Overlay Attacks Are Back
Overlay attacks are ramping up again. And there's not really much that you, as an app developer, can do about it.
Overlay attacks are all the rage today. They've been around for a few years, but they're becoming popular again as desktop systems are becoming more difficult to penetrate. And like most malware today, your users are the ones installing it.
These kinds of attacks have been hitting the Android ecosystem since early 2017. They had a lull in activity, but they're starting to ramp up again. And there's not really much that you, as an app developer, can do about it.
So how do they work?
Basically, an attacker places a transparent overlay above an app, captures the data typed into the overlay, and then submits that data to the form underneath it. Usually, the overlay uses a Toast window, a window type designed to float above other windows on the phone. In older versions of Android, this window type is missing two specific authority checks — a permissions check and an operations check. On Nougat or earlier, if an application attempts to display a Toast window, it is displayed without any checks, wherever the application wants it placed and with whatever attributes the application wants to use.
As you can imagine, this is a bit problematic. If you have installed a malicious application on your phone, that application can use this approach to steal credentials, install additional malware, and do just about anything else. To make matters worse, attackers can buy pre-configured overlays on the dark web to throw up in front of legitimate applications.
These attacks have changed a bit since Nougat, but they are still possible. Essentially, the key to these attacks post-Nougat is to clickjack via an overlay. For example, if you're a malicious developer and you've been able to get your app installed on a phone, you can bring up an innocuous-looking overlay on top of a device administrator dialog. You can then place a control on the overlay that asks for a user tap, and pass that tap down to the administrative dialog underneath. You can use this approach to give your app whatever permissions you'd like.
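The clickjacking path above only works if the app underneath accepts a touch that arrived while another window covered it. As an added defender-side example (not code from the article), here is the one hook Android does give developers for that case: `filterTouchesWhenObscured`, which makes the framework discard such touches, plus `MotionEvent.FLAG_WINDOW_IS_OBSCURED`, which lets the app log the attempt. The `SecureConfirmButton` class and its `ObscuredTouchListener` callback are hypothetical names chosen for this example.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * A button for sensitive actions (confirm a transfer, grant a privilege) that
 * refuses touches delivered while another window covers it.
 * Hypothetical class; added example, not code from the article.
 */
public class SecureConfirmButton extends Button {
    private static final String TAG = "SecureConfirmButton";

    /** Optional hook so the app can record or report the blocked touch. */
    public interface ObscuredTouchListener {
        void onObscuredTouch(MotionEvent event);
    }

    private ObscuredTouchListener obscuredTouchListener;

    public SecureConfirmButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML:
        // the framework drops touches that arrive while this view is obscured.
        setFilterTouchesWhenObscured(true);
    }

    public void setObscuredTouchListener(ObscuredTouchListener listener) {
        this.obscuredTouchListener = listener;
    }

    /**
     * Called by the framework before a touch reaches onTouchEvent(). The flag
     * is set by the system when another window overlapped this view at the
     * touch location, which is exactly the overlay clickjacking case.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured && event.getAction() == MotionEvent.ACTION_DOWN) {
            // Repeated obscured touches on a sensitive control are a signal
            // worth surfacing to the user or to backend telemetry.
            Log.w(TAG, "Dropped touch delivered through an overlay");
            if (obscuredTouchListener != null) {
                obscuredTouchListener.onObscuredTouch(event);
            }
        }
        // super applies the filterTouchesWhenObscured policy and returns false
        // for obscured touches, so the click listener never fires.
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

This only protects touches aimed at your own views; it does nothing when the overlay captures the keystrokes itself and submits them, which is why the author's point stands.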
The best defense? An updated device. The best way to defend your customers? Hope.
Opinions expressed by DZone contributors are their own.