How to Block Overlay Attacks on Android Apps

Learn the 3 Easy Steps to Block Overlay Attacks on Android apps, without any coding or SDKs.

What is an Overlay Attack?

In an Overlay Attack (sometimes also called “Screen Overlay Attack” or “Clickjacking”), the attacker uses multiple transparent or opaque layers to trick a user into interacting with a button, link, window or other UI element that is hidden from the user’s view. The real window is covered by a different window that the hacker (or malware controlled by the hacker) has placed on top. When the user clicks on or interacts with the element in their view, they are in reality interacting with the hidden (malicious) element, which performs an action that serves the hacker’s purpose. Hackers often combine Overlay Attacks with malware, fake apps, and social engineering techniques to make the attack more believable and more effective.

Here are the Top 3 Ways Hackers Use Screen Overlay Attacks in Mobile Fraud

  • Data Theft / Data Harvesting
    • In banking and finance apps, one common screen overlay technique is for the attacker to create a fake copy of the bank’s UI (such as a login screen) and place it on top of the user’s screen. The most common interaction pattern for this attack is tricking the user into entering information such as account numbers, credit card info, ATM PIN codes, usernames, passwords, API keys, app secrets, security questions, etc. When the user types the requested information, they are actually transmitting the data through the fake overlay window, which is controlled by the attacker.

  • Infiltration and Malware Delivery
    • The attacker might also use a Screen Overlay attack to create a backdoor for themselves that they can use to deliver malware onto a mobile device. For example, Android Allow Unknown Sources is an Android OS setting that allows a user to install apps outside of Google Play, or programs that may not be trusted or known to be safe. As part of the overlay attack, the hacker tricks the user into enabling Allow Unknown Sources by superimposing a fake button on top of the button that enables Unknown Sources and tricking the user into clicking on it. They can then use that channel as a vehicle to get fake apps or malware updates onto the device.

  • Privilege Escalation
    • Hackers also use overlay attacks to trick users into elevating administrative privileges or enabling functions that allow the hacker to control an app or device remotely. For example, in a common overlay attack variant, the hacker tricks the mobile user into enabling Android AccessibilityServices. AccessibilityServices are OS-level settings in Android that are designed to help users with disabilities (e.g., screen readers, speech to text, touch events). They run in the background and receive callbacks from the system when accessibility events are fired, making them capable of reacting to a state transition in the UI (e.g., focus has changed, a button was clicked, or content in the active window was queried). These services also typically run with a higher level of administrative privilege. For this reason, AccessibilityServices are often used for purposes for which they were not intended, and are targeted by hackers to exploit. When abused, they are used to perform click actions (either to commit click fraud or to cheat in mobile games), read and write SMS messages and emails, intercept and read Two-Factor Authentication codes, steal cryptocurrency keys, control mobile devices or apps remotely and more.

How to Block Overlay Attacks on Android apps?

Appdome is a no-code mobile app security platform designed to add security features, like Overlay Attack Prevention, to any Android app without coding. This KB shows mobile developers, DevSec and security professionals how to use Appdome’s simple ‘click to build’ user interface to quickly and easily prevent overlay attacks.

Appdome’s Block App Overlay Attacks feature detects if a malicious overlay screen is placed on top of the protected application’s screen.

Appdome blocks Overlay attacks such as Anubis, BankBot, StrandHogg, BlackRock, Cloak&Dagger, Ghimob, Ginp, and MazarBot.

————————————————————————————————————————————-

Threat Events for Block App Overlay Attacks

When Appdome detects an Overlay Attack, the application will exit/close in order to protect itself (as the default action). Alternatively, developers can use Appdome Threat Events to achieve different enforcement actions when Appdome detects a threat.

Using Threat Events, when a threat is detected by Appdome, instead of the app exiting/closing, Appdome will pass the event back to the mobile application to handle enforcement, according to the enforcement action that you select at the time you build/secure the app on Appdome.

Appdome Threat-Events use industry-standard notification methods to pass security events from Appdome’s detection layer back to the mobile application, informing the app any time a malicious event is detected and passing along information related to the threat in a key-value pair format.

————————————————————————————————————————————-

To start receiving Threat-Events for Block App Overlay Attacks, you need to register your app to listen for Appdome events using the following Threat Event name (key):

Threat Event Name for Block App Overlay Attacks: OverlayDetected

Visit this Knowledge Base article for details on how to implement Threat Events in your mobile application, and to download the specific code that is relevant for your application’s development framework.
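
The app-side handling of the OverlayDetected Threat Event described above, as an added Kotlin example that is not Appdome's code or part of the original article. It assumes the event is delivered as an in-app broadcast Intent whose action is the event name and whose extras carry the key-value payload; `LoginActivity` and `lockSensitiveUi` are hypothetical names.

```kotlin
// Added example, not Appdome code. Assumption: the Threat Event arrives as an in-app
// broadcast whose action is the event name, with the key-value payload in its extras.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.util.Log
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.ContextCompat

private const val OVERLAY_EVENT = "OverlayDetected" // event name given on this page

class LoginActivity : AppCompatActivity() { // hypothetical activity name
    private val overlayReceiver = object : BroadcastReceiver() {
        override fun onReceive(context: Context, intent: Intent) {
            if (intent.action != OVERLAY_EVENT) return
            // Log payload keys only, so no threat detail or user data lands in logcat.
            val keys = intent.extras?.keySet()?.sorted().orEmpty()
            Log.w("OverlayThreat", "threat event received, payload keys=$keys")
            lockSensitiveUi()
        }
    }

    override fun onStart() {
        super.onStart()
        // NOT_EXPORTED: other apps cannot deliver a spoofed event to this receiver.
        ContextCompat.registerReceiver(
            this, overlayReceiver, IntentFilter(OVERLAY_EVENT),
            ContextCompat.RECEIVER_NOT_EXPORTED
        )
    }

    override fun onStop() {
        unregisterReceiver(overlayReceiver)
        super.onStop()
    }

    // App-side enforcement (hypothetical): drop obscured touches and end the login flow.
    private fun lockSensitiveUi() {
        window.decorView.filterTouchesWhenObscured = true
        AlertDialog.Builder(this)
            .setMessage("Another app is drawing over this screen. Close it and sign in again.")
            .setCancelable(false)
            .setPositiveButton(android.R.string.ok) { _, _ -> finish() }
            .show()
    }
}
```

If the event is delivered through a different mechanism in your build, only the registration in `onStart` changes; the enforcement in `lockSensitiveUi` stays the same.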

3 Easy Steps to Block App Overlay Attacks on Android Apps 

Please follow these 3 easy steps to protect Android apps against Overlay Attacks:

  1. Upload an Android app to Appdome’s no code security platform (.apk or .aab for Android)
  2. In the Build Tab, under Anti-Fraud, toggle on Block App Overlay Attacks (shown below)
    • (Optional) You can customize the App Compromise Notification message that will be displayed to the mobile user when Appdome detects a threat.
    • (Optional) Turn ON the Threat-Events toggle for Block App Overlay Attacks and select the desired enforcement action (‘In-App Detection’ or ‘In-App Defense’).
    • (Optional) Using the Trust Specified Activities Only feature, you can exclude certain activities from overlay detection by listing the class name of each activity you wish to exclude in the input box.
  3. Click Build My App

[Image: Overlay Attack Prevention]

Congratulations! The app is now protected against Overlay Attacks.

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android apps against Overlay Attacks. When a user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Prerequisites to Block App Overlay Attacks

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured Android and iOS apps using Block App Overlay Attacks. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, stores, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Mobile Apps Secured with Overlay Attack Prevention 

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include 

 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome. 

How to Learn More

Here are a few related resources:

How to Stop Click Bot attacks, Click Fraud on Android apps

How to Prevent abuse of Android AccessibilityService for compromising Android apps

How to Block Magisk Hide, Protect Android Apps From Root Hiding

How to Prevent non-approved Android, iOS app store publishing

Check out the Appdome Mobile Fraud Prevention solution page or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Alan Bavosa
