Mobile Overlay Attacks a Hot Underground Commodity

Mobile overlay attacks are a highly trafficked commodity on the underground today as attackers, stunted by improvements in browser protections on the desktop, are swaying toward stealing credentials, banking information, and other personal information primarily from Android devices.

Some Russian-speaking marketplaces sell hundreds of overlays—which are sometimes conflated with injection attacks—that are configured to run on top of legitimate applications and steal user inputs for anything including banking apps, social media, email, e-commerce, and payment applications and websites.

Overlays differ from webinjects in that a malicious application is drawn over other applications. This is in contrast to an injection attack where a threat actor supplies additional information, such as a piece of code, query, or an object, to secretly change the outcome of the legitimate process.

In either case, the user believes they are interacting with a legitimate application, while in fact they could be, for example, granting excessive device permissions to third-party applications, or entering credentials and personal data that is stolen by the attacker.

Android devices are particularly at risk for overlay attacks because of a permission called SYSTEM_ALERT_WINDOW, a system privilege that permits apps to draw over others. In later versions of Android, overlays are known as Toasts, which are objects that can be used to display brief alerts from legitimate applications over the home screen or running applications.

Attackers have found Toasts useful, most notably in 2017’s so-called Cloak and Dagger attacks uncovered by Palo Alto Networks; the attacks were also based upon academic research conducted by researchers at Georgia Tech University and UC Santa Barbara. The Cloak and Dagger attacks were used to trick users into enabling the Android Accessibility Service, granting the malicious app carrying out the attack administrator privileges. With such powerful privileges on the device, an attacker can launch a number of different attacks including mobile ransomware or the installation of other malicious apps.

Overlay attacks are also exacerbated by a relatively new methodology known as tapjacking, which uses the Android Toast functionality. Unlike traditional Android malware, tapjacking malware does not need to request any elevated system privileges, making it particularly dangerous. Tapjacking masks the requests behind the user’s ordinary interaction with the device by presenting itself as a legitimate app and tricking users into granting it various system privileges and providing user information. As such, a user could be granting privileges by simply clicking on apps they believe to be legitimate.

Bolstered by this and other similar attacks, threat actors on the underground appear motivated to develop more overlay attacks and feed this market. One highly trafficked Russian-language forum includes posts from a pair of actors offering close to 200 overlays for legitimate banking, payment and other similar types of applications. A recent post included a fresh set of overlays that can be run using a Toast overlay to trick victims into providing attackers with sensitive login and financial credentials.

While later versions of Android include patches that mitigate the risk posed by malicious use of Toasts for overlay attacks, the overall Android ecosystem isn’t conducive to timely updating of devices. According to the Android Developers Dashboard, only 7.5 percent of Android devices are running version 8.1 of the operating system, which is the latest version of Android “Oreo.” The majority of users (45.6 percent) are running devices between versions 5.1 (Android “Lollipop”) through 7.0 (Android “Nougat”)—a full three versions in arrears in some cases. This contributes to a wildly erratic and insecure Android ecosystem in many cases, beyond its susceptibility to overlay attacks.

Assessment

Threat actors’ migration toward targeting mobile devices is being accelerated by the effectiveness of overlay attacks. This is being reflected in an increasing number of posts on the subject in underground forums offering new overlays on a regular cadence. It’s also being enabled by a continually out-of-date Android ecosystem running older versions of the operating systems that lack mitigations that impede overlay attacks. Overlay attacks are particularly effective because they don’t require a vulnerability in a banking application, for example; instead, the attacker exploits the victim’s device. Whereas applications containing sensitive financial information such as banking or e-commerce applications are generally highly secure and updated to defend against the latest security vulnerabilities, if a victim downloads a malicious application capable of conducting an overlay injection attack, the attacker will have negated the security protections in place on the targeted application. To help mitigate against threat actors using Android injection attacks, Flashpoint recommends updating all Android devices to the latest Android release (Pie as of this writing), as all Android devices running versions earlier than Oreo (version number 8.0) are susceptible to this attack methodology. Furthermore, Flashpoint suggests changing the Android setting “filterTouchesWhenObscured” to “true,” as this setting will then disregard any user input or activity when the system detects that an overlay is running.