TapJacking Attacks, a thorough guide

PART 1

Or Continue to Part 2

Introduction

Overlays are nothing new in IT security. “Cloak & Dagger”, which is built on these techniques, is still considered one of the most popular attacks to have affected the Android operating system [1]. But this is just the tip of the iceberg, since overlays are used by various kinds of malware, including banking trojans, spyware, privilege-escalation tools, ad fraud and even ransomware [2,3,4,5]. Although experience so far shows otherwise, the ability of an application to draw on top of others is still not considered dangerous. After all, vulnerabilities that “play” with the user interface have always been regarded as low-hanging fruit. To the average user such an ability seems completely harmless, so allowing an app to overlay is just a click away.

An underestimated permission

The SYSTEM_ALERT_WINDOW (SAW) permission was added in API level 1 and was silently approved by the system up to API level 22. Up to and including Lollipop (Android 5.1), the developer was free to use the permission without any kind of disclosure. Marshmallow (Android 6) requires the user to explicitly grant this permission through a management screen, except where the target SDK is set lower than 23 [10].

Free Floating Windows (FFW)

As the name implies, a free floating window is a category of window that can appear freely above any other application, and its existence does not depend on its parent. Additionally, its behaviour and appearance are fully customisable and controllable by the developer via WindowManager.LayoutParams. Using the type attribute of this class the developer may request a priority in the device's display layers, while the flags attribute customises how events are processed [11].

Once the SYSTEM_ALERT_WINDOW permission is approved, an application is authorised to create a window of type TYPE_APPLICATION_OVERLAY. Since this type has a priority between FIRST_APPLICATION_WINDOW and LAST_APPLICATION_WINDOW, the created window is displayed on top of other activities but below critical system windows (e.g. the status bar or the IME). As mentioned above, the flags attribute affects the event-processing behaviour of a window: FLAG_NOT_TOUCHABLE dispatches touch events to the window behind, while FLAG_WATCH_OUTSIDE_TOUCH informs the app about the event but omits details such as the touch coordinates. Of course, the full range of appearance settings for the view that is added to the window is still available, including visibility, size and position.

Implementing a Floating Button

Let us first create the FFW that we are going to use to host our floating Button. Start a new Android Studio project and add the following declaration to the manifest file:

<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>

As a second step, create a Button in your main activity using the code below:

Button floatingButton = new Button(getApplicationContext());

Let us now create a WindowManager and a LayoutParams instance using the following code:

int width = 400;  //FFW width
int height = 400; //FFW height
WindowManager windowManager = (WindowManager) getSystemService(WINDOW_SERVICE);
WindowManager.LayoutParams params = new WindowManager.LayoutParams(width, height,
        WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
        WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE | WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
        PixelFormat.TRANSPARENT);

Finally, let us add our floatingButton to the FFW:

windowManager.addView(floatingButton, params);
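The steps above assembled into a single Activity, as an added example that is not the article's own code. It assumes the manifest declaration shown earlier and a minSdk of 23; REQ_OVERLAY is an arbitrary request code. Beyond the article's snippets it adds the runtime check for the SAW grant (mandatory since Marshmallow) and the fallback window type for releases older than Oreo, where TYPE_APPLICATION_OVERLAY does not exist.

```java
import android.app.Activity;
import android.content.Intent;
import android.graphics.PixelFormat;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.view.WindowManager;
import android.widget.Button;

public class MainActivity extends Activity {
    private static final int REQ_OVERLAY = 1; // hypothetical request code

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // From API 23 SAW is user-granted: verify it, otherwise open "Display over other apps".
        if (!Settings.canDrawOverlays(this)) {
            Intent intent = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                    Uri.parse("package:" + getPackageName()));
            startActivityForResult(intent, REQ_OVERLAY);
            return;
        }
        showFloatingButton();
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        // The settings screen reports no result code, so re-check the grant instead.
        if (requestCode == REQ_OVERLAY && Settings.canDrawOverlays(this)) showFloatingButton();
    }

    private void showFloatingButton() {
        int width = 400, height = 400; // FFW size in pixels
        // TYPE_APPLICATION_OVERLAY was introduced in Oreo (API 26); older releases use TYPE_PHONE.
        int type = Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                ? WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY
                : WindowManager.LayoutParams.TYPE_PHONE;
        // NOT_TOUCHABLE passes touches to the window underneath; NOT_FOCUSABLE leaves key input there.
        WindowManager.LayoutParams params = new WindowManager.LayoutParams(width, height, type,
                WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE
                        | WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
                PixelFormat.TRANSPARENT);
        Button floatingButton = new Button(getApplicationContext());
        // The window belongs to the process, not the activity: it survives Back finishing MainActivity.
        WindowManager windowManager = (WindowManager) getSystemService(WINDOW_SERVICE);
        windowManager.addView(floatingButton, params);
    }
}
```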

To keep things simple, let's enable the SAW permission manually:

  • Long press the application’s icon
  • Select “App info” and in the next screen select “Advanced”

Click on the “Display over other apps” option in order to enable the permission:

Re-run the application and, if everything was followed correctly, you will see the following result:

Just press the “Back” button to get rid of the MainActivity UI… and… congratulations, you have just created your first floating button. Feel free to navigate around; your FFB remains on top of the other applications:

References

[1] https://www.kaspersky.com/blog/cloak-and-dagger-attack/16960/

[2] https://www.zdnet.com/article/this-new-malware-uses-remote-overlay-attacks-to-hijack-your-bank-account/

[3] https://labs.f-secure.com/advisories/privilege-escalation-via-adbd-misconfiguration/

[4] https://encyclopedia.kaspersky.com/glossary/overlay-attack/

[5] https://arstechnica.com/information-technology/2020/10/android-ransomware-has-picked-up-some-ominous-new-tricks/

[6] https://www.android.com/versions/oreo-8-0/

[7] https://android-review.googlesource.com/c/platform/system/sepolicy/+/588493

[8] https://www.theverge.com/2018/3/7/17091104/android-p-prevents-apps-using-mic-camera-idle-background

[9] https://developer.android.com/guide/components/activities/background-starts

[10] https://developer.android.com/reference/android/Manifest.permission#SYSTEM_ALERT_WINDOW

[11] https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=4724&context=sis_research

[12] https://developer.android.com/guide/background
