Description

Overlays are GUI elements of another application laid over the GUI of the protected app. Helpful overlays exist for purposes such as improving accessibility, or signaling new messages on an email app.

However, if an overlay replaces elements such as the username and password inputs, it can be used to steal credentials or even to trick users into entering arbitrary data into a malware app, because the users believe they are still in the app they originally started.

Other examples of potentially malicious use of overlays are keystroke logging and key injection. When this detection raises an alert, it has identified an overlay together with an additional indicator, such as an outgoing connection to command and control servers. Most of today's malware that targets specific apps for keylogging, SMS interception, or overlaying abuses the Android accessibility service.

Verimatrix malware detection identifies the names of the apps that abuse the accessibility API on Android for malicious purposes and reports them.
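The two signals described above, an enabled accessibility service and a window drawn over the protected app, can also be observed from inside the app itself using standard Android framework APIs. The following Kotlin snippet is an added example and is not Verimatrix code; the helper names `enabledAccessibilityServicePackages`, `ObscuredTouchAwareEditText` and `onObscuredTouch` are assumptions chosen for illustration. It lists the packages of all currently enabled accessibility services (so the app's server can decide which ones are trusted) and drops touches that reach a login field while another window obscures it, using `filterTouchesWhenObscured` and the `FLAG_WINDOW_IS_OBSCURED` / `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` motion-event flags.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.MotionEvent
import android.view.accessibility.AccessibilityManager
import android.widget.EditText

// Hypothetical helper (added example, not Verimatrix code): returns the package
// names of every accessibility service that is currently enabled on the device.
// The app can report this list to its server, which compares it against an
// allow-list of known accessibility tools before treating it as an indicator.
fun enabledAccessibilityServicePackages(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .mapNotNull { it.resolveInfo?.serviceInfo?.packageName }
        .distinct()
}

// Hypothetical login field (added example) that refuses touches delivered while
// another window is drawn over it, which is exactly the situation an overlay creates.
class ObscuredTouchAwareEditText(context: Context) : EditText(context) {

    // Invoked once per swallowed touch; an app would forward this to its telemetry
    // so the server can apply the response guidance (warn user, step-up auth, review).
    var onObscuredTouch: ((MotionEvent) -> Unit)? = null

    init {
        // Ask the framework to filter touches that arrive through an obscuring window.
        filterTouchesWhenObscured = true
    }

    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        // FLAG_WINDOW_IS_OBSCURED: another window fully covers the touch location.
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED (API 29+): a window covers part of this view.
        val obscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0 ||
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (obscured) {
            onObscuredTouch?.invoke(event)
            return false // swallow the event: nothing typed through the overlay reaches the field
        }
        return super.onFilterTouchEventForSecurity(event)
    }
}

// Usage inside an Activity (added example):
//   val services = enabledAccessibilityServicePackages(this)   // report to server
//   val field = ObscuredTouchAwareEditText(this)
//   field.onObscuredTouch = { ev -> /* record an overlay indicator for this session */ }
```

Neither check is a verdict on its own: accessibility services are legitimately used by screen readers, and a partial obscuring can come from a benign notification bubble. That is why the description above pairs the overlay signal with a second indicator before raising an alert, and why the package list is sent to the server rather than acted on locally.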

Response Guidance

An overlay produced by malware should not occur in normal use. You should warn the affected app's user and add additional authentication, or a review of the affected users' transactions, on the application server. Ideally, you would shut down the affected app.