Over the past few years screen overlay attacks, common in web apps for years, have grown to become a major threat to mobile apps. In particular, overlay attacks are often used in mobile fraud campaigns, where they are combined with social engineering techniques and specially crafted malware. The goals of an overlay attack may vary, but they generally fall into several main categories: (1) tricking users to unknowingly divulge sensitive data to an attacker (2) tricking users to enable backdoors that can be used later to update malware or to infiltrate a system, environment or network or (3) tricking users to perform actions which grant elevated privileges or permissions to the malware (or whoever controls the malware). Whatever the goal, overlay attacks always involve trickery, and they always involve the abuse or exploitation of normal application, platform or OS functions or behaviors.
What is a Screen Overlay Attack?
A Screen Overlay Attack (sometimes also called Clickjacking) is an attack method that uses multiple transparent or opaque layers to trick users to interact with malicious or hidden content or malware. The user is tricked into performing an action that they believe is beneficial or desirable to them, but in reality, the action actually benefits the attacker (or the malware controlled by the attacker). The trickery is accomplished with the help of malware on the user’s device, which either imitates, hijacks or covers a portion of the legitimate app. In fact, the overlay malware has usually been specifically designed (or updated via a trojan dropper) to exploit a legitimate target application by abusing normal features or functions of the target app or environment, using information learned from monitoring the user’s behavior or listening for OS signals or system events.
How Does Overlay Malware Work?
Some overlay malware works by tricking the user to approve/grant ‘app permissions’ to the malware app, which the user thinks they are approving for the legitimate app. The permissions granted can be a wide range of things that can be used maliciously, such as access to the camera, location, microphone, contacts/phonebook, or features such as debug mode, accessibility services, or Allow Unknown Sources, all of which can be used by an attacker for malicious reasons (stealing data, intercepting pin codes, gaining root access, account takeovers, or even taking control over the app or device entirely).
Mobile malware is often hidden inside fake versions of popular utility or productivity apps that run in the background (like a battery life extender, or system update app, a barcode scanner).
There are many different variants of screen overlay attacks. I’ll describe some of the more common variants of screen overlay attacks, and the types of fraud they are used for. I’ll also explain how fraudsters typically combine multiple attack techniques or methods in order to enhance the effectiveness and credibility of their attacks. The more believable an attack is, the higher the likelihood of success.
Some recent examples of overlay malware in the wild are Anubis, BankBot, StrandHogg, BlackRock, Cloak&Dagger, Ghimob, Ginp, and MazarBot.
Top Screen Overlay Attack Methods Used By Fraudsters
1. Data Harvesting/ Data Theft
When used for the purpose of data theft, screen overlay attacks generally involve tricking a mobile user to interact with a fake or modified UI screen that imitates something that the user trusts (like the login screen of their bank). The fake screen overlay may either cover the real app screen (hiding it from the user’s view), or redirects the user to a malicious copy of the login screen (using a webview for example). Then the victim is tricked into entering information (usually sensitive info like banking credentials, pin codes, or answers to “security questions”) they believe is being transmitted to the trusted site, but in reality, it’s being transmitted directly to the attacker.
This variant of screen overlay attacks often targets mobile banking, fintech, e-commerce, gaming, or retail apps.
2. Infiltration and Malware Delivery
In other variants of screen overlay attacks, the fraudster may not be after information, but they might instead want to create a ‘backdoor‘ that they can access and exploit in the future. The backdoor might be used for things like malware delivery/updates, command and control (C&C) of a botnet, or infiltration of a protected network or server. For example, Android Allow Unknown Sources * is an Android OS setting that allows a user to install apps outside of the Google Play store or programs that may not be trusted or known to be safe As part of the overlay attack, the fraudster might trick the user into enabling Allow Unknown Sources on an Android device by superimposing a fake button on top of the real button and then tricking the user to click on it, or by masquerading an app that the user previously downloaded, which requests multiple permissions (one permission request to Allow Unknown Sources, and another permission request to install future apps downloaded to the device).
By tricking the user to turn on “Allow Unknown Sources”, the attacker now has an easy way to deliver malware onto the mobile device in a way that bypasses Google Play security measures, doesn’t require additional permission requests from the user, and can be fully automated. Once this feature is enabled, it stays enabled until someone explicitly turns it off. And since the user did not actually know they just turned this feature on in the first place, they would have no reason to turn it off.
3. Privilege Escalation – via Android Accessibility Services and App Permissions Abuse
Bad actors and fraudsters also use overlay attacks as a means to elevate administrative privileges or to gain remote control capabilities for themselves by tricking mobile users to enable powerful functions such as Accessibility Services or by tricking users to grant app permission requests to a malicious app running in the background. There are many sub-variants of this attack technique, and they all abuse different methods. Sometimes the malicious fake app hijacks the real app (by abusing legitimate functions like Android “tasks“), and pushes itself into the foreground. It then impersonates the real app and requests permissions from the user. If the user approves the permissions (which they usually do), the permissions are used by the malware or malware creator for malicious purposes.
Real-World Example – Screen Overlay Attack Which Misuses Android Toast Notifications
Here’s a real-life example of a screen overlay attack discovered by Palo Alto Networks which exploited the Android “Toast Notifications” function. Toast notifications is an Android OS feature that is used to display short-lived messages and notifications as a ‘floating window’ at the top or bottom of the screen for a short period of time before disappearing. Here’s an example of a toast notification that displays while the user sends an email.
Toast notifications can be exploited in screen overlay attacks when attackers understand when and how they are triggered, where they appear on the screen, and for how long – all of which they can easily learn by inspecting the code (static analysis) and/or running the app and observing its behavior (dynamic analysis). Once they know this, the attacker can overlay their own fake button on top of the toast notification and trick the user into clicking on the malicious content.
In the example shown below, the user is tricked into thinking that they are installing a mandatory security patch. But in reality, they are actually activating malware and approving app permissions that give the attacker control over the device and their data.
The fake “security patch” screen (on the left) is placed on top of the real screen (on the right) which is actually a malware activation screen. The user thinks they are clicking ‘Continue’ to install a security patch. But they are actually clicking the ‘Activate’ button (hidden underneath the fake screen) which activates the malware AND grants permissions to the malware/attacker. The attacker can then use those permissions to (1) lock the user out of their device by changing the passcode and (2) encrypt and/or delete the user’s data. This is a perfect setup for a ransomware attack!
One of the biggest dangers of App Overlay Attacks is that they are almost undetectable to the unsuspecting mobile user, and they use deceit and trickery in order to convince people that they are interacting with a trusted piece of content or app, and they will act accordingly (usually by revealing sensitive information inadvertently or by taking an action that is harmful to them). And before they know there is a problem, the fraudster may have already locked them out of their account in an account takeover (ATO), made fraudulent transactions, or initiated a ransomware attack.
Recommendations For Mobile App Developers
The best defense against mobile fraud is to prevent it from occurring in the first place. Appdome’s No Code Mobile Fraud Prevention offers developers, publishers, studios, and financial institutions an easy way to stop mobile fraud at the source. Using Appdome’s no-code technology, developers or fraud specialists can build pre-emptive and defensive protections into any mobile app in minutes, which enables the app to defend itself against mobile fraud.
If you want to learn more about how Appdome is used to prevent mobile fraud, and to prevent exploitation and misuse of legitimate app/OS functionality and development tools, request a demo today.
*note: the Android ‘Allow Unknown Sources’ feature may have a different name depending on the version or device manufacturer.