In AppSealing Blog

Advancements in technology and digital connectivity have brought immense benefits, but they have also paved the way for new and inventive methods of cyber-attack. Among these methods is a deceptive technique known as the Overlay Attack, more commonly referred to as a “Screen Overlay Attack” or “Clickjacking”. This attack relies on the manipulation of user interface (UI) layers on mobile devices, fooling the user into interacting with illegitimate elements that look authentic.

In this article, we are going to delve into the mechanism of this cunning cyber threat, elucidating its technique and impact on the mobile end user. 

What is an Overlay Attack? 

A Screen Overlay Attack, also known as a “Clickjacking” or “Overlay Attack,” is a sophisticated form of cyberattack that capitalizes on the manipulation of User Interface (UI) elements. The perpetrator crafts a deceptive overlay, which could be a completely transparent or visually identical screen, placed on top of a legitimate application screen on a mobile device. 

A Screen Overlay Attack is particularly deceptive because it blends in with the original application’s interface, making it extremely difficult for an unsuspecting user to notice and stop the illicit activity.

The attack technique commences with the attacker inducing the user to grant certain permissions or download a seemingly innocent application that contains the malicious code. Once installed, the attacker can trigger the malicious overlay whenever the user interacts with sensitive apps such as banking or social media applications. 

This illegitimate layer mimics the appearance and functionality of the authentic screen, deceiving the user into believing that they are interacting with the legitimate app. For example, the malicious overlay could imitate a login screen, prompting the user to enter sensitive information like usernames and passwords. Unbeknownst to the user, they are actually entering these details into the fake overlay screen, which the attacker then captures.

Types of Overlay Attacks

Data Harvesting or Input Capture

Data Harvesting or Input Capture is a specific type of Screen Overlay Attack used by cybercriminals to steal personally identifiable information (PII), transaction details, or other sensitive data. The attack focuses primarily on capturing user inputs rather than inducing unwanted clicks or permissions.

In this scenario, the attacker first employs a seemingly benign application embedded with malicious code to establish an illegitimate overlay. Let’s try to understand this.

  1. Downloading the Malicious Application: The user downloads a seemingly harmless application from the app store. The app might appear to be a game, a utility tool, or even antivirus software. However, unbeknownst to the user, this application contains malicious code that can generate an overlay screen.
  2. Granting Permissions: When the user installs and opens the app for the first time, they are asked for various permissions. One of these might be permission to ‘draw over other apps’ or similar, which the user may unknowingly grant, not realizing the implication.
  3. Detecting the Targeted Application: Once the permissions are granted, the malicious application runs in the background, monitoring activity on the device. It is programmed to detect when a targeted application, such as a banking or social media app, is launched.
  4. Initiating the Overlay: As soon as the user opens a targeted app, the malicious application swiftly creates an overlay screen that mimics the interface of the legitimate app. This overlay screen is designed to capture the user’s input.
  5. Entering User Data: The user, believing they are interacting with the genuine app, inputs sensitive information such as usernames, passwords, or credit card details. In reality, they are typing this data into the fraudulent overlay screen.
  6. Capturing and Transmitting Data: The malicious overlay captures this information as the user inputs it. It then quietly transmits the data to the attacker in the background.
  7. Accessing the Information: The attacker receives the sensitive data and can now access the user’s accounts or perform unauthorized transactions, while the user remains unaware of the breach.

This attack can be particularly harmful because it is very difficult for the average user to detect, underscoring the importance of only downloading trusted applications, closely reviewing permissions, and keeping devices updated with the latest security patches.

Mobile Malware Delivery

Mobile Malware Delivery is a nefarious method used by cybercriminals to install malicious software onto a user’s mobile device, leading to potential Screen Overlay Attacks. This strategy frequently targets Android devices, manipulating legitimate functionalities such as Accessibility Services or the ability to install applications from unknown sources.

Here is a detailed step-by-step explanation of how such an attack might unfold:

  1. Downloading the Malicious Application: Typically, the user is tricked into downloading and installing a seemingly harmless application. This can occur through phishing emails, malicious websites, or third-party app stores.
  2. Request for Accessibility Services/Unknown Sources Permission: Once installed, the malicious application prompts the user to enable Accessibility Services or the ability to install apps from unknown sources. This request often comes in the form of a deceptive overlay mimicking a legitimate app or system prompt.
  3. Granting Permissions: The user, believing they are interacting with a genuine app or system function, enables the requested permissions.
  4. Malware Delivery: With these permissions in place, the attacker can now bypass security measures and remotely install malware onto the user’s device. This malware could serve various purposes, from data harvesting to additional exploits such as Screen Overlay Attacks.
  5. Persistent Access: Notably, once Accessibility Services or Unknown Sources are enabled, they remain active until the user specifically disables them. This offers the attacker a persistently open door to deliver additional malware or execute malicious tasks.
  6. Manipulation of App Permissions: In some cases, the attacker may also trick the user into granting further app permissions through another overlay screen. The malware can then abuse these permissions for its illicit activities, enhancing its ability to compromise the device or the user’s data. 

Mobile Privilege Escalation

Mobile Privilege Escalation is a strategic maneuver employed by cybercriminals in a Screen Overlay Attack. By exploiting the trust of unsuspecting users, attackers can escalate the access privileges of a malicious application, broadening its reach on the device and its potential for damage. 

Here’s a step-by-step explanation:

  1. Downloading the Malicious App: As with similar attacks, the process begins with the user unknowingly installing a malicious application, usually disguised as a harmless or attractive app.
  2. Initiating the Overlay: When the user opens a targeted legitimate application, the malicious app initiates an overlay, closely imitating the interface of the legitimate app. The user believes they’re interacting with the genuine application.
  3. Requesting Permissions: The overlaid malicious app then prompts the user to grant certain permissions. These could include access to sensitive device functions or data like the camera, location, microphone, contact lists, SMS, and more.
  4. User Granting Permissions: Thinking they’re providing permissions to a trusted application, the user approves the request.
  5. Exploiting Permissions: Once these permissions are granted, the malicious app gains wide-ranging control over the user’s device. It can use these permissions to access sensitive data, spy on the user’s activities, or manipulate device functions.
  6. Pushing Malicious App to Foreground: In some instances, the malicious app may even hijack legitimate Android tasks, pushing itself into the foreground and further impersonating the genuine app.
  7. Further Permission Requests: In its position in the foreground, the app can request additional permissions from the user, expanding its capability to abuse the device’s resources and data.
  8. Launch of Secondary Attacks: With these permissions secured, the attacker can now launch other attacks or deploy additional malware, thereby escalating the severity of the breach.

Mobile Privilege Escalation through Screen Overlay Attacks presents a significant threat to mobile device security. It underscores the importance of careful management of app permissions, verifying app sources, and maintaining awareness of the potential dangers associated with seemingly benign applications.

Who is Affected by Overlay Attacks?

Screen Overlay Attacks predominantly affect Android devices, particularly those running older versions of the operating system. Only the most recent iteration, Oreo, has implemented robust security measures to fend off such exploits. Previous versions like Nougat have attempted to incorporate certain safeguards, but these have proven to be insufficient.

For instance, Android Nougat introduced a limitation on ‘Toast’ notifications – simple pop-up messages used by apps to display brief information – restricting them to a maximum duration of 3.5 seconds. However, a persistent attacker could circumvent this precaution by setting these notifications to appear in a continuous loop, thereby maintaining the deceptive overlay for extended periods.

Moreover, Toast notifications don’t require the same level of permissions as other types of windows on Android, offering an exploitable loophole for attackers. They can abuse this feature to overlay the entire screen, not just a small pop-up window, enhancing the illusion of authenticity.

How to Manage Overlay Attacks?

Mitigating Screen Overlay Attacks requires a comprehensive defense strategy, emphasizing endpoint protection and user behavior monitoring. The strategy could encompass the following crucial elements:

Identify and Mitigate Threats: 

The first step is to detect the presence of an Overlay Trojan or any other malicious application on the user’s device before sensitive data or functions are exposed. Utilizing advanced anti-malware software and regularly scanning for potential threats can help block these applications before they can do any harm.

Implement Robust Authentication: 

The use of solid, un-phishable authentication methods can also contribute significantly to defense efforts. For example, One-Time Password (OTP) codes should not be displayed if there’s a chance the user could be misled by a malicious overlay. The use of biometric authentication, hardware tokens, or other multi-factor authentication methods could offer enhanced security.

Monitor User Behavior: 

Monitoring anomalies in the interaction with a service can also be a key indicator of potential overlay attacks. Unusual activities that deviate from the typical behavior of a legitimate user should be flagged and investigated. These could include atypical transaction patterns, unusual login times, or interactions with unfamiliar apps or services.
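The following is an added example, written for this article and not code from AppSealing, of the kind of behaviour check the paragraph above describes. It scores session events against a per-user baseline (known devices, usual login hours, typical transfer size) and escalates a transfer that follows a login from a device the user has never used, which is the pattern a credential harvested through an overlay and replayed elsewhere tends to produce. The `Baseline`, `SessionEvent` and `Finding` types, the thresholds, and the sample events are all constructed for illustration.

```kotlin
// Added example for this article; not AppSealing's code. The baselines and
// events are constructed sample data, and the thresholds are illustrative.
import java.time.Instant
import java.time.ZoneOffset

/** What "typical" looks like for one user, derived from past sessions. */
data class Baseline(
    val userId: String,
    val knownDevices: Set<String>,
    val usualHoursUtc: IntRange,     // hours of the day the user normally logs in
    val typicalTransferCents: Long   // e.g. the median of past transfers
)

data class SessionEvent(
    val userId: String,
    val deviceId: String,
    val at: Instant,
    val action: String,              // "login" or "transfer"
    val amountCents: Long = 0
)

data class Finding(val event: SessionEvent, val reasons: List<String>)

/** Score one event against the user's baseline; null means nothing unusual. */
fun evaluate(event: SessionEvent, baseline: Baseline): Finding? {
    val reasons = mutableListOf<String>()
    val hour = event.at.atZone(ZoneOffset.UTC).hour

    if (event.deviceId !in baseline.knownDevices) {
        reasons += "device ${event.deviceId} never seen for this user"
    }
    if (hour !in baseline.usualHoursUtc) {
        reasons += "activity at $hour:00 UTC, outside usual ${baseline.usualHoursUtc}"
    }
    if (event.action == "transfer" && event.amountCents > 5 * baseline.typicalTransferCents) {
        reasons += "transfer of ${event.amountCents} cents is over 5x the typical ${baseline.typicalTransferCents}"
    }
    return if (reasons.isEmpty()) null else Finding(event, reasons)
}

/**
 * Evaluate a stream of events in time order. A lone login from an unknown
 * device is MEDIUM; a transfer from that same unknown device afterwards is
 * escalated to HIGH, because that is how a replayed, overlay-harvested
 * credential usually shows up. Everything else that deviates is LOW.
 */
fun review(events: List<SessionEvent>, baselines: Map<String, Baseline>): List<Pair<String, Finding>> {
    val out = mutableListOf<Pair<String, Finding>>()
    val unknownDeviceLogins = mutableSetOf<Pair<String, String>>() // (user, device)
    for (e in events.sortedBy { it.at }) {
        val b = baselines[e.userId] ?: continue
        val f = evaluate(e, b) ?: continue
        val severity = when {
            e.action == "login" && e.deviceId !in b.knownDevices -> {
                unknownDeviceLogins += e.userId to e.deviceId
                "MEDIUM"
            }
            e.action == "transfer" && (e.userId to e.deviceId) in unknownDeviceLogins -> "HIGH"
            else -> "LOW"
        }
        out += severity to f
    }
    return out
}

fun main() {
    // Constructed baseline: one known device, logins between 07:00 and 22:00 UTC.
    val baselines = mapOf(
        "alice" to Baseline("alice", setOf("dev-A1"), 7..22, typicalTransferCents = 4_000)
    )
    val t0 = Instant.parse("2024-03-01T21:05:00Z")
    val events = listOf(
        SessionEvent("alice", "dev-A1", t0, "login"),                             // normal
        SessionEvent("alice", "dev-A1", t0.plusSeconds(60L), "transfer", 3_500),  // normal
        SessionEvent("alice", "dev-Z9", t0.plusSeconds(6L * 3600), "login"),      // 03:05 UTC, new device
        SessionEvent("alice", "dev-Z9", t0.plusSeconds(6L * 3600 + 90), "transfer", 90_000)
    )
    for ((severity, finding) in review(events, baselines)) {
        println("[$severity] ${finding.event.userId} ${finding.event.action} at ${finding.event.at}")
        finding.reasons.forEach { println("    - $it") }
    }
}
```

The first two events produce no finding; the third is flagged as MEDIUM for the unknown device and the off-hours login, and the fourth is escalated to HIGH because the transfer comes from that device and is far above the user's typical amount. In a real deployment the baseline would be learned from history rather than hard-coded, and a HIGH finding would feed a step-up authentication or hold decision rather than just a log line.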

Can API 31 Stop Overlay Attacks?

While API 31 does offer some protection against overlay attacks, it doesn’t entirely eliminate the threat. Both developers and users should continue to adopt comprehensive security practices and remain cautious of potential threats. As with any security feature, it’s an added layer of defense rather than a standalone solution.

Android API 31, introduced with Android 12, has implemented a feature designed to safeguard mobile apps from overlay attacks. This innovation is intended to stop non-system overlays from hiding views within apps on the latest versions of Android, which is a significant step forward in terms of security.

However, to take advantage of this feature, the application’s developer needs to be using API 31 or later. They must also explicitly invoke the method “setHideOverlayWindows(true)” for every activity view they wish to protect. This can be a laborious process, particularly since not all sensitive workflows are directly controlled by the developer, making it somewhat challenging to manage.
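The Kotlin below is an added example, not AppSealing's code or a library API, showing how an app developer applies the two defences discussed on this page: the API 31 `setHideOverlayWindows(true)` call from the paragraph above, and, for the "detect before sensitive data is exposed" goal of the Identify and Mitigate Threats section, a check on every tap of a sensitive button for the flags Android sets when another window was covering the view. The layout `R.layout.activity_login`, the button `R.id.login_button` and `submitCredentials()` are hypothetical names; the manifest permission `android.permission.HIDE_OVERLAY_WINDOWS` is the real normal-level permission that `Window.setHideOverlayWindows` requires.

```kotlin
// Added example for this article; it is not AppSealing's code.
// Assumes a login screen with layout R.layout.activity_login and a button
// R.id.login_button (both hypothetical names), and that AndroidManifest.xml
// declares the normal-level permission the API 31 call needs:
//   <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS" />
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.widget.Button
import androidx.appcompat.app.AppCompatActivity

private const val TAG = "OverlayGuard"

/**
 * Pure decision helper: does the MotionEvent carry the flags the system sets
 * when another window was covering this view at touch time?
 * FLAG_WINDOW_IS_OBSCURED exists since API 9; FLAG_WINDOW_IS_PARTIALLY_OBSCURED
 * since API 29, so it is only consulted on Android 10 and later.
 */
fun touchCameThroughOverlay(eventFlags: Int, sdkInt: Int = Build.VERSION.SDK_INT): Boolean {
    val fullyObscured = (eventFlags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
    val partiallyObscured = sdkInt >= Build.VERSION_CODES.Q &&
        (eventFlags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
    return fullyObscured || partiallyObscured
}

class LoginActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_login)

        // Android 12 (API 31) and later: the setHideOverlayWindows(true) call the
        // article refers to. It asks the system not to draw non-system overlay
        // windows from other apps while this window is visible. It must be
        // repeated for every Activity/Window that handles sensitive input.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        val loginButton = findViewById<Button>(R.id.login_button)

        // All API levels: refuse to act on a tap that arrived while the button was
        // covered, and record the event so the app (or its backend) can treat the
        // session as suspect. Returning true consumes the event, so the click
        // handler never runs for an obscured touch; returning false lets a clean
        // touch proceed normally.
        loginButton.setOnTouchListener { _, event ->
            val obscured = touchCameThroughOverlay(event.flags)
            if (obscured && event.action == MotionEvent.ACTION_DOWN) {
                Log.w(TAG, "Login tap arrived through an overlay window; ignoring it")
            }
            obscured
        }

        loginButton.setOnClickListener { submitCredentials() }
    }

    private fun submitCredentials() {
        // Hypothetical: the normal login flow goes here.
    }
}
```

The declarative alternative to the touch listener is `android:filterTouchesWhenObscured="true"` on the view (or `view.filterTouchesWhenObscured = true`), which makes Android drop obscured touches before they reach the app; the listener form is used here because it gives the app a place to log the event and raise the session's risk. Neither check stops a transparent overlay that only captures keystrokes typed into a fake screen, which is why the article pairs these app-side measures with anti-malware detection and behaviour monitoring.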

Moreover, while the feature is indeed a security enhancement, it’s not foolproof. The method is not resistant to tampering and can potentially be bypassed using conventional mobile app penetration testing or dynamic hacking tools. These are tools designed to evaluate and exploit potential security vulnerabilities within apps, and, unfortunately, the same tools can be used by malicious entities to sidestep this new security measure.

Why Block Overlay Attacks in Android Apps?

The necessity of blocking Screen Overlay Attacks in Android apps primarily stems from both regulatory compliance and the potential harm these attacks can inflict, particularly within regulated industries like financial services, healthcare, and retail.

Laws and regulations in many jurisdictions mandate that organizations protect user data. Therefore, apps operating in these regions must adopt measures to block Overlay Attacks to ensure compliance and avoid penalties or legal consequences.

However, beyond legal requirements, Overlay Attacks pose a significant threat to the security of user data. These attacks are particularly insidious as they often aim for data theft or harvesting, targeting all forms of crucial end-user data. This could range from personal identifiable information (PII), account details, transaction data, to even sensitive healthcare information, depending on the type of app being exploited.

To illustrate, let’s consider an Overlay Attack on a mobile banking app. A successful attack could potentially compromise a range of critical data, including usernames, passwords, account numbers, credit card information, ATM pin codes, and answers to security questions. If this data falls into the wrong hands, the user could face severe financial loss, identity theft, and other serious repercussions.

Similarly, apps that facilitate mobile purchases or transactions also carry a heightened risk. Any unblocked Overlay Attack on such platforms puts a wealth of sensitive user data at risk.

Therefore, it’s not just beneficial but also critical to block Overlay Attacks in Android apps. Doing so protects users, maintains trust, ensures regulatory compliance, and helps safeguard the integrity of the app and the organization behind it.

Govindraj Basatwar, Global Business Head
A techno-commercial evangelist who creates, develops, and executes a clear vision for teams. Successfully created a SaaS business model with multi-million-dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market-entry strategy, business plan, sales, and business development activities.