At my current work, I am working with Android devices to detect overlays. The reason for this research is a set of current attacks that abuse the Android SDK to deceive the user and trick them into giving more permissions to a malicious app. The attacks are named Cloak & Dagger, and I recommend watching the YouTube videos on the linked page for an idea of how the attacks work.
Anyway, the attacks use and abuse the “Draw on top” permission of apps. This permission is used by a lot of apps for different use cases. Facebook has those chat heads that show contacts on top of all apps.
There is also the Twilight app which uses an overlay over the whole screen. So, there are a lot of legitimate uses for overlays.
The problem is that overlays are very flexible, and you can use them to:
- Track touches on the screen (e.g. record keystrokes, passwords)
- Make the user click on any button
- Prevent the user from clicking a button (e.g. “uninstall button”)
- Block the screen and ask for money to unlock (so-called ransomware)
Google introduced some security measures to ensure that such attacks won’t work, such as a more restrictive permission model. From Android 6 on, users have to explicitly enable this feature for every app. Of course, once this permission has been given, it is difficult to undo.
The Cloak & Dagger attacks demonstrate how easy it is to escalate permissions once an overlay is available. As long as Google does not improve the API, the question remains: how can attacks on apps be detected or prevented?
At the end of the day, it is an issue that Google could easily solve, and it is only a matter of time until they recognize the problem and offer a solution. The API already offers some solutions, but these are reserved for system apps (called “privileged”):
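One thing an app can do today, without any privileged API, is defend its own sensitive UI against touches that arrive through an overlay. The following Activity is an added example and not code from the original post; the class, layout and view ids are assumed, while the framework calls it uses (View.setFilterTouchesWhenObscured, MotionEvent.FLAG_WINDOW_IS_OBSCURED, MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) are public Android APIs. It combines the mitigation (the framework drops touches delivered while the view is covered) with detection (the touch flags are inspected and logged), which is the app-side answer to the tapjacking and “make the user click any button” cases listed above.

```java
// Added example (not from the original post): protecting a sensitive button
// against touches that arrive through an overlay window.
// Assumed: package name, layout activity_confirm_payment and view id btn_confirm.
package com.example.overlaydefense;

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ConfirmPaymentActivity extends Activity {
    private static final String TAG = "OverlayDefense";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_confirm_payment); // assumed layout
        Button confirm = findViewById(R.id.btn_confirm);   // assumed view id

        // Mitigation: the framework discards any touch delivered to this view
        // while another window is drawn over it. Equivalent to
        // android:filterTouchesWhenObscured="true" in the layout XML.
        confirm.setFilterTouchesWhenObscured(true);

        // Detection: inspect the touch flags ourselves so the event can be
        // logged and handled (e.g. shown to the user) instead of silently dropped.
        confirm.setOnTouchListener((v, event) -> {
            if (isObscured(event)) {
                Log.w(TAG, "touch on sensitive button delivered through an overlay; ignoring");
                return true;  // consume the event so no click is generated
            }
            return false;     // genuine touch, let the button handle it
        });

        confirm.setOnClickListener(v -> Log.i(TAG, "payment confirmed by an unobscured tap"));
    }

    /**
     * True if another window covered this view, fully or (on Android 10+)
     * partially, at the moment the touch was dispatched.
     */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }
}
```

Note that the obscured flags are set by the window manager for any window on top of the view, including legitimate ones such as chat heads or a screen-dimming overlay, so a detection hit means “a touch passed through some overlay”, not “this app is under attack”; treating it as a reason to refuse the click and ask the user to retry without the overlay is the usual choice for payment or permission-granting screens.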
- The permission is called MANAGE_APP_OPS_RESTRICTIONS and is a privileged permission, which means that only (preinstalled) system apps can use it.
- The above permission can be used to call the AppOpsManager.setUserRestriction() method to allow or disallow overlays.
- See the AOSP source code for the “Settings” app to see how this is implemented (or the Google code here).
- You can see how this works if you have an overlay and open the permissions page for any app. The overlays will disappear while the activity is open, and reappear after you close it.
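The restriction API itself is privileged, but the state it controls can be read from an ordinary app: every installed package that requested SYSTEM_ALERT_WINDOW can be listed, and AppOpsManager reports whether the user actually granted the “draw on top” op to it. The helper below is an added example, not code from the original post or from AOSP; the class name is assumed, and it uses only public APIs (PackageManager.getInstalledPackages with GET_PERMISSIONS, AppOpsManager.checkOpNoThrow with OPSTR_SYSTEM_ALERT_WINDOW, available from Android 6). It is the kind of audit a device-management or security app can run to show the user which apps currently hold overlay rights.

```java
// Added example (not from the original post): list installed apps that request
// the "draw on top" permission and whether the overlay op is currently allowed.
// Assumed: package name and class name; the Android APIs used are public.
package com.example.overlaydefense;

import android.Manifest;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;

import java.util.ArrayList;
import java.util.List;

public final class OverlayAudit {

    /** One audit row: a package that requests SYSTEM_ALERT_WINDOW and its current op mode. */
    public static final class Entry {
        public final String packageName;
        public final boolean allowed;

        Entry(String packageName, boolean allowed) {
            this.packageName = packageName;
            this.allowed = allowed;
        }

        @Override
        public String toString() {
            return packageName + (allowed ? " [overlay ALLOWED]" : " [overlay not allowed]");
        }
    }

    private OverlayAudit() {}

    /** Returns every installed package that declares SYSTEM_ALERT_WINDOW, with its AppOps state. */
    public static List<Entry> auditOverlayApps(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        AppOpsManager ops = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        List<Entry> result = new ArrayList<>();

        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (pi.requestedPermissions == null || pi.applicationInfo == null) continue;

            boolean requestsOverlay = false;
            for (String perm : pi.requestedPermissions) {
                if (Manifest.permission.SYSTEM_ALERT_WINDOW.equals(perm)) {
                    requestsOverlay = true;
                    break;
                }
            }
            if (!requestsOverlay) continue;

            // MODE_ALLOWED means the user enabled "draw on top" for this app;
            // anything else (MODE_IGNORED, MODE_ERRORED, MODE_DEFAULT) means it
            // cannot currently create TYPE_APPLICATION_OVERLAY windows.
            int mode = ops.checkOpNoThrow(AppOpsManager.OPSTR_SYSTEM_ALERT_WINDOW,
                    pi.applicationInfo.uid, pi.packageName);
            result.add(new Entry(pi.packageName, mode == AppOpsManager.MODE_ALLOWED));
        }
        return result;
    }
}
```

Two caveats for anyone running this: on Android 11 and later, package visibility filtering means getInstalledPackages only returns packages your app is allowed to see (declare QUERY_ALL_PACKAGES, or the specific queries, for a complete audit), and on Android 6 and 7 some apps installed from the Play Store were granted the overlay op automatically, so an ALLOWED entry does not always mean the user consciously enabled it.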
Maybe we, as a community, can pressure Google into making that specific API public.