Overlay Attacks
Drawing a fake UI on top of a legitimate app to steal credentials. The defining technique of Android banking malware since ~2016. The attacker creates a window that looks identical to a banking app's login screen, and the user types their credentials into the attacker's view.
Requirements
| Requirement | Details |
|---|---|
| Permission | SYSTEM_ALERT_WINDOW or BIND_ACCESSIBILITY_SERVICE |
| Trigger | Foreground app detection (knowing when to show the overlay) |
| Payload | HTML/WebView template matching the target app's UI |
How It Works
Foreground Detection
The malware needs to know when the user opens a target app. Methods used:
| Method | Android Version | Details |
|---|---|---|
| getRunningTasks() | Pre-5.0 | Deprecated, returns only caller's tasks on 5.0+ |
| UsageStatsManager | 5.0+ | Requires PACKAGE_USAGE_STATS, polls every ~1 second |
| Accessibility events | 4.1+ | TYPE_WINDOW_STATE_CHANGED fires when any activity starts, most reliable |
| ActivityLifecycleCallbacks | Only for own process | Not useful for monitoring other apps |
Analyst Note
Accessibility is the preferred method: it's real-time, requires no polling, and the malware likely needs accessibility for other purposes anyway. If a sample requests BIND_ACCESSIBILITY_SERVICE, treat it as the likely overlay trigger mechanism.
Injection Display
When the target app is detected, the malware displays its overlay:
WebView approach (most common): a WebView loads an HTML page styled to match the target app. These HTML templates ("injects" or "webfakes") are downloaded from C2 per target app. Major malware operations maintain inject kits covering hundreds of banking apps across multiple countries.
Native View approach: Android View objects constructed programmatically. Less common because it's harder to maintain across app UI updates.
Full Activity approach: some families launch a full Activity with FLAG_ACTIVITY_NEW_TASK themed to look like the target. This doesn't require SYSTEM_ALERT_WINDOW but is less precise in timing.
Credential Capture
The injected form submits entered data to C2 via HTTPS POST. Captured fields typically include:
- Login credentials (username, password)
- Card numbers (PAN, CVV, expiry)
- PINs
- Security questions
Inject Kits
Malware-as-a-service (MaaS) operations sell or rent inject kits. An inject kit is a collection of HTML/CSS/JS files, one per target app, that mimic the target's login UI. These are versioned and updated when banks change their UI.
The C2 server maps package names to inject URLs:
com.chase.sig.android -> https://c2.example/injects/chase.html
com.bankofamerica.cashpromobile -> https://c2.example/injects/boa.html
The malware downloads only injects for apps found on the device (see QUERY_ALL_PACKAGES).
Evolution
| Era | Technique | Example Families |
|---|---|---|
| 2014-2016 | Simple overlays using TYPE_SYSTEM_ALERT | GM Bot, BankBot |
| 2016-2018 | WebView-based injects, C2-managed templates | Marcher, Red Alert |
| 2018-2020 | Accessibility-triggered overlays, large inject kits | Cerberus, Anubis, Hydra |
| 2020-2022 | ATS (Automated Transfer System), overlay + accessibility combo | Anatsa, SharkBot, Xenomorph |
| 2022-2024 | Overlays declining as primary technique, replaced by full device control via accessibility | Hook, Octo/ExobotCompact |
| 2025 | On-device virtualization: real banking apps run inside malware-controlled sandbox | GodFather v3 |
| 2025 | NFC payment overlays: fake tap-to-pay screens capturing card data | Hook v3 |
The trend is away from pure overlay attacks toward on-device fraud using accessibility to operate the real banking app directly. Overlays are still used for initial credential capture, but the real value is in accessibility-based ATS. The most recent evolution (GodFather v3) bypasses overlays entirely by running the real banking app inside a virtual environment and intercepting all interactions at runtime.
Android Mitigations
Every mitigation pushed malware toward heavier reliance on accessibility services.
| Version | Mitigation | Bypass |
|---|---|---|
| Android 8 | TYPE_APPLICATION_OVERLAY renders below permission dialogs | Attacker doesn't need to overlay permission dialogs |
| Android 10 | Overlays can't appear over focused app activities | Accessibility gestures bypass this entirely |
| Android 12 | FLAG_WINDOW_IS_PARTIALLY_OBSCURED warns apps of overlays | Most apps don't check this flag |
| Android 12 | Overlays untouchable over system dialogs | Accessibility service performs the touches instead |
Families Using This Technique
| Family | Overlay Approach | Inject Kit Size | Also Uses ATS |
|---|---|---|---|
| Cerberus | WebView | 300+ targets | No |
| Anubis | WebView | 250+ targets | No |
| BankBot | Activity | 50+ targets | No |
| Hydra | WebView | 400+ targets | No |
| Hook | WebView | 400+ targets | Yes |
| GodFather | WebView | 400+ targets | No |
| Ermac | WebView | 400+ targets | No |
| Xenomorph | WebView | 400+ targets | Yes |
| Octo | WebView | 200+ targets | Yes |
| Alien | WebView | 200+ targets | No |
| Medusa | WebView | 100+ targets | No |
| SharkBot | Native | 20+ targets | Yes |
| Zanubis | WebView | 40+ targets | Yes |
| Fakecalls | WebView | Korean banks | No |
| Mamont | WebView | Russian banks | No |
| Copybara | WebView | Italian banks | Yes |
| Crocodilus | WebView | 8 countries | Yes |
| BingoMod | WebView | European banks | Yes |
| Brokewell | WebView | European banks | Yes |
| Klopatra | WebView | Turkish banks | Yes |
| Albiriox | WebView | 400+ targets | Yes |
| Herodotus | WebView | Southern/Central EU | Yes |
| GoldPickaxe | WebView | Thai/Vietnamese banks | No |
| Sturnus | WebView | Southern/Central EU | Yes |
| Antidot | WebView | Multi-language | Yes |
| TrickMo | WebView | European banks | No |
| TsarBot | WebView | 750+ targets | Yes |
| BlankBot | WebView | Turkish banks | Yes |
| Vultur | Native | European banks | Yes |
| Chameleon | WebView | AU/EU banks | No |
| ToxicPanda | WebView | EU/LATAM banks | Yes |
| Frogblight | WebView | Turkish banks | Yes |
| BTMOB RAT | WebView injection (brows command) | Crypto/banking | Yes |
| Rafel RAT | Activity-based | Multi-region | No |
| RatOn | WebView | Czech banks | Yes |
| DeVixor | WebView | Iranian banks | No |
Notable exceptions: Gigabud and Vultur v1 deliberately avoid overlay attacks, using screen recording instead to capture credentials as the victim interacts with their real banking app. NGate uses a phishing WebView for card PIN entry rather than traditional banking overlays.
Detection During Analysis
Static Indicators
- SYSTEM_ALERT_WINDOW in manifest
- TYPE_APPLICATION_OVERLAY in code
- UsageStatsManager calls for foreground detection
- WebView loading local HTML or C2-hosted URLs
- Accessibility service monitoring TYPE_WINDOW_STATE_CHANGED
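A static triage pass over the indicators above, as an added example that is not part of the original page: it reads a decompiled sample's manifest and the string constants pulled from its code, and flags overlay capability only when both a display method and a foreground-detection trigger are present. The manifest fragment, string list and indicator names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest fragment shaped like an overlay-capable sample (no real family).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application><service android:name=".Svc"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
# Constructed string constants, as pulled from decompiled code.
SAMPLE_CODE_STRINGS = ["TYPE_APPLICATION_OVERLAY", "TYPE_WINDOW_STATE_CHANGED",
                       "loadUrl", "injects/"]

MANIFEST_PERMS = {  # manifest permission -> indicator name
    "android.permission.SYSTEM_ALERT_WINDOW": "system_alert_window",
    "android.permission.PACKAGE_USAGE_STATS": "package_usage_stats",
    "android.permission.QUERY_ALL_PACKAGES": "query_all_packages",
}
CODE_MARKERS = {  # indicator name -> marker strings in decompiled code
    "overlay_window_type": ("TYPE_APPLICATION_OVERLAY", "TYPE_SYSTEM_ALERT"),
    "accessibility_window_events": ("TYPE_WINDOW_STATE_CHANGED",),
    "usagestats_polling": ("UsageStatsManager", "queryUsageStats"),
    "webview_inject_loading": ("loadUrl", "loadDataWithBaseURL"),
}
DISPLAY = {"system_alert_window", "overlay_window_type"}
TRIGGER = {"accessibility_service", "accessibility_window_events",
           "package_usage_stats", "usagestats_polling"}

def manifest_indicators(manifest_xml):
    # Overlay/usage permissions plus any service bound with the accessibility permission.
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    found = {MANIFEST_PERMS[p] for p in perms if p in MANIFEST_PERMS}
    if any(s.get(NS + "permission") == ACCESSIBILITY_BIND for s in root.iter("service")):
        found.add("accessibility_service")
    return found

def code_indicators(strings):
    # Indicators whose marker strings occur among the decompiled constants.
    joined = "\n".join(strings)
    return {n for n, ms in CODE_MARKERS.items() if any(m in joined for m in ms)}

def triage(manifest_xml, strings):
    # Overlay capability needs a display method AND a foreground trigger; either alone is inconclusive.
    found = manifest_indicators(manifest_xml) | code_indicators(strings)
    verdict = "overlay-capable" if found & DISPLAY and found & TRIGGER else "inconclusive"
    return verdict, sorted(found)
```

A legitimate screen-filter or launcher app also holds SYSTEM_ALERT_WINDOW, which is why the verdict requires a trigger alongside the display method.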
Dynamic Indicators
- Window created with overlay type when a banking app is foregrounded
- Network request to C2 matching pattern of inject download
- HTML files stored in app's internal storage matching banking app names
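The first two dynamic indicators, correlated over a sandbox-style event log, as an added example that is not part of the original page. The log format is constructed (not any real sandbox's output) and uses the two package names from the C2 mapping above plus a constructed sample package; the inject URL pattern and the two-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed event log: foreground changes, window additions and network requests.
SAMPLE_LOG = """\
12:00:01.000 FOREGROUND pkg=com.chase.sig.android
12:00:01.250 WINDOW_ADD pkg=com.example.constructed type=TYPE_APPLICATION_OVERLAY
12:00:05.000 FOREGROUND pkg=com.android.chrome
12:00:09.000 WINDOW_ADD pkg=com.example.constructed type=TYPE_APPLICATION_OVERLAY
12:00:20.000 FOREGROUND pkg=com.bankofamerica.cashpromobile
12:00:20.100 NET pkg=com.example.constructed url=https://c2.example/injects/boa.html
12:00:20.400 WINDOW_ADD pkg=com.example.constructed type=TYPE_APPLICATION_OVERLAY
"""
BANKING_PKGS = {"com.chase.sig.android", "com.bankofamerica.cashpromobile"}
OVERLAY_TYPES = {"TYPE_APPLICATION_OVERLAY", "TYPE_SYSTEM_ALERT"}
INJECT_URL = re.compile(r"/injects?/")  # assumed pattern for inject downloads
WINDOW_SECS = 2.0  # assumed: overlay must follow the banking app within this many seconds
LINE = re.compile(r"(\S+) (\w+) (.*)")

def parse(line):
    # "<HH:MM:SS.mmm> <EVENT> key=value ..." -> (timestamp, event, fields)
    ts, event, rest = LINE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%H:%M:%S.%f"), event, fields

def correlate(log, window=WINDOW_SECS):
    # Alert on overlay windows from another package, or inject-style fetches,
    # that land within `window` seconds of a banking app reaching the foreground.
    alerts, last_bank = [], None  # last_bank = (time, package) or None
    for line in log.splitlines():
        t, event, f = parse(line)
        if event == "FOREGROUND":
            last_bank = (t, f["pkg"]) if f["pkg"] in BANKING_PKGS else None
            continue
        if last_bank is None or (t - last_bank[0]).total_seconds() > window:
            continue  # no banking app in front, or too long ago to be a trigger
        if event == "WINDOW_ADD" and f.get("type") in OVERLAY_TYPES and f["pkg"] != last_bank[1]:
            alerts.append(("overlay_over_bank", f["pkg"], last_bank[1]))
        elif event == "NET" and INJECT_URL.search(f.get("url", "")):
            alerts.append(("inject_fetch", f["pkg"], f["url"]))
    return alerts
```

The overlay added at 12:00:09 produces no alert because a non-banking app was in the foreground, which is the distinction that separates an overlay trigger from ordinary floating-window behaviour.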