Behind the SMS Bombing Application
Almost everyone has used or has been a victim of SMS/Call bombing attacks.
SMS bombing or call bombing has been around for a long time now.
What is SMS Bombing?
SMS Bombing is an attack through which people use to send messages like OTPs, random texts, and calls without any restrictions to anyone. People generally use this attack to prank or to disturb their known ones.
The attacker generally uses some sort of script or application with vulnerable APIs (without rate limit) to carry out these attacks. Nowadays there are hundreds of websites/applications for SMS Bombing.
Once the attack is placed, the victim receives hundreds of messages within a minute depending upon the speed of the bomber.
What causes SMS Bombing?
Generally, the OTP APIs being used which are vulnerable to Rate Limiting attacks i.e not checking the number of OTPs being sent, are used to build these scripts or applications.
The Story
Recently I saw many posts about an SMS bombing application on multiple Facebook groups.
So I thought why not have a look into it for once?
After looking into the comments I was able found the link to download the application.
The application was called Flash Bomber.
Before running anything on my own device, why not check this on emulator?
Application was not allowing Wifi Connection.
Reversing the application
Upon looking we can get the classes and methods for the checks
Lit804 = new FString("com.google.appinventor.components.runtime.WiFiAdmin");Over-riding with frida
Similarly, it had multiple checks such as SSL Pinning, Root Check, ADB check, IsRoSecureRoKernelQemu, Emulator and Sniffer Check-
So, I used same method in frida to bypass above checks.
Now we can check the application requests through burp.
Upon starting the application it registers the device using the email ID provided by the user.
So it was saving the device information along with email to Airtable database.
Now lets start the bomber.
For starting the bomber it asks for Key which was already disclosed in groups. Key- flashop
It saves the number with the email along with time when someone starts the bomber.
What’s the point of the Anonymous messaging bombing if the app is saving your details every time you run?
Anyways, let’s continue -
Interestingly the app was fetching the saved details and the Airtable API itself didn’t have any restrictions to fetch the data.
So one can fetch all the details from the database.
The Auth Bearer token is in the App Itself .
Similarly for Device
For dumping all data, a small python script can be used for adjusting offset accordingly.
Output
Also one can easily get the API being used for SMS API as it’s saved in the app itself.
