diff --git a/src/mobile-pentesting/android-app-pentesting/tapjacking.md b/src/mobile-pentesting/android-app-pentesting/tapjacking.md index e099b324a..0486eb4d8 100644 --- a/src/mobile-pentesting/android-app-pentesting/tapjacking.md +++ b/src/mobile-pentesting/android-app-pentesting/tapjacking.md 
@@ -63,8 +63,49 @@ The mitigation is relatively simple as the developer may choose not to receive t > > To enable touch filtering, call [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window. +--- -{{#include ../../banners/hacktricks-training.md}} +## Accessibility Overlay Phishing (Banking-Trojan Variant) +Besides classic Tapjacking, modern Android banking malware families (e.g. **ToxicPanda**, BrasDex, Sova, etc.) abuse the **Accessibility Service** to place a full-screen WebView **overlay** above the legitimate application while still being able to **forward the user input** to the view underneath. This dramatically increases believability and allows attackers to steal credentials, OTPs or even automate fraudulent transactions. +### How it works +1. The malicious APK requests the highly-sensitive `BIND_ACCESSIBILITY_SERVICE` permission, usually hiding the request behind a fake Google/Chrome/PDF-viewer dialog. +2. Once the user enables the service, the malware programmatically simulates the taps required to grant additional dangerous permissions (`READ_SMS`, `SYSTEM_ALERT_WINDOW`, `REQUEST_INSTALL_PACKAGES`, …). +3. A **WebView** is inflated and added to the window manager using the **`TYPE_ACCESSIBILITY_OVERLAY`** window type. The overlay can be rendered totally opaque or semi-transparent and can be flagged as *“through”* so that the original touches are still delivered to the background activity (thus the transaction really happens while the victim only sees the phishing form). 
+```java +WebView phishingView = new WebView(getApplicationContext()); +phishingView.getSettings().setJavaScriptEnabled(true); +phishingView.loadUrl("file:///android_asset/bank_login.html"); + +WindowManager wm = (WindowManager) getSystemService(WINDOW_SERVICE); +WindowManager.LayoutParams lp = new WindowManager.LayoutParams( + WindowManager.LayoutParams.MATCH_PARENT, + WindowManager.LayoutParams.MATCH_PARENT, + WindowManager.LayoutParams.TYPE_ACCESSIBILITY_OVERLAY, // <-- bypasses SYSTEM_ALERT_WINDOW prompt + WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE | + WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL, // «through» flag → forward touches + PixelFormat.TRANSLUCENT); +wm.addView(phishingView, lp); +``` + +### Typical workflow used by banking Trojans +* Query installed packages (`QUERY_ALL_PACKAGES`) to figure out which banking / wallet app is currently opened. +* Download an **HTML/JS overlay template** from the C2 that perfectly imitates that specific application (Logo, colours, i18n strings…). +* Display the overlay, harvest credentials/PIN/pattern. +* Use the **Accessibility API** (`performGlobalAction`, `GestureDescription`) to automate transfers in the background. + +### Detection & Mitigation +* Audit the list of installed apps with `adb shell pm list packages -3 -e BIND_ACCESSIBILITY_SERVICE`. +* From the application side (bank / wallet): + - Enable **`android:accessibilityDataSensitive="accessibilityDataPrivateYes"`** (Android 14+) on sensitive views to block non-Play-Store services. + - Combine with `setFilterTouchesWhenObscured(true)` and `FLAG_SECURE`. +* System hardening: + - Disable *Install from Unknown Sources* & *Accessibility for untrusted apps*. + - Enforce PlayProtect & up-to-date devices. + +## References +* [Bitsight – ToxicPanda Android Banking Malware 2025 Study](https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
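Review bot: the detection command in the "Detection & Mitigation" list, `adb shell pm list packages -3 -e BIND_ACCESSIBILITY_SERVICE`, is not a valid invocation: `pm list packages` has no option that filters by permission, and `-e` is a bare "enabled packages only" switch that takes no argument, so this line will not list accessibility services. Please replace it with a check that actually works, e.g. `adb shell settings get secure enabled_accessibility_services` (the services currently switched on) or `adb shell dumpsys accessibility` (installed and bound services), which is what an analyst would run to spot an unexpected overlay service. Two further accuracy points in the same list: the layout attribute is `android:accessibilityDataSensitive` with the documented enum values `auto`/`yes`/`no` (`View.setAccessibilityDataSensitive(...)` in code), not `accessibilityDataPrivateYes`, and its gate is whether the accessibility service declares `isAccessibilityTool`, not whether it came from the Play Store, so the sentence should be reworded; and `FLAG_SECURE` only blocks screen capture and recording, it does not stop another window from being drawn on top, so it should not be presented as an overlay mitigation alongside `setFilterTouchesWhenObscured(true)`. Finally, the moved `{{#include ../../banners/hacktricks-training.md}}` lost its trailing newline (`\ No newline at end of file`); restore it to match the other pages.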