The rise of mobile app overlay attacks and how to defend against them [Q&A]
A major new threat has made its presence felt in the last few months. Cybercriminals have expanded the use of screen spoofing or overlay attacks from web applications to trusted mobile apps.
What’s more, the availability of as-a-service technology has lowered the threshold for attacks. We spoke to Dr. Klaus Schenk, SVP security and threat research at Verimatrix, to learn more about how these attacks work and what can be done to guard against them.
BN: How have overlay attacks evolved and extended to mobile applications in recent years?
KS: Overlay attacks surfaced as early as computers had monitors and login prompts. Simple text-based screens emulating the login prompt were early forms of an overlay.
These attacks have been reinvented, adapted, and improved ever since as a continuous threat. It has made its presence known in mobile apps in a big way in the past year, becoming more dangerous with bad actors significantly increasing the efficiency of these attacks, by automation and by embedding these attacks in a framework of a chain of fine-tuned exploit abuse and attack methods. Looks can be deceiving -- and that's especially true with these types of screen spoofing/overlay threats. Today, cybercriminals have expanded what was once largely limited to well-known overlay attacks on web applications to users' mobile devices, and more specifically, their highly trusted mobile apps.
To make matters worse, new criminal 'services' have lowered the entry threshold for attacks significantly. These fast-growing overlay attacks mark a renewed need for user vigilance and greater app development security precautions. The services include the generation of the overlays looking exactly like the originals, services to build the malicious apps doing the chain of attacks, offering ways to inject these malicious apps onto the phones, and to control servers to collect data from these malicious apps. Additional services comprise interception of one-time passwords (OTPs) from text messages, tricking authenticators doing multi-factor authentication, and locking the phone to prevent the target from taking countermeasures. New attack frameworks even offer to remove all popular endpoint protection and anti-virus software from the phone.
BN: How do mobile application overlay/screen spoofing attacks work? Could you offer an example?
KS: Overlay attacks trick users into putting their data into what looks like their legitimate banking or media application, then the malicious work begins in earnest -- literally covering up part of the legitimate app with attacker-controlled screens that can capture logins, passwords, one-time codes, complete credit card data, banking transactions, and credit card transactions -- all of it can be gathered by the cybercriminals and accounts can be abused or resold.
The malicious app carrying the code for the overlay attack is often injected into the target device by so-called dropper apps. These dropper apps wrap the malicious code in useful, mostly free utilities, like QR code readers, PDF readers, unit converters, etc.
This malicious app has a 'dark side'. Let's use a banking app as an example. If the device does not have the targeted legitimate banking app installed and launched, the malicious app won't do anything malicious. However, if the user has the targeted app on their phone, this malicious app will run in the background, waiting for that targeted app to be launched by the victim.
As soon as the victim launches the targeted banking app, the malicious app detects it and quickly takes over the screen. Typically, it will display a screen that is identical to the app's login screen on top of the app's login screen, and to the victim, it looks identical to the normal operation they’re used to experiencing. The targeted app is launched, and the login screen is shown. The victim has no way to know that the malicious app is overlaying their banking app’s input screen and is listening to all the user's inputs. Variants of this attack take over the input screen and ask later to renew or add credit card data after login, or they add similar fake requests that trick the user into exposing private data.
The victim enters their valid credentials, which are collected by the malicious app that sends them to a so-called Command and Control server. If OTP authentication is required (e.g., by a text message you get that provides a required temporary number), then the malicious app grabs that number and sends it to the Command and Control server. At that point, the Command and Control server has all the information needed to take over the victim’s bank account. Using so-called reverse proxies can help the attacker conduct the OTP abuse in real time, without being affected by OTP timeouts.
Depending on the attacker's strategy and target of theft, the malicious app will either just let the user continue with their app (and abuse, for example, the stolen credit card data) or force the targeted user to restart the process by crashing the legitimate app and not take over the login screen in the next attempt. Banks often send messages to alert users of activity on their accounts. Depending on the level of control the malicious app has obtained, to make sure the user does not receive these messages, some variants of the malicious app can take over the phone and disable all user interfaces. The victim cannot access any app, cannot receive calls, cannot place calls, etc. The victim cannot even reset or restart the device. With some variants of these attacks, the phone is only released from the malicious app’s grip after the battery is drained, recharged, and rebooted.
BN: Who needs to be aware of these threats, and are there any specific mobile operating systems that have become more vulnerable to them?
KS: Mobile app developers need to take heed, as these threats take advantage of the innate confidence that big brands enjoy when users rely on their associated mobile apps. And now that mobile apps connect to your critical infrastructure, CISOs need to better understand how this weak link in their security defenses could easily take the organization down -- and how to prevent this.
These threats mainly affect Android devices. A typical way for the attacker to enter the targeted user’s device is to bait the Android user into downloading an app that has a malicious payload (usually a free game, a video editing app, a flashlight app, etc.). This is a malicious app. There are other ways to inject malicious code, like zero-day attacks that exploit, e.g., recent zero-day vulnerabilities on some Nexus and Samsung devices, to allow an attacker to enter a mobile device just by knowing the target's phone number.
BN: How do overlay attacks differ from other mobile threats?
KS: Overlay attacks are complex and take advantage of a mobile app that isn’t properly monitored by its developer or its operator. The needed intelligence to stop such attacks is available -- it's just not yet deployed by most developers at the onset of their deployment. With modern attack frameworks now removing standalone endpoint protection and anti-malware apps, moving this protection and monitoring into the app becomes inevitable.
The 'professionalism' surrounding mobile app-involved attacks is unprecedented in 2023, and the developer-deployed defenses need to be just as powerful as the threats they face. Otherwise, users will become disgruntled -- and brands will become tarnished. Security as a differentiator will be key, especially given the not-so-distant hindsight that will undoubtedly rear its head.
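The in-app protection and monitoring this answer calls for can start with the overlay-resistance hooks Android itself provides. Below is an added example (not code from the interview or from Verimatrix) of a login Activity that, on Android 12 and later, asks the system to hide non-system overlay windows, discards touches that arrive through an obscuring window, and treats a resumed Activity losing window focus as a monitoring signal. `LoginActivity`, the `R.layout.activity_login` resource and the `reportSuspectedOverlay` hook are assumed names.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.View;

// Example login Activity. The manifest must also declare
// <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>
// for setHideOverlayWindows() to take effect on API 31+.
public class LoginActivity extends Activity {
    private static final String TAG = "OverlayGuard";
    private boolean resumed = false;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login); // assumed layout resource
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Hide app-drawn overlay windows (SYSTEM_ALERT_WINDOW) while this
            // Activity is visible. This does not stop a malicious Activity
            // launched on top of ours, nor accessibility-service abuse.
            getWindow().setHideOverlayWindows(true);
        }
        // Discard touches delivered while another window obscures this view,
        // so a transparent overlay cannot relay taps into the real form.
        View root = findViewById(android.R.id.content);
        root.setFilterTouchesWhenObscured(true);
    }

    @Override protected void onResume() { super.onResume(); resumed = true; }
    @Override protected void onPause() { resumed = false; super.onPause(); }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        // A resumed Activity losing focus means something was drawn over it.
        // Benign causes exist (notification shade, system dialogs), so treat
        // it as a signal for the app's own monitoring, not as a verdict.
        if (resumed && !hasFocus) reportSuspectedOverlay("focus_lost_while_resumed");
    }

    // Hypothetical hook: a real app would forward this to its backend risk
    // engine so the session can be stepped up or blocked server-side.
    private void reportSuspectedOverlay(String reason) {
        Log.w(TAG, "suspected overlay: " + reason);
    }
}
```

None of these hooks catches a malicious Activity launched over the app or an accessibility-service driven overlay, which is why the focus-loss signal is reported for server-side correlation rather than enforced locally.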
BN: What is the main motivator for threat actors to carry out mobile overlay attacks?
KS: These overlay attacks (also known as 'UI redress attacks' or 'web injects') are now common offerings. Since September 2022, a new dark web store has surfaced, allowing attackers to conduct this attack via many different attack plugins for only $30.00. These plugins work with a set of widely used attack frameworks, like Hydra, Alien, or Cerberus. Lowering the entry threshold to that low price is a game changer. It's making the attack much more dangerous.
Indeed, the low $30.00 plugin price isn't a criminal's only related 'investment', but it's clearly a driver for its growth. That plugin that’s targeting a specific app needs to be placed into a framework that helps provide the malicious app with ways to trick the victim into installing the app and the Command and Control server. These attack frameworks cost between $1,000-$2,000 per month on the low end and $7,000 on the higher end and can be reused many times. The newer and more expensive attack frameworks usually support attacks on more topical versions of phones and platforms.
BN: How are organizations responding to the surge in these kinds of attacks, and how can they maximize mobile application protection?
KS: In response, companies are spending big to preventively protect their apps, just as they've done with authentication in recent years. However, many apps remain unprotected, and users still don't have visibility into what’s potentially happening to their apps and on the affected devices. As mentioned above, some attack frameworks are even removing the device protection.
Unfortunately, most apps simply aren't protected, and for some of the attacks, there is often no protection available on the platform, or the platform protection is removed as part of the attack, so the best defence is for organisations to adopt an Extended Threat Defence solution as well as encourage users to look out for the actual malicious overlay technique while they’re using their apps. It's difficult to spot because the fake app acts like the legitimate one -- and that's exactly what cybercriminals bank on happening in their favour. Once that goes unnoticed, there's nothing to immediately alarm the affected end user that their private information is likely on its way out the door.