Overlay attacks – what are they?

An overlay attack, also known as a screen overlay attack or overlaying, is a sophisticated cyber attack technique that involves placing a fake layer on top of the user interface of desktop and mobile applications, websites, and other platforms. This overlay can mimic the legitimate interface or be designed to appear transparent, tricking users into entering sensitive information such as bank card details or login credentials.

Overlaying can also be used to intercept user interactions, such as clicks and keystrokes, and to obtain additional privileges for the malicious application. Overlay attacks are therefore a specific type of clickjacking, a malicious tactic that manipulates user clicks to redirect them to unintended actions or websites.

Overlaying is frequently used in attacks on mobile devices. Because Android apps have the SYSTEM_ALERT_WINDOW permission by default, this mobile OS is considered especially vulnerable to overlay attacks, and cybersecurity experts therefore often refer to Android overlay attacks when discussing overlaying.

Android overlay attacks – why are they dangerous?

Android overlay attacks are often carried out by malware posing as harmless or useful mobile apps. This malware can be downloaded from official sources, such as the Google Play Store. One example is Godfather, a mobile banking trojan posing as Google Protect.

The real danger of Android overlay attacks is that users can fall victim to cybercrime without realizing it. Because the malware is designed to mimic legitimate software, it can remain undetected on a device for extended periods, quietly stealing sensitive data without arousing suspicion.

Techniques used in overlay attacks

Data harvesting

Data harvesting, or data theft, in overlay attacks refers to stealing sensitive information from a user’s device by overlaying a fake UI element on top of a legitimate app or system notification. The element is often an input screen with a button, creating the impression that the data will be sent to a legitimate resource.

When the user enters sensitive information, such as login credentials, credit card numbers, or personal identification information, into the fake UI element, the attacker captures the data and uses it for malicious purposes such as identity theft or financial fraud.

Malware delivery or backdoor

In this case, the overlay element is used to trick a user into downloading malware or to install a backdoor for malware delivery and updates. In most cases, the element is a button that looks like the legitimate one but triggers an action other than the intended one. For example, such a button may be labeled “Update” but, when clicked, enables downloading software from unknown sources.

Malware delivery in overlay attacks can be particularly effective because it often involves social engineering tactics, making users more likely to download and install the malware. Such multi-step attacks also allow adversaries to install malicious software on the targeted phone persistently.

Privilege escalation

Overlaying techniques are often used in the later stages of a cyber attack, when a threat actor has already infiltrated the infrastructure and needs to escalate privileges to take specific actions. In one example of such an attack, the overlay mimicked Android notifications and contained a button that triggered a malware installer. Once the malware was downloaded, it tricked the user into granting permissions that, in turn, enabled an account takeover.

How to protect against overlay attacks?

To protect yourself from overlay attacks, follow a few basic rules:

Download apps only from verified sources

Banking or other apps that require you to enter sensitive data should only be downloaded from the Google Play store or App Store, depending on your device’s operating system. In addition, avoid downloading apps from unknown sources that may contain malware.

Check app permissions with caution

Before downloading an app, carefully review its required permissions. If an app asks for unreasonable permissions, such as access to the camera or microphone, it is better not to install it.

Use antivirus software

Installing antivirus software on your smartphone or tablet is a good idea to monitor app performance and detect potential threats.

Keep your system and apps up to date

Regular updates to the operating system and apps help close security gaps and protect against new threats.

Watch out for fake windows

If an unexpected window or screen pops up while using a banking or other application, it’s a good idea to check if it’s genuine. This can be done, for example, by comparing the appearance with previous versions of the application or by contacting customer support.

Following the above rules helps minimize the risk of an overlay attack and protects against losing sensitive data.
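The rules above are aimed at end users; app developers have built-in Android mitigations as well. The following Kotlin is an added illustration, not code from Group-IB or from the article: it drops touches that arrive while another window is drawn over a sensitive button, and on Android 12+ asks the system to hide overlay windows. The class and function names (OverlayAwareButton, hardenSensitiveWindow, obscuredTouchCount) are this example's own.

```kotlin
import android.content.Context
import android.os.Build
import android.util.Log
import android.view.MotionEvent
import android.view.Window
import android.widget.Button

private const val TAG = "OverlayGuard"   // assumed log tag for this example

/**
 * A button for a sensitive action (e.g. confirming a transfer) that refuses
 * touches delivered while another app's window covers it. The framework sets
 * FLAG_WINDOW_IS_OBSCURED on the MotionEvent when a SYSTEM_ALERT_WINDOW
 * overlay covers the touched point, and (API 29+) FLAG_WINDOW_IS_PARTIALLY_OBSCURED
 * when an overlay covers only part of this window.
 */
class OverlayAwareButton(context: Context) : Button(context) {

    /** Touches dropped because the window was covered; worth reporting as telemetry. */
    var obscuredTouchCount = 0
        private set

    init {
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML:
        // the default filter discards touches flagged FLAG_WINDOW_IS_OBSCURED.
        filterTouchesWhenObscured = true
    }

    // Called for every touch before it is dispatched; returning false drops it.
    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val fullyObscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (fullyObscured || partiallyObscured) {
            obscuredTouchCount++
            Log.w(TAG, "Touch dropped: window obscured (full=$fullyObscured, partial=$partiallyObscured)")
            return false
        }
        return super.onFilterTouchEventForSecurity(event)
    }
}

/**
 * On Android 12 (API 31) and later a window can ask the system to hide
 * non-system overlay windows while it is visible. The app must declare the
 * normal-protection permission android.permission.HIDE_OVERLAY_WINDOWS.
 */
fun hardenSensitiveWindow(window: Window) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        window.setHideOverlayWindows(true)
    }
}
```

Call hardenSensitiveWindow(activity.window) in the onCreate of any screen that collects credentials or confirms payments, and use OverlayAwareButton for its confirm control.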

Does Group-IB provide solutions to protect against overlay attacks?

To protect your organization against overlay attacks, it’s crucial to have a complete view of the threats targeting your business. The Group-IB Threat Intelligence solution provides a threat landscape tailored to your specific company and helps you understand whether your organization is of interest to adversaries using overlay techniques.

Apart from that, our Threat Intelligence helps spot vulnerabilities in your company’s infrastructure, detect data leaks, detonate malware, and attribute attacks. The solution provides data to protect your organization on the strategic, operational, and tactical levels. Learn more about Group-IB Threat Intelligence on our website.

Group-IB Fraud Protection provides strong protection against overlay attacks. With advanced detection mechanisms, our system can pinpoint these malicious overlays. Our AI technology constantly monitors for unauthorized screen manipulations and suspicious application behavior. By using a combination of behavioral analytics, device fingerprinting, and malware detection, Group-IB Fraud Protection can detect overlay attacks in real time. This prevents fraudsters from intercepting sensitive user data or manipulating transactions.