How to Block Overlay Attacks on Android Apps

Learn the 3 Easy Steps to Block Overlay Attacks on Android apps. No Code, No SDK

What is an Overlay Attack?

In an Overlay Attack (sometimes also called “Screen Overlay Attack” or “Clickjacking”) the attacker uses multiple transparent or opaque layers to trick a user into interacting with a button, link, window or another UI element that is hidden from their view. The real window is covered by a different window that the hacker (or malware controlled by the hacker) has placed on top. So when the user clicks on or interacts with the element in their view, in reality, they are interacting with the hidden (malicious) element (which performs an action that serves the hacker’s purpose). Hackers often use malware, fake apps, and social engineering techniques in combination with Overlay Attacks to make the attack more believable and more effective.

Here are the Top 3 Ways Hackers Use Screen Overlay Attacks in Mobile Fraud

Data Theft/ Data Harvesting
- In banking and finance apps, one common screen overlay technique is where the attacker creates a fake copy of the bank’s UI, and places it on top of the user’s screen. The most common interaction pattern for this attack would be tricking the user to enter information such as account numbers, credit card info, ATM pin codes, username, password, API Keys, app secrets, security questions, etc. When the user types the information requested, they are actually transmitting the data through the fake overlay window, which is controlled by the attacker.

Infiltration and Malware Delivery
- The attacker might also use a Screen overlay attack to create a backdoor for themselves that they can use later to deliver malware onto a mobile device. For example, Android Allow Unknown Sources is an Android OS setting that allows a user to install apps outside of Google Play, or programs that may not be trusted or known to be safe. As part of the overlay attack, the hacker tricks the user into enabling Allow Unknown Sources by superimposing a fake button on top of the button that enables Unknown Sources and tricking the user into clicking on it. They can then use that channel as a vehicle to get fake apps or malware updates onto the device.

Privilege Escalation
- Hackers also use overlay attacks to trick users into elevating administrative privileges or enabling functions that allow the hacker to control an app or device remotely. For example, a common overlay attack variant, the hacker tricks the mobile user into enabling Android AccessibilityServices. Accessibility services are OS-level settings in Android that are designed to help users with disabilities (eg: screen readers, speech to text, touch events). They run in the background and receive callbacks by the system when accessibility events are fired, making them capable of reacting to a state transition in the UI (eg: focus has changed, button was clicked, or content in the active window was queried). These services also typically run with a higher level of administrative privilege. For this reason, AccessibilityServices are often used for different purposes for which they were not intended and targeted by hackers to exploit. When abused, they are used to perform click actions (either to commit click fraud or to cheat in mobile games), read and write SMS messages and emails, intercept and read Two-Factor Authentication codes, steal cryptocurrency keys, control mobile devices or apps remotely and more.

How to Block Overlay Attacks on Android apps?

Appdome is a no-code mobile app security platform designed to add security features, like Overlay Attack Prevention to any Android apps without coding. This KB shows mobile developers, DevSec and security professionals how to use Appdome’s simple ‘click to build’ user interface to quickly and easily prevent overlay attacks.

Appdome Block App Overlay Attacks feature detects if a malicious overlay screen is placed on top of the protected application’s screen. Upon detecting an overlay attack, the default action is for the app to exit/close after displaying a message to the user. Optionally, developers can instrument different enforcement/response actions by using Appdome Threat Events.

Appdome blocks Overlay attacks such as Anubis, BankBot, StrandHogg, BlackRock, Cloak&Dagger, Ghimob, Ginp, and MazarBot.

3 Easy Steps to Block App Overlay Attacks on Android Apps

Please follow these 3 easy steps to protect Android apps against Overlay Attacks

Upload an Android App to Appdome’s no code security platform (.apk or .aab for Android)
In the Build Tab, under Anti-Fraud Toggle on Block App Overlay Attacks (shown below)
Click Build My App

block screen overlay attacks

Congratulations! The app is now protected against Overlay Attacks.

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android apps against Overlay Attacks. When a user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Prerequisites to Block App Overlay Attacks

Appdome account (If you don’t have an Appdome account, create a free Appdome account here)
A license for Block App Overlay Attacks
Mobile App (.apk or .aab for Android)
Signing Credentials (e.g., signing certificates and provisioning profile)

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured Android and iOS apps using Block Overlay Attacks. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, stores, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Mobile Apps Secured with Overlay Attack Prevention

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:

Signing Secure iOS and Android apps
Customizing, Configuring & Branding Secure Mobile Apps
Deploying/Publishing Secure mobile apps to Public or Private app stores

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.

How to Learn More

Here are a few related resources:

How to Stop Click Bot attacks, Click Fraud on Android apps

How to Prevent abuse of Android AccessibilityService for compromising Android apps

How to Block Magisk Hide, Protect Android Apps From Root Hiding

How to Prevent non-approved Android, iOS app store publishing

Check out the Appdome Mobile Fraud Prevention solution page or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Alan Bavosa