Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services 2019
DOI: 10.1145/3307334.3326094

Understanding and Detecting Overlay-based Android Malware at Market Scales

Cited by 26 publications
(17 citation statements)
References 21 publications
“…The sensitive system services that do have the signature permissions then check such settings to determine whether a requesting app is entitled to have access to such sensitive permission-protected information. We also note that not only is it possible to access information protected by these signature-level permissions, but that many real-world apps (both benign and malicious) currently use them [20], [35], [5]. Thus, since third-party applications may require some of these permissions, we believe it is appropriate to consider them within our threat model.…”
Section: Threat Model (mentioning)
confidence: 99%
“…Hence, the only available attack vector for the malware is to rely on the APIs protected by the well known BIND_ACCESSIBILITY_SERVICE permission (a11y) [12]. As it is possible to see, some sophisticated malware like Bankosy, Cepsohord, and MysteryBot started moving from the a11y towards exploiting vulnerable APIs protected by the PACKAGE_USAGE_STATS [20], [35], [5]. This transition might also be forced by the fact that Google is going to remove all the applications using the BIND_ACCESSIBILITY_SERVICE permission for anything except helping disabled users [8].…”
Section: A Peculiarity Of Phishing Applications (mentioning)
confidence: 99%
“…An overlay is a feature of user interfaces: A mobile app is able to place an additional view layer over another app's view layer [16], [17]. With the overlay feature, interacting with multiple opened apps at the same time shall become more comfortable for the user [18]. However, an overlay is able to intercept user input such as key events that was originally intended for the underlying view (other app).…”
Section: Clickjacking: Tabjacking (mentioning)
confidence: 99%
“…It is worth noting that the trojan is not scanning the banking app's view to copy its appearance. In fact, the view appearance was predefined during trojan creation [18].…”
Section: Clickjacking: Tabjacking (mentioning)
confidence: 99%