Request pricing
En
    Request pricing

    Login

      UI injection attacks

      Android overlay attacks split in two major categories:

      • Activity injections
      • View injections (also known as Overlays)

      Activity injections

      Activity injections are acts of inserting unauthorized activities above the legitimate app to capture sensitive information or mislead the user.

      An example of an activity injection would be a banking trojan app displaying, on top of a target application, a layer that mimics its login screen. This type of malware usually synchronizes with a server to download layout replicas of legitimate apps that are installed on the same device. These replicas are usually known as “injections'' or “injects”. This malware then constantly tracks which application is being executed, and whenever it detects one of its targets, an overlay (e.g., a login screen) is drawn at the right moment. An example is shown below. When the user enters their credit card information, it is actually being entered on the layer controlled by the malware and is subsequently stolen by the malicious actor.

      Example of an activity injection_URL-attacksoverlay-attacks_SRC

      Example of an activity injection to steal payment information 

      A malicious activity is started through an intent. This activity usually contains a web view which will be loaded with the data received from the command-and-control server. Here's how an activity injection can be done:

      Intent intent = new Intent(this, MaliciousActivityInjectionActivity.class); intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); intent.addFlags(Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS); intent.addFlags(Intent.FLAG_ACTIVITY_NO_HISTORY); startActivity(intent);

      View injections

      View injections are acts of inserting additional views or UI elements into an app to capture sensitive information or mislead the user. These additional views or UI elements are also known as overlays.

      For overlays, a view is generated as a result of inflating a layout and adding to the window manager together with specific parameters to determine the nature of the window that will be placed on top of the target app.

      Here's how a view injection can be done:

      WindowManager.LayoutParams params = new WindowManager.LayoutParams( WindowManager.LayoutParams.MATCH_PARENT, WindowManager.LayoutParams.MATCH_PARENT, WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY, WindowManager.LayoutParams.FLAG_FULLSCREEN, PixelFormat.TRANSLUCENT); LayoutInflater li = (LayoutInflater) getSystemService(LAYOUT_INFLATER_SERVICE); View view = li.inflate(R.layout.target_overlay, null); windowManager.addView(view, params);

      Defense techniques overview

      --- title: Spying on users' data with overlays --- graph TD all[All malware attacks] --> steal_screen click all href "/mobile-app-security-research-center/malware/overview" "Malware overview" steal_screen[Spy on users' screen] steal_screen --> activity_injection[Activity injections] steal_screen --> view_injection[View injections aka Overlays] activity_injection --> activity_java[Java layout] activity_injection --> activity_webview[WebView] activity_java --> activity_inspect([Inspect recent apps ⭐]) activity_webview --> activity_inspect view_injection --> secure_keyboard([Secure in-app keyboard]) view_injection --> view_api31{API Level < 31?} view_api31 -- No (Android 12+) --> non_system([Hide non-system overlays ⭐]) view_api31 -- Yes --> view_api29{API Level < 29?} view_api29 -- No (Android 10+) --> view_solutions_29_plus([Solutions]) view_api29 -- Yes --> view_solutions_29([Solutions]) view_solutions_29 --> punching([Window punching ⭐]) view_solutions_29 --> fwio([`FLAG_WINDOW_IS_OBSCURED`]) view_solutions_29_plus --> punching view_solutions_29_plus --> fwipo([`FLAG_WINDOW_IS_PARTIALLY_OBSCURED`]) style activity_inspect fill:lightgreen style punching fill:lightgreen style non_system fill:lightgreen style fwipo fill:lightgreen style fwio fill:lightgreen style secure_keyboard fill:lightgreen click punching href "/mobile-app-security-research-center/malware/overlay-window-punching" "Window punching" click activity_inspect href "/mobile-app-security-research-center/malware/overlay-recent-apps-inspection" "Recent apps inspection" click non_system href "/mobile-app-security-research-center/malware/hide-non-system-overlays" "Overlay hide non-system overlays" click fwipo href "/mobile-app-security-research-center/malware/obscure-touch-detection" "Obscure touch" click fwio href "/mobile-app-security-research-center/malware/obscure-touch-detection" "Obscure touch" click secure_keyboard href "/mobile-app-security-research-center/malware/secure-in-app-keyboard" "Secure in-app keyboard"

      Recommended defense tactics

      The defense algorithm varies depending on whether your application has the PACKAGE_USAGE_STATS privilege.

      For example:

        1. Check whether the app has PACKAGE_USAGE_STATS.
          1. If it does, use:
            1. Recent app inspection
            2. Window punching
          2. If it does not, use:
            1. Hide non-system overlays
            2. Window punching
      Note that in this example, the coverage is partial with a gap of activity injection on Android 12+

      Guardsquare

      Table of contents