UI injection attacks

    Android overlay attacks split into two major categories:

    • Activity injections
    • View injections (also known as Overlays)

    Activity injections

    Activity injections insert an unauthorized activity on top of the legitimate app to capture sensitive information or mislead the user.

    An example of an activity injection is a banking trojan displaying, on top of a target application, a layer that mimics its login screen. This type of malware usually synchronizes with a server to download layout replicas of the legitimate apps installed on the same device. These replicas are usually known as "injections" or "injects". The malware then constantly tracks which application is in the foreground, and whenever it detects one of its targets, it draws the overlay (e.g., a login screen) at the right moment. An example is shown in the figure below. When the user enters their credit card information, it is actually typed into the layer controlled by the malware and is subsequently exfiltrated to the malicious actor.


    Example of an activity injection to steal payment information 

    The malicious activity is started through an intent. This activity usually contains a WebView that is loaded with the layout data received from the command-and-control server. Here's how an activity injection can be done (the malware's side, as the page presents it):

    Intent intent = new Intent(this, MaliciousActivityInjectionActivity.class);
    // Start the injected activity in its own task so it can sit over the target app's task
    intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    // Keep it out of the recents screen and out of the back stack to hide the attack from the user
    intent.addFlags(Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS);
    intent.addFlags(Intent.FLAG_ACTIVITY_NO_HISTORY);
    startActivity(intent);

    View injections

    View injections insert additional views or UI elements into an app to capture sensitive information or mislead the user. These additional views or UI elements are also known as overlays.

    For overlays, a view is created by inflating a layout and adding it to the WindowManager with LayoutParams that determine the type and flags of the window placed on top of the target app. On Android 8.0 (API 26) and later the window type is TYPE_APPLICATION_OVERLAY, which requires the SYSTEM_ALERT_WINDOW ("draw over other apps") permission that the user must grant in Settings; whether a malicious app holds that permission is therefore a useful signal in its own right.

    Here's how a view injection can be done:

    WindowManager.LayoutParams params = new WindowManager.LayoutParams(
            WindowManager.LayoutParams.MATCH_PARENT,
            WindowManager.LayoutParams.MATCH_PARENT,
            // Overlay window type (API 26+); needs SYSTEM_ALERT_WINDOW
            WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
            WindowManager.LayoutParams.FLAG_FULLSCREEN,
            PixelFormat.TRANSLUCENT);
    LayoutInflater li = (LayoutInflater) getSystemService(LAYOUT_INFLATER_SERVICE);
    // The inflated layout is the "inject": a replica of the target app's screen
    View view = li.inflate(R.layout.target_overlay, null);
    WindowManager windowManager = (WindowManager) getSystemService(WINDOW_SERVICE);
    windowManager.addView(view, params);

    Defense techniques overview

    Spying on users' data with overlays: defense techniques by attack type (the attack tree starts at the malware overview, /mobile-app-security-research-center/malware/overview)

    Spy on users' screen
      • Activity injections
          ◦ Last activity time inspection, API ≥ 29 (Android 10+) (/mobile-app-security-research-center/malware/last-activity-time-inspection)
          ◦ Recent activity inspection, requires PACKAGE_USAGE_STATS (/mobile-app-security-research-center/malware/overlay-recent-apps-inspection)
          ◦ User leave tracking ⭐ (/mobile-app-security-research-center/malware/user-leave-tracking)
          ◦ Window punching ⭐, API ≤ 32 (up to Android 12L) (/mobile-app-security-research-center/malware/overlay-window-punching)
      • View injections (overlays)
          ◦ Secure in-app keyboard (/mobile-app-security-research-center/malware/secure-in-app-keyboard)
          ◦ Window punching ⭐, API ≤ 32 (up to Android 12L) (/mobile-app-security-research-center/malware/overlay-window-punching)
          ◦ Hide non-system overlays ⭐, API ≥ 31 (Android 12+) (/mobile-app-security-research-center/malware/hide-non-system-overlays)
          ◦ FWIO (MotionEvent.FLAG_WINDOW_IS_OBSCURED) ⭐, obscured-touch detection (/mobile-app-security-research-center/malware/obscure-touch-detection)
          ◦ FWIPO (MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) ⭐, API ≥ 29 (Android 10+), obscured-touch detection (/mobile-app-security-research-center/malware/obscure-touch-detection)

    Recommended defense tactics

    The defense algorithm varies depending on whether your application has the PACKAGE_USAGE_STATS privilege (the "Usage access" special permission, which must be declared in the manifest and granted by the user in Settings).

    For example:

      1. Check whether the app has PACKAGE_USAGE_STATS.
        1. If it does, use:
          1. Recent app inspection
          2. Window punching
        2. If it does not, use:
          1. Hide non-system overlays
          2. Window punching
    Note that in this example the coverage is partial: in the branch without PACKAGE_USAGE_STATS the only activity-injection defense is window punching, which works up to API 32 (Android 12L), so activity injections on newer Android versions (Android 13+) are not covered there.
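As an added example (not Guardsquare's code and not the page's own), the decision above can be implemented with public Android APIs as follows. It combines the PACKAGE_USAGE_STATS check, recent app inspection through UsageStatsManager, the API 31+ "hide non-system overlays" call, and the FWIO/FWIPO obscured-touch detection from the overview. Window punching is a Guardsquare technique whose implementation is not given on this page, so it is not shown. The class name OverlayDefense, the method names, and the 5-second inspection window are assumptions for illustration.

```java
// Added example, not the page's or Guardsquare's code. Class/method names are assumptions.
import android.app.Activity;
import android.app.AppOpsManager;
import android.app.usage.UsageEvents;
import android.app.usage.UsageStatsManager;
import android.content.Context;
import android.os.Build;
import android.os.Process;
import android.view.MotionEvent;
import android.view.View;
import android.view.Window;

public final class OverlayDefense {

    /** True if the user granted "Usage access" (PACKAGE_USAGE_STATS) to this app. */
    public static boolean hasUsageStatsAccess(Context ctx) {
        AppOpsManager appOps = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        int mode;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            mode = appOps.unsafeCheckOpNoThrow(AppOpsManager.OPSTR_GET_USAGE_STATS,
                    Process.myUid(), ctx.getPackageName());
        } else {
            mode = appOps.checkOpNoThrow(AppOpsManager.OPSTR_GET_USAGE_STATS,
                    Process.myUid(), ctx.getPackageName());
        }
        return mode == AppOpsManager.MODE_ALLOWED;
    }

    /**
     * Recent app inspection: the package whose activity most recently came to the
     * foreground within the last windowMs milliseconds, or null if no such event exists.
     * Requires PACKAGE_USAGE_STATS; without it the event stream is empty.
     */
    public static String lastForegroundPackage(Context ctx, long windowMs) {
        UsageStatsManager usm =
                (UsageStatsManager) ctx.getSystemService(Context.USAGE_STATS_SERVICE);
        long now = System.currentTimeMillis();
        UsageEvents events = usm.queryEvents(now - windowMs, now);
        UsageEvents.Event event = new UsageEvents.Event();
        String last = null;
        while (events.hasNextEvent()) {
            events.getNextEvent(event);
            int type = event.getEventType();
            boolean toForeground = (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q)
                    ? type == UsageEvents.Event.ACTIVITY_RESUMED
                    : type == UsageEvents.Event.MOVE_TO_FOREGROUND;
            if (toForeground) {
                last = event.getPackageName();
            }
        }
        return last;
    }

    /** While our sensitive screen is resumed, a different package on top means an activity injection. */
    public static boolean foreignActivityOnTop(Context ctx) {
        String top = lastForegroundPackage(ctx, 5_000L); // 5 s window is an assumption
        return top != null && !top.equals(ctx.getPackageName());
    }

    /** Hide non-system overlays (API 31+). Needs android.permission.HIDE_OVERLAY_WINDOWS in the manifest. */
    public static void hideNonSystemOverlays(Window window) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true);
        }
    }

    /** FWIO / FWIPO: drop touches that reached a sensitive view through another window. */
    public static void rejectObscuredTouches(View sensitive) {
        // Framework filter: discards touches when the window is fully obscured (FWIO).
        sensitive.setFilterTouchesWhenObscured(true);
        // Manual check that also covers partial obscuring (FWIPO, API 29+).
        sensitive.setOnTouchListener((v, ev) -> {
            int flags = ev.getFlags();
            boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                    && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
            // Returning true consumes (ignores) the suspicious touch; false lets the view handle it.
            return obscured || partiallyObscured;
        });
    }

    /** The decision procedure from the text, applied to an activity and its sensitive input view. */
    public static boolean applyDefenses(Activity activity, View sensitive) {
        boolean injectionSuspected = false;
        if (hasUsageStatsAccess(activity)) {
            injectionSuspected = foreignActivityOnTop(activity);   // recent app inspection
        } else {
            hideNonSystemOverlays(activity.getWindow());           // hide non-system overlays
        }
        rejectObscuredTouches(sensitive);                          // FWIO / FWIPO on the input
        return injectionSuspected;                                 // caller decides how to react
    }
}
```

Call applyDefenses() from the sensitive activity's onResume() and re-run foreignActivityOnTop() periodically while the screen is visible, since the inject is drawn after the target comes to the foreground. hasUsageStatsAccess() can return MODE_DEFAULT on some OEM builds, in which case fall back to a plain checkPermission() for android.permission.PACKAGE_USAGE_STATS. Note that setFilterTouchesWhenObscured() only handles fully obscured windows, which is why the listener checks FLAG_WINDOW_IS_PARTIALLY_OBSCURED separately.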
