As mentioned in https://developers.google.com/identity/sms-retriever/verify#computing_your_apps_hash_string
The valid sms OTP verification message looks like -
Your ExampleApp code is: 123ABC78
FA+9qCX9VSu
The encoded hash code FA+9qCX9VSu is being generated from app via class AppSignatureHelper and sent from app to backend to be retrieved in SMS.The OTP sms is auto read and working fine .
There are many cases in which the hashcode recieved is not what app would generate (e.g.CI427IRTSPC) and seems to be from fishy/malicious source .
Is there any way by which backend code can validate obtained hashcode ?