Tapjacking is an ‘exploit’ that uses overlays on Android to display an attractive page or fake UI that tricks users into downloading malicious apps, visiting unwanted sites, etc.
It was widely used from around 2012 until Android Marshmallow arrived with permissions and stopped letting you interact with dialogues while a screen overlay is detected.
But ‘iwo’ on GitHub has uploaded a sample project that demonstrates a new way of tapjacking, one that uses toast views to cover the text on the permissions dialogue.
What’s tricky is that toast views display only for a set amount of time and then disappear. This has been solved by using a timer, a tool provided by the Android SDK, that makes the toast reappear right about when the previous one disappears, creating a static image. An end user is easily tricked into tapping allow, thus giving malicious code access to the device’s resources.
Normal Permission Dialogue
Dialogue With The Toast Covering It
Images: iwo/GitHub
So that’s how simply the illusion is created and the user is fooled into doing what the maker of the app wants.
Another such vulnerability was reported by iwo in May 2015 but it was overlooked and so were the patches that he submitted to AOSP. You can go and check the app/code out here and look into other projects by iwo here.
So let’s hope Google takes this seriously and a fix is included in the patch.
That’s all for this post. Hoping you enjoyed it.
Stay tuned for more, I’ll be back later.
Demolasher36, signing out for now.