The latest news in overlay attacks
Sometimes it feels like security vendors are fighting an endless battle against malware creators who keep coming up with new exploits. A common goal for malware authors is to find new ways of stealing user credentials and passwords, so that criminals can hijack accounts and even carry out fraudulent transactions. The mechanisms used to do this have gone under several different names: Tapjacking,
On Android there is an additional challenge when trying to implement a secure application: Users might have handsets running everything from Android 2.3 from 2010, to the latest 8.0 beta release from 2017. All of these releases have different security vulnerabilities, which can be exploited in various ways.
A good example of this is Tapjacking, which up to and including Android 4.0.3 was an easy attack vector. With Tapjacking any application holding the SYSTEM_ALERT_WINDOW permission could display its own “system alerts” with a custom look and custom duration. This can be used to display text on top of a transaction which is supposed to be verified, or even to show a fake password input on top of a running app. This could be done from any running app, even without root access on the device, and was an obvious major security hole. With Android 4.3 the floating windows could no longer be touchable, and with Android 5.0 easy access to this permission was reduced: users had to manually set which apps had the “Permit drawing over other apps” permission.
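The app-side counterpart of the platform mitigation above, as an added example that is not Protectoria's code nor code from the original post: Android flags a touch that arrives while another window covers the view (MotionEvent.FLAG_WINDOW_IS_OBSCURED, available since API 9), so a sensitive control can drop such touches instead of acting on them, and a package-manager scan can list installed apps that request SYSTEM_ALERT_WINDOW before a transaction screen is shown. The class names ObscuredTouchGuard and SafeConfirmButton, the onObscuredTouch hook and appsRequestingOverlay are assumed names for this illustration.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;
import java.util.ArrayList;
import java.util.List;

public class ObscuredTouchGuard {
    /** A confirm button that drops any touch delivered through an overlay. */
    public static class SafeConfirmButton extends Button {
        public SafeConfirmButton(Context ctx, AttributeSet attrs) {
            super(ctx, attrs);
            // Platform filter (API 9+): touches are discarded while the window is obscured.
            setFilterTouchesWhenObscured(true);
        }

        @Override
        public boolean onFilterTouchEventForSecurity(MotionEvent event) {
            // The system sets FLAG_WINDOW_IS_OBSCURED when another window, such as a
            // SYSTEM_ALERT_WINDOW overlay, covers this view at the touch location.
            if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                onObscuredTouch(event);
                return false; // never reaches onTouchEvent
            }
            return super.onFilterTouchEventForSecurity(event);
        }

        /** Hypothetical hook: record the event, lock the transaction screen, etc. */
        protected void onObscuredTouch(MotionEvent event) { }
    }

    /** Package names of installed apps that declare SYSTEM_ALERT_WINDOW. */
    public static List<String> appsRequestingOverlay(Context ctx) {
        List<String> result = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (pi.requestedPermissions == null) continue;
            for (String perm : pi.requestedPermissions) {
                if (Manifest.permission.SYSTEM_ALERT_WINDOW.equals(perm)) {
                    result.add(pi.packageName);
                    break;
                }
            }
        }
        return result;
    }
}
```

On Android 11 and newer, package visibility restrictions mean appsRequestingOverlay only sees apps the manifest declares a query for, so the enumeration is weaker there than on the versions this post discusses.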
Now, in 2017, Tapjacking is making a return. On devices running Android 6.0.1 and newer the SYSTEM_ALERT_WINDOW permission can be set as long as the app was downloaded from Google Play. According to Check Point, 74% of ransomware, 57% of adware and 14% of banker malware abuse this permission as part of their operation. So this is clearly not a minor threat, but an actual tactic used in the wild.
Of course, Google Bouncer, which scans all apps published on Google Play, might provide some protection, but this is somewhat of a false hope: there are lots of ways an application can encrypt parts of itself and circumvent the scan. Also, at least 25% of devices in users’ hands are still running Android 4.3 or older, which still have the obvious vulnerabilities described above.
How does the Protectoria PSMP solution protect your app? Firstly, we have active protection against overlays, customized to every major version of Android. If it is not possible to detect an active app trying to draw on top of the app, we still have a couple of ways to detect tampering:
- User interfaces are built from unique code blocks received just in time, which limits the time malware has to modify the application.
- All user interfaces shown to the user are watermarked. A screenshot is taken, and this watermark is then checked on the server side.
- We have custom keyboards and PIN entry solutions, which can be randomized so that malware which records touch events can’t know exactly what the user is entering.
The PSMP solution is based on a fundamental assumption: that devices are infected with malware, and that the malware can have root access. With root access it is very hard to protect against overlays – in the worst case the malware might draw directly on the framebuffer, without going through normal OS mechanisms. There is no known malware which uses mechanisms like this today, but the PSMP solution is designed to be as future-proof as possible.