This blog post will examine how cyber-thieves use screen overlay attacks and other types of mobile malware to commit mobile fraud. Recently, screen overlay attacks, which have been common in web apps for years, have grown to become a major threat to mobile apps.
What is a Screen Overlay Attack?
A screen overlay attack is an attack method in which part of the application screen is covered by a fake (malicious) screen that the user is tricked into clicking on or interacting with. There are a huge number of variants of overlay attacks, but in all of them the user believes they are interacting with a legitimate app or service while they are actually interacting with an overlay screen controlled by the attacker.
The goals of an overlay attack may vary, but they generally fall into the following categories:
- Data Harvesting or Data theft – accomplished by covering part of the mobile app screen with a fake screen that looks exactly like the real screen, except that the fake screen is controlled by the attacker. The user is then tricked into revealing some sort of personal or valuable information (such as usernames, passwords, 2FA codes, social security numbers or answers to “security questions”). Any information that the user enters is sent directly to the attacker. This technique has been very common in mobile banking apps, fintech apps, eWallets, and cryptocurrency apps.
- Planting Backdoors – A backdoor is any method by which users, authorized or not, get around normal security measures and gain high-level (aka root) access to a computer system, network or software application.
- Privilege escalation – Tricking users into elevating privileges for malware or attackers, such as granting excessive permissions to malware or abusing accessibility services to automate malicious botnet actions. This attack technique has been blended with “sneakerbots” and other malicious bots aimed at retail and e-commerce apps.
I will now provide examples of how each of the above attack methods has been accomplished in the real world.
Common Screen Overlay Malware Techniques
Some overlay malware works by tricking the user to approve “app permissions” to the malware app, which the user thinks they are approving for the legitimate app. The permissions granted can be a wide range of things that can be used maliciously, such as access to the camera, location, microphone, contacts/phonebook, or features such as debug mode, accessibility services, or Android “Unknown Sources”, all of which can be used by an attacker for malicious reasons.
Mobile malware is often hidden inside fake versions of popular utility or productivity apps that run in the background (such as a battery life extender, a system update app, or a barcode scanner).
There are many different variants of screen overlay attacks. I’ll describe some of the more common variants and the types of fraud they are used for. I’ll also explain how cyber-criminals combine multiple attack techniques or methods in order to enhance the effectiveness and credibility of their attacks. The more believable an attack is, the higher the likelihood of success.
Top Screen Overlay Attack Methods
1. Data Harvesting/ Data Theft
In this variant, an overlay of a fake screen covers part of the real screen (hiding it from the user’s view) and then asks the victim to enter information (usually sensitive information such as banking credentials, PIN codes, or answers to “security questions”). The victim thinks they are sending their confidential information to a trusted site, but in reality they are sending it directly to the attacker.

This variant of screen overlay attacks often targets mobile banking, fintech, e-commerce, gaming, or retail apps.
2. Infiltration & Malware Delivery
In other variants of screen overlay attacks, the fraudster may not be after information per se, but may instead want to create a ‘backdoor’ that they can access and exploit in the future. Backdoors are used for things like communicating with a command and control (C&C) network, updating malware, or infiltrating protected resources or networks. Hackers like to target high-privilege services, like Android “Developer Options” or “Unknown Sources”, as their entry point. They trick users into turning on these services by covering part of the screen or making the user think they are clicking a different button. Then the attacker or malware exploits the actual service for malicious purposes, usually without the user knowing. For example, “Unknown Sources” is an Android OS setting that allows a user to install apps from outside the Google Play store, including programs that may not be trusted or known to be safe. As part of the overlay attack, the fraudster might trick the user into enabling Allow Unknown Sources on an Android device by superimposing a fake button on top of the real button and then tricking the user into clicking on it, or by masquerading as an app that the user previously downloaded and requesting multiple permissions (one permission request to allow Unknown Sources, and another to install future apps downloaded to the device).
By tricking the user into enabling “Unknown Sources”, the attacker now has an easy way to deliver malware onto the mobile device in a way that bypasses Google Play security measures, doesn’t require additional permission requests from the user, and can be fully automated. Once this feature is enabled, it stays enabled until someone explicitly turns it off. And since the user did not actually know they had turned this feature on in the first place, they would have no reason to turn it off.
3. Privilege Escalation
Bad actors and fraudsters also use overlay attacks as a means to elevate administrative privileges or to gain remote control capabilities for themselves, by tricking mobile users into enabling powerful functions such as Accessibility Services or into granting app permissions to a malicious app running in the background. There are many sub-variants of this attack technique, and each abuses a different mechanism. Sometimes the malicious fake app hijacks the real app (by abusing legitimate functions like Android “tasks”) and pushes itself into the foreground. It then impersonates the real app and requests permissions from the user. If the user approves the permissions (which they usually do), the permissions are used by the malware or malware creator for malicious purposes.
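One defensive check an app can make before a sensitive step (login, transfer confirmation, permission grant) is to look at which accessibility services are currently enabled and flag any that are not on a known allow-list. This is an added example written for this post, not Appdome’s code or the original author’s; the allow-list contents and the policy hook are placeholders.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.ComponentName
import android.content.Context
import android.provider.Settings
import android.view.accessibility.AccessibilityManager

object AccessibilityAudit {
    // Placeholder allow-list: real apps should load this from signed config.
    // TalkBack is listed only as an illustration of a legitimate screen reader.
    private val trustedPackages = setOf("com.google.android.marvin.talkback")

    // Services currently enabled, parsed from the colon-separated system setting
    // (each entry is a flattened ComponentName such as "pkg/.ServiceClass").
    fun enabledServices(context: Context): List<ComponentName> {
        val raw = Settings.Secure.getString(
            context.contentResolver,
            Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES
        ) ?: return emptyList()
        return raw.split(':')
            .filter { it.isNotBlank() }
            .mapNotNull { ComponentName.unflattenFromString(it) }
    }

    // Enabled services whose package is not on the allow-list.
    fun untrustedServices(context: Context): List<ComponentName> =
        enabledServices(context).filter { it.packageName !in trustedPackages }

    // Independent second source for the same information via AccessibilityManager,
    // useful as a cross-check if the settings string has been tampered with.
    fun untrustedViaManager(context: Context): List<String> {
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filter { it !in trustedPackages }
    }

    // Policy hook (placeholder): the caller decides whether to warn, require
    // re-authentication, or block the sensitive action when this returns true.
    fun shouldStepUp(context: Context): Boolean =
        untrustedServices(context).isNotEmpty() || untrustedViaManager(context).isNotEmpty()
}
```

Call `AccessibilityAudit.shouldStepUp(this)` from the activity that hosts the sensitive screen; an unknown service is a signal, not proof, so prefer step-up authentication over a hard block.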
Real-World Example – Abusing Android Toast Notifications
Here’s a real-life example of a screen overlay attack discovered by Palo Alto Networks which exploited the Android “Toast Notifications” function. Toast notifications are an Android OS feature used to display short-lived messages and notifications as a ‘floating window’ at the top or bottom of the screen for a short period of time before disappearing. Here’s an example of a toast notification displayed while the user sends an email.
Toast notifications can be exploited in screen overlay attacks when attackers understand when and how they are triggered, where they appear on the screen, and for how long – all of which they can easily learn by inspecting the code (static analysis) and/or running the app and observing its behavior (dynamic analysis). Once they know this, the attacker can overlay their own fake button on top of the toast notification and trick the user into clicking on the malicious content.
In the example shown below, the user is tricked into thinking that they are installing a mandatory security patch. But in reality, they are actually activating malware and approving app permissions that give the attacker control over the device and their data.
The fake “security patch” screen (on the left) is placed on top of the real screen (on the right) which is actually a malware activation screen. The user thinks they are clicking ‘Continue’ to install a security patch. But they are actually clicking the ‘Activate’ button (hidden underneath the fake screen) which activates the malware AND grants permissions to the malware/attacker. The attacker can then use those permissions to (1) lock the user out of their device by changing the passcode and (2) encrypt and/or delete the user’s data. This is a perfect setup for a ransomware attack!
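The tap-through shown above works because the real ‘Activate’ button accepts a touch even though another window is covering it. As an added example (not code from the original post or from Appdome), this is how an Android activity can reject touches delivered while its consent button is obscured, and on Android 12+ ask the system to hide non-system overlays altogether. The layout and view ids are placeholders.

```kotlin
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.widget.Button
import androidx.appcompat.app.AppCompatActivity

class ConsentActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_consent)            // placeholder layout
        val button = findViewById<Button>(R.id.continue_button) // placeholder id

        // 1. Framework filter: the system discards touches that arrive while another
        //    window fully covers this view (same as android:filterTouchesWhenObscured).
        button.filterTouchesWhenObscured = true

        // 2. Defence in depth: inspect the obscured flags ourselves so that partial
        //    overlays (reported from API 29) are also rejected and the event is logged.
        button.setOnTouchListener { _, event ->
            val obscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
            val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
                (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
            if (obscured || partiallyObscured) {
                // Consume the touch so no click is generated, and record the attempt.
                Log.w(TAG, "Touch on consent button rejected: window obscured")
                true
            } else {
                false // untouched path: normal click handling continues
            }
        }

        // 3. Android 12+: hide non-system overlay windows while this screen is visible.
        //    Requires <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>
        //    in the manifest (a normal, non-runtime permission).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        button.setOnClickListener { grantConsent() }
    }

    private fun grantConsent() {
        // Placeholder for the real action (e.g. continuing the permission flow).
    }

    private companion object { const val TAG = "ConsentActivity" }
}
```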
One of the biggest dangers of app overlay attacks is that they are almost undetectable to the unsuspecting mobile user. They rely on deceit and trickery to convince people that they are interacting with a trusted piece of content or app, and people act accordingly (usually by inadvertently revealing sensitive information or by taking an action that is harmful to them). Before the user knows there is a problem, the fraudster may already have locked them out of their account in an account takeover (ATO), made fraudulent transactions, or initiated a ransomware attack.
Recommendations For Mobile App Developers
On-device malware and mobile fraud have grown to become two of the biggest threats on the minds of mobile consumers. In Appdome’s most recent Global Mobile Consumer survey about mobile app security expectations, mobile fraud took the #1 spot as the biggest fear on the minds of consumers, and malware shot up 121% to take the #2 spot. The best defense against mobile fraud is to prevent it from occurring in the first place. Appdome’s No Code Mobile Fraud Prevention offers developers, publishers, studios, and financial institutions an easy way to stop mobile fraud at the source. Using Appdome’s no-code technology, developers or fraud specialists can build pre-emptive and defensive protections into any mobile app in minutes, enabling the app to defend itself against mobile fraud.
If you want to learn more about how Appdome is used to prevent mobile fraud, and to prevent exploitation and misuse of legitimate app/OS functionality and development tools, request a demo today.
*note: the Android ‘Allow Unknown Sources’ feature may have a different name depending on the version or device manufacturer.