Nov 5, 2011

Android Overlay Protector | GeeksOnSecurity

How can we prevent overlay attacks efficiently?

Android market share has now reached almost 75% (source) of the estimated total number of smartphones. Because of this, criminals are focusing more and more on this platform, also profiting from the weak permission management implemented in Android.

The issue we are trying to address with this product is called "Application Overlay" and permits an attacker to draw on top of any window and application running on the infected device. First, malicious applications monitor which applications are started by the user on the infected system. Next, once they have detected a sensitive application (eBanking, VPN, ...), the malware redraws an exact login screen on top of the legitimate one. The user is unable to distinguish the fake from the original and enters the credentials in the wrong dialog. The malware generally uploads the stolen credentials to its Command & Control server. To learn more about how this vulnerability works, check the articles in the press section.

Overlay attacks have been known since 2011 and affect all Android versions up to Android 5.1.0, where the GET_TASKS permission was made ineffective. According to the Android distribution of August 2015 shown in the chart below, around 97.4% of devices are affected!
Nevertheless, cyber attackers have found different ways to monitor running processes, for example using UsageStatsManager, AccessibilityService or by parsing /proc/*/oom_score. Others may simply show a fake view to the user at random times, without monitoring the foreground application at all.

To avoid such attacks, our application constantly monitors every user-interface (UI) change happening on the device. Our detection engine then checks whether the view element drawn on the screen comes from the same package as the legitimate application started by the user. If it does not, our application will warn you about it and let you decide whether you want to whitelist the potentially malicious application or uninstall it. But be careful: not every application which uses this feature wants to steal your data. For example, the Facebook Messenger application uses it to draw the "chat heads" on top of the screen. more on the website...
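The detection idea described above (compare the package that just drew UI against the package the user actually brought to the foreground, and skip a user-maintained whitelist), as an added example that is not the GeeksOnSecurity product's code. It assumes an AccessibilityService registered in the manifest for window events, the PACKAGE_USAGE_STATS permission granted in Settings, API 22 or later for UsageStatsManager, and a constructed whitelist of two packages.

```java
import android.accessibilityservice.AccessibilityService;
import android.app.usage.UsageEvents;
import android.app.usage.UsageStatsManager;
import android.content.Context;
import android.util.Log;
import android.view.accessibility.AccessibilityEvent;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: warns when a package other than the foreground app draws a window. */
public class OverlayWatchService extends AccessibilityService {
    // Constructed whitelist: system UI and the keyboard legitimately draw over apps;
    // a chat-heads style messenger would be added here once the user whitelists it.
    private final Set<String> whitelist = new HashSet<>(Arrays.asList(
            "com.android.systemui", "com.google.android.inputmethod.latin"));

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        int type = event.getEventType();
        if (type != AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED
                && type != AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED) return;
        CharSequence pkg = event.getPackageName();
        if (pkg == null) return;
        String drawer = pkg.toString();           // package whose view was just drawn
        String foreground = foregroundPackage();  // app the user actually opened
        if (foreground == null || drawer.equals(foreground)
                || drawer.equals(getPackageName()) || whitelist.contains(drawer)) return;
        // A third package drew on top of the user's app: surface this to the user
        // so they can whitelist it (e.g. chat heads) or uninstall it.
        Log.w("OverlayWatch", "Overlay suspected: " + drawer + " drew over " + foreground);
    }

    /** Last package moved to the foreground in the past minute, per UsageStatsManager. */
    private String foregroundPackage() {
        UsageStatsManager usm =
                (UsageStatsManager) getSystemService(Context.USAGE_STATS_SERVICE);
        if (usm == null) return null;
        long now = System.currentTimeMillis();
        UsageEvents events = usm.queryEvents(now - 60_000, now);
        UsageEvents.Event e = new UsageEvents.Event();
        String last = null;
        while (events.hasNextEvent()) {
            events.getNextEvent(e);
            if (e.getEventType() == UsageEvents.Event.MOVE_TO_FOREGROUND) last = e.getPackageName();
        }
        return last;
    }

    @Override
    public void onInterrupt() { }
}
```

On a normal app switch the accessibility event and the usage-stats foreground record can arrive in either order, so a real detector debounces for a short interval before warning; the whitelist decision the text describes would be persisted instead of held in memory.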


Screen Overlay Detected, what can I do?