Okay LogoOkay Logo
Go back to Okay blog

The Latest News in Overlay Attacks

First published: 15/11/2018

updated: 22/10/2022


Security vendors are fighting an endless battle against malware creators. Their most common goal is often finding new ways of stealing user credentials and passwords, so that criminals can hijack accounts and do fraudulent transactions. How can the Okay SCA solution protect your app from this? Read on.


On Android, there is a huge challenge when trying to implement a secure application. This is because users have a large variety of OS systems running (often not updated), ranging from Android 2.3 in 2010 to the latest 8.0 beta release in 2017. All of these releases have different security vulnerabilities, which can be exploited in various ways.

A good example of this is Tapjacking. Android versions up to 4.0.3 were an easy attack vector. With Tapjacking, any application holding the SYSTEM_ALERT_WINDOW permission could display their own “system alerts” with a custom look and duration.

This was used to display text on top of a transaction which needed to be verified by showing a fake password input on top of a running app. This could be done from any running app, even without having root access on the device - an major security hole.

With Android 4.3, the floating windows were not touchable, and with Android 5.0, easy access to this permission was reduced, and users had to manually set which apps had the “Permit drawing over other apps” permission.

But in 2017, Tapjacking made a return. According to the SYSTEM_ALERT_WINDOW, permission can be set for devices running Android 6.0.1 and newer, as long as the app was downloaded from Google Play. According to Check Point, 74% of ransomware, 57% of adware, and 14% of banker malware abuse this permission as part of their operation. This is clearly not a minor threat, but an actual tactic used in the wild.

Of course, the Google Bouncer, which scans all apps published on Google Play, might provide some protection. But this is somewhat of a false hope as there are lots of ways an application may encrypt certain parts and circumvent the scan. Also, at least 25% of devices in users’ hands are still running Android 4.3 and older versions, which still have obvious vulnerabilities as described above.

Okay Protection

So how does the Okay SCA solution protect your app?

First, we have active protection against overlays, customised to every major version of Android. If it is not possible to detect an active app trying to draw on top of the app, we still have a couple of ways to detect any tampering:

  • User interfaces are built from just-in-time received unique code blocks, which limits the time malware has to modify the application.
  • All user interfaces shown to the user is watermarked. A screenshot is taken, and this watermark is then checked on the server-side.
  • We have custom keyboards and PIN entry solutions, which can be randomised so that malware that records touch events can’t know exactly what the user is entering.

The PSMP solution is based on a fundamental assumption: That devices are infected with malware, and that the malware can have root access.

With root access it is very hard to protect against overlays – in the worst-case scenario, the malware might draw directly on the frame-buffer, without going through normal OS mechanisms. There is no known malware that uses mechanisms like this today, but the PSMP solution is designed to be as future-proof as possible.

Remember, Okay’s innovative security mechanisms are here to not just help protect user-information, but assist banks and PSPs with the appropriate PSD2 regulation regarding SCA. Read more about how the Okay solution works or book a demo today.

Follow us on LinkedIn