Android overlay attacks split in two major categories:
- Activity injections
- View injections (also known as Overlays)
Activity injections
Activity injections are acts of inserting unauthorized activities above the legitimate app to capture sensitive information or mislead the user.
An example of an activity injection would be a banking trojan app displaying, on top of a target application, a layer that mimics its login screen. This type of malware usually synchronizes with a server to download layout replicas of legitimate apps that are installed on the same device. These replicas are usually known as “injections'' or “injects”. This malware then constantly tracks which application is being executed, and whenever it detects one of its targets, an overlay (e.g., a login screen) is drawn at the right moment. An example is shown below. When the user enters their credit card information, it is actually being entered on the layer controlled by the malware and is subsequently stolen by the malicious actor.
Example of an activity injection to steal payment information
A malicious activity is started through an intent. This activity usually contains a web view which will be loaded with the data received from the command-and-control server. Here's how an activity injection can be done:
Intent intent = new Intent(this, MaliciousActivityInjectionActivity.class);
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.addFlags(Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS);
intent.addFlags(Intent.FLAG_ACTIVITY_NO_HISTORY);
startActivity(intent);
View injections
View injections are acts of inserting additional views or UI elements into an app to capture sensitive information or mislead the user. These additional views or UI elements are also known as overlays
.
For overlays, a view is generated as a result of inflating a layout and adding to the window manager together with specific parameters to determine the nature of the window that will be placed on top of the target app.
Here's how a view injection can be done:
WindowManager.LayoutParams params = new WindowManager.LayoutParams(
WindowManager.LayoutParams.MATCH_PARENT,
WindowManager.LayoutParams.MATCH_PARENT,
WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
WindowManager.LayoutParams.FLAG_FULLSCREEN,
PixelFormat.TRANSLUCENT);
LayoutInflater li = (LayoutInflater) getSystemService(LAYOUT_INFLATER_SERVICE);
View view = li.inflate(R.layout.target_overlay, null);
windowManager.addView(view, params);
Defense techniques overview
---
title: Spying on users' data with overlays
---
graph TD
all[All malware attacks] --> steal_screen
click all href "/mobile-app-security-research-center/malware/overview" "Malware overview"
steal_screen[Spy on users' screen]
steal_screen --> activity_injection[Activity injections]
steal_screen --> view_injection[View injections aka Overlays]
activity_injection --> lati(["`Last activity time
*API ≥ 29 (Android 10+)*`"])
activity_injection --> rai(["Recent activity
*PACKAGE_USAGE_STATS*"])
activity_injection --> ult(["User leave tracking ⭐"])
activity_injection --> punching
view_injection --> secure_keyboard([Secure in-app keyboard])
view_injection --> punching(["`Window punching ⭐
*API ≤ 32 (Android 12)*`"])
view_injection --> non_system(["`Hide overlays ⭐
*API ≥ 31 (Android 12+)*`"])
view_injection --> fwio(["`FWIO ⭐`"])
view_injection --> fwipo(["`FWIPO ⭐
*API ≥ 29 (Android 10+)*`"])
style punching fill:lightgreen
style non_system fill:lightgreen
style fwipo fill:lightgreen
style fwio fill:lightgreen
style secure_keyboard fill:lightgreen
style lati fill:lightgreen
style rai fill:lightgreen
style ult fill:lightgreen
click punching href "/mobile-app-security-research-center/malware/overlay-window-punching" "Window punching"
click activity_inspect href "/mobile-app-security-research-center/malware/overlay-recent-apps-inspection" "Recent apps inspection"
click non_system href "/mobile-app-security-research-center/malware/hide-non-system-overlays" "Overlay hide non-system overlays"
click fwipo href "/mobile-app-security-research-center/malware/obscure-touch-detection" "Obscure touch"
click fwio href "/mobile-app-security-research-center/malware/obscure-touch-detection" "Obscure touch"
click secure_keyboard href "/mobile-app-security-research-center/malware/secure-in-app-keyboard" "Secure in-app keyboard"
click ult href "/mobile-app-security-research-center/malware/user-leave-tracking" "User leave tracking"
click lati href "/mobile-app-security-research-center/malware/last-activity-time-inspection" "Secure in-app keyboard"
Recommended defense tactics
The defense algorithm varies depending on whether your application has the PACKAGE_USAGE_STATS
privilege.
For example:
-
- Check whether the app has PACKAGE_USAGE_STATS.
- If it does, use:
- Recent app inspection
- Window punching
- If it does not, use:
- Hide non-system overlays
- Window punching
Note that in this example, the coverage is partial with a gap of activity injection on Android 12+