security mechanisms embedded in the apps, including root detection, anti-tampering controls, and transaction verification checks, because those checks execute inside the very process the attacker hooks.
Researchers say the technique abuses the same hooking frameworks that developers and enthusiasts use for system-level customisation on rooted devices. LSPosed, a modern implementation of the Xposed API, lets a module hook Java methods in a running app process: the module's code runs before or after the original method and can read or rewrite its arguments and return value. In this case, a malicious module can intercept payment flows, manipulate transaction data, or extract sensitive information such as authentication tokens and one-time passwords.
CloudSEK's findings indicate that the attack needs privileged access: LSPosed is installed through a root solution such as Magisk, so the target is either a device its owner rooted or one whose protections were stripped by a prior compromise. Once installed, a malicious module can remain persistent and operate silently, and antivirus tools that look for anomalies in the app itself have little to find.
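To make the hooking mechanism concrete, the following is an added example of a minimal Xposed-API module of the kind LSPosed loads into an app process. It is not code from CloudSEK's research or from the LSPosed project. The target package `com.example.bank`, its class `com.example.bank.SecurityChecks`, and the methods `isDeviceRooted()` and `verifyTransaction(String, long)` are all hypothetical; the Xposed API calls (`findAndHookMethod`, `XC_MethodReplacement.returnConstant`, `XC_MethodHook`) are the real ones. A module like this is packaged as an ordinary APK whose `assets/xposed_init` file names the entry class; the target app's APK is never touched.

```java
// Added example, not the page's or the project's code. Targets a hypothetical
// banking app "com.example.bank" with a hypothetical class
// com.example.bank.SecurityChecks exposing isDeviceRooted() and
// verifyTransaction(String payee, long amountMinor). The hooks exist only in the
// app process's memory; nothing on disk changes, so APK signature and checksum
// checks still pass.
package com.example.hookdemo;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class RuntimeHookDemo implements IXposedHookLoadPackage {

    private static final String TARGET_PACKAGE = "com.example.bank";              // hypothetical
    private static final String CHECKS_CLASS = "com.example.bank.SecurityChecks"; // hypothetical

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // The framework invokes this in every app process it is injected into;
        // only the target process is of interest here.
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }

        // 1. Alter a method's output. Whatever isDeviceRooted() would compute,
        //    every caller now receives "false"; the original body never runs.
        //    This is how an app's own root detection is made to report a clean device.
        XposedHelpers.findAndHookMethod(
                CHECKS_CLASS, lpparam.classLoader, "isDeviceRooted",
                XC_MethodReplacement.returnConstant(false));

        // 2. Observe a method's arguments and result. The before-hook sees the
        //    payee and amount the user approved; the after-hook sees the verdict.
        //    param.args and param.setResult(...) are the points at which a
        //    malicious module would rewrite transaction data; this example only logs.
        XposedHelpers.findAndHookMethod(
                CHECKS_CLASS, lpparam.classLoader, "verifyTransaction",
                String.class, long.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        String payee = (String) param.args[0];
                        Long amountMinor = (Long) param.args[1];
                        XposedBridge.log("verifyTransaction(" + payee + ", " + amountMinor + ")");
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        XposedBridge.log("verifyTransaction returned " + param.getResult());
                    }
                });
    }
}
```

The point for a defender is in the first hook: the app's root check is compiled into the APK unchanged, its signature still verifies, and yet its result is whatever the module decides. Any client-side check, including the one that is supposed to detect this environment, is a method that can be hooked the same way, which is why the mitigations discussed later move the trust decision off the device.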
Cybersecurity experts note that the implications extend beyond individual users to financial institutions and payment platforms that rely heavily on app-based security controls. Many banking applications incorporate runtime integrity checks and encryption safeguards, but these defences assume the underlying operating system remains trustworthy. By subverting that assumption, attackers gain a strategic advantage.
Industry observers highlight that the method could be used to carry out unauthorised transactions, redirect payments, or harvest credentials at scale. While no widespread exploitation has been publicly confirmed, the technique demonstrates a level of sophistication consistent with organised cybercrime groups that target mobile banking ecosystems.
The development comes amid a broader rise in mobile-focused cyber threats, driven by the growing adoption of digital payments across emerging and developed markets. Smartphones have become central to financial activity, with users relying on them for banking, e-commerce, and peer-to-peer transfers. This concentration of financial data has made mobile platforms an attractive target.
Android, which dominates global smartphone market share, has long faced scrutiny over fragmentation and inconsistent security updates. Although Google has introduced measures such as Play Protect, hardware-backed key storage and attestation, and stricter app permissions, system-level attacks remain difficult to mitigate, particularly on devices that are no longer supported with regular updates.
CloudSEK researchers have emphasised that the attack does not require modifying the target application, making it harder for developers to detect or prevent using conventional techniques. Signature and checksum checks compare the APK on disk against a known-good value, and that APK is untouched; the hooks exist only in the process's memory. The check that would report a compromised environment is itself a method the module can hook, so it can be made to return a clean result.
Security professionals suggest that mitigation will require a combination of measures: device attestation whose verdict is produced and signed outside the app process, such as the Play Integrity API backed by hardware attestation of the device's verified-boot state, and verified on the server rather than trusted from the client; monitoring of runtime behaviour; and improved user awareness. Financial institutions may also need server-side anomaly detection to flag suspicious transactions that bypass client-side safeguards, since any result computed on the client can be altered by the same hooks.
The findings also underscore the risks associated with rooted devices and unofficial modifications, which can expose users to elevated threats. While rooting provides greater control over device functionality, it also removes critical security barriers designed to protect sensitive operations.
Regulators and industry bodies have been increasingly focused on strengthening mobile payment security, particularly as digital transactions expand across sectors. The emergence of system-level attack techniques may prompt a reassessment of existing standards and encourage the adoption of more robust, hardware-based protections.
Follow Arabian Post