Sending SMS And Dialing Numbers without User Consent
Sending SMS does not require context or user interaction. A simple call does the job, as shown in following Listing
SmsManager.getDefault().sendTextMessage(phoneNumber, null , message, null , null);
In order to make calls from the Javascript bridge without user consent, we can invoke the telephony service to dial numbers directly via binder, as shown in Listing 2, where phone is the remote Android telephony service and the number 2 represents the second remote call. s16 is the type marker represents “16 bit string”, and packageName is the host app’s package name, where we can obtain from the information posted from the ad libraries. The sequence number of the remote calls can be found in the corresponding Android Interface Definition Language (AIDL) files [11]. Many other Android services can be invoked in the same way, including sending SMS. . (通过逆向相应platform的classes.jar,)
Runtime.getRuntime().exec(”service call phone 2 s16 ” + packageName + ” s16 ”????? + phoneNumber);
Sending SMS And Dialing Numbers without User Consent(Context is not needed)