The increased popularity of digital transactions is a double-edged sword in some ways. While the convenience it offers is beyond question, fraud on mobile channels has also grown to worrying levels. In Singapore, for instance, police have revealed that e-commerce and investment scams accounted for nearly SG$500 billion in losses between 2021 and 2022. One reason for this has been the dramatic rise of screen overlay attacks as a top attack vector for mobile fraud. While common in web apps for years, screen overlay attacks have more recently grown into a major threat to mobile apps.
What are screen overlay attacks?
A screen overlay attack is an attack method in which part of the application screen is covered by a fake (malicious) screen that the user is tricked into clicking on or interacting with. There are a vast number of variants of overlay attacks. However, in all overlay attacks, the user thinks they are interacting with a legitimate app or service, but they are, in actuality, interacting with the overlay screen controlled by the attacker.
How screen overlays are used to attack mobile apps
Screen overlay attacks depend on deceiving users into clicking or interacting with a counterfeit, malicious screen. Unaware of the hidden danger, users assume the presented screen is authentic and continue their activities. The objectives of an overlay attack may differ, but they generally strive to enhance the attack’s credibility and effectiveness through various techniques.
- Data harvesting/data theft
Data harvesting is a type of attack that frequently utilises screen overlays to enhance its effectiveness. There are multiple methods to steal or harvest data from mobile apps, and the addition of a screen overlay undoubtedly amplifies the success of such attempts. In this particular variant of the attack, the assailant obscures a section of the input screen in a mobile application with a deceptive button or screen that closely resembles the legitimate target app. The intention is to deceive the user into providing sensitive information, such as banking credentials, PIN codes, or answers to security questions. The attack capitalises on creating a false impression that user data is being transmitted to a trusted site, when in reality, it is being sent directly to the attackers.
- Malware delivery and backdoors
Screen overlay attacks can also be used in attacks where the goal of the attacker is to infiltrate a sensitive system or to implement a ‘backdoor’ through which they can later deliver or update malware. In this attack method, stealing information may not be the immediate goal for the fraudster. Instead, they may try to create an open, unchecked channel for a ‘command and control’ (C&C) server to communicate with existing malware on the user’s device, or to deliver updated malware payloads via a trojan dropper. Regardless of the objective, these types of attacks typically aim to abuse legitimate mobile OS or developer-level features by tricking users into enabling these powerful features for purposes other than those intended. In practice, they deceive users into switching on these services by concealing part of the screen or making the user think they are clicking a different button. The attacker or malware then exploits the actual service for malicious purposes, usually without the user’s knowledge. We have seen this with the Android OS setting that permits installing apps from outside the Google Play store, including programs that are neither trustworthy nor safe.
The attack enables the fraudster to overlay a counterfeit button onto a genuine one, deceiving users into enabling “Allow Unknown Sources” on an Android device. Attackers are also known to exploit unsuspecting victims by disguising an app that the user had previously downloaded. This multi-tiered approach may commence by tricking users into enabling Android Unknown Sources, followed by a mobile app permission request that facilitates the download or installation of other apps on behalf of the mobile user. Such a combination would grant the attacker the ability to persistently install malware on the user’s phone. These malware capabilities would remain enabled and active until explicitly disabled.
- Privilege escalation
Overlay attacks have also been known to be used to escalate administrative privileges, as well as a means for malicious actors to gain remote control capabilities for themselves. Through deception, mobile users are tricked into enabling powerful functions such as Accessibility Services or granting dangerous mobile app permissions to a malicious app running in the background.
A notable real-world example is how threat actors exploited the “Android Toast Notifications” function, which was uncovered by Palo Alto Networks. The attackers gained an understanding of the trigger conditions, screen location, and duration of toast notifications. They used that knowledge to superimpose a fake, malicious button on top of the real toast notification, as the real notification was concealed from view. When the user clicked on the fake toast notification, it triggered a malware installer, which then deceived the user into granting it a range of dangerous permissions. These permissions can be used by the malware to carry out an account takeover.
Protection rests on prevention
A key reason behind the risk posed by application overlay attacks is that they are incredibly difficult to detect if users are not familiar with the tactics employed by threat actors. The speed at which attackers move also means unsuspecting users within enterprise environments may have unknowingly disclosed sensitive information and encountered device lockouts before realising an attack was under way.
It is unsurprising, therefore, that the proliferation of on-device malware and mobile fraud has seen exponential growth in recent times, emerging as two of the most significant concerns for mobile users. In a recent survey conducted by Appdome, 83.9% of Singapore respondents indicated that protection against fraud and malware was equally or more important than new mobile app features. Businesses should pay heed to this trend.
Ultimately, preventing mobile fraud in enterprise environments necessitates a proactive approach to implementing robust mobile app security, anti-fraud, and anti-malware measures across Android and iOS apps, utilising cyber defence automation tools. Empowering developers within the enterprise setting to identify vulnerabilities and swiftly incorporate preemptive protections into mobile apps will ensure a resilient defence against attempts to exploit them for mobile fraud.
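As an added illustration of the kind of preemptive, in-app protection the article calls for, the following Android snippet shows the platform's own tapjacking defences applied to a sensitive control. This is example code written for this page, not code from the article or from Appdome; the class name OverlayAwareButton and the helper applyActivityOverlayDefences are assumptions. It relies on three real Android APIs: View.setFilterTouchesWhenObscured, which makes the framework drop touches that arrive while another app's window covers the view; MotionEvent.FLAG_WINDOW_IS_OBSCURED / FLAG_WINDOW_IS_PARTIALLY_OBSCURED, which let the app observe such touches and record telemetry; and Window.setHideOverlayWindows (Android 12 and later, requiring the normal-level permission android.permission.HIDE_OVERLAY_WINDOWS in the manifest), which hides non-system overlay windows while a sensitive screen is shown.

```java
// Added example, not from the original article: an Android button that
// refuses touch input delivered while an overlay from another app covers it,
// plus an Activity-level helper that hides overlay windows on Android 12+.
// OverlayAwareButton and applyActivityOverlayDefences are names chosen here.
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import androidx.appcompat.widget.AppCompatButton;

public class OverlayAwareButton extends AppCompatButton {
    private static final String TAG = "OverlayAwareButton";

    public OverlayAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Platform tapjacking guard: the framework discards touch events that
        // arrive while a window from another app is drawn over this view.
        setFilterTouchesWhenObscured(true);
    }

    // Called by the framework before a touch is dispatched. Returning false
    // drops the event. Checking the flags explicitly lets the app log the
    // attempt instead of silently ignoring it.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean fullyObscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (fullyObscured || partiallyObscured) {
            // Defensive telemetry: a touch reached a sensitive control while
            // something else was drawn on top of it. Feed this to the app's
            // fraud-monitoring pipeline rather than acting on the touch.
            Log.w(TAG, "Touch rejected: window obscured by another app's overlay");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    // Hides overlay windows from non-system apps while this Activity is in the
    // foreground (Android 12+). Requires <uses-permission
    // android:name="android.permission.HIDE_OVERLAY_WINDOWS"/> in the manifest.
    public static void applyActivityOverlayDefences(Activity activity) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            activity.getWindow().setHideOverlayWindows(true);
        }
    }
}
```

Call OverlayAwareButton.applyActivityOverlayDefences(this) from onCreate of any Activity that collects credentials, PINs or security answers, and use the button class for the control that submits them. Note that these flags only reflect windows the platform considers untrusted; they do not replace server-side fraud controls, and on versions before Android 12 the app itself must still decide how to react when an obscured touch is reported.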