TapJacking Attacks, a thorough guide PART 2

+Ch0pin🕷️
Mar 27, 2021

Recap

In PART 1 of this tutorial we went through some basic theoretical concepts such as Free Floating Windows (FFW), the SYSTEM_ALERT_WINDOW permission (SAW) and Android’s Window Manager. Finally, we created an application that implements an FFW and added a Button to it. In this part we are going to go a little further and play with the “look and feel” of our “construction”, starting to understand how this feature can be abused in a malicious way.

Parental (Un)Control

Before we start, let’s first add a single line of code that will help us get rid of the main activity and give a sense of independence to our FFW. According to the Android Developers documentation, onBackPressed() is called when an activity has detected the user’s press of the back key. The default implementation simply finishes the current activity, but you can override this to do whatever you want. We can manually call this function and finish our main activity by simply adding a call to it at the end of the onCreate function.

An activity that goes to the background, though, doesn’t really disappear, as it can be brought back to the foreground by simply clicking the phone’s “middle button” and selecting the activity from the recents stack. This behaviour can be overridden by adding the following entries in the Android Manifest:

<activity android:name=".MainActivity" android:autoRemoveFromRecents="true" android:noHistory="true">

The autoRemoveFromRecents will remove the activity from the recents screen, while the noHistory will (really) finish the MainActivity:

Our standalone FFW with a Button “attached” to it
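
From a reviewer's side, the manifest combination described above is easy to triage statically. The following Python sketch is an added example, not code from the original post; the sample manifest, the package name and the function name flag_overlay_hiding are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: namespace prefix
SAW = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest (decoded text form, not taken from a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ffwdemo">
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application>
        <activity android:name=".MainActivity"
            android:autoRemoveFromRecents="true"
            android:noHistory="true"/>
        <activity android:name=".SettingsActivity"/>
    </application>
</manifest>"""


def flag_overlay_hiding(manifest_xml):
    """Report activities that hide themselves in an app that may draw overlays."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    has_saw = SAW in perms
    findings = []
    for act in root.iter("activity"):
        hidden = [attr for attr in ("autoRemoveFromRecents", "noHistory")
                  if act.get(A + attr) == "true"]
        if not hidden:
            continue
        findings.append({
            "activity": act.get(A + "name"),
            "hidden_by": hidden,
            # Highest concern: overlay permission plus an activity that both
            # leaves the recents screen and finishes itself.
            "severity": "high" if has_saw and len(hidden) == 2 else "info",
        })
    return {"requests_overlay": has_saw, "findings": findings}


if __name__ == "__main__":
    print(flag_overlay_hiding(SAMPLE_MANIFEST))
```

A "high" finding is only a prompt for manual review: both attributes have legitimate uses on their own.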

Screen Placing

The location of our view on the screen can be set by using the gravity field of the LayoutParams instance or, if we want to be more precise, we may also use the x,y fields of the aforementioned class. There are multiple values that may be assigned to the gravity field, but covering them all is out of the scope of this write-up, so we are going to narrow it down to the basics. More specifically, we are going to use the TOP | BOTTOM | CENTER | LEFT | RIGHT constants, or a combination of them, to place the FFW in a desired position:

Gravity.TOP | Gravity.LEFT
Gravity.BOTTOM | Gravity.RIGHT

Getting to the point, our code may be modified as follows:

...
// 400x400 overlay window that neither receives touches nor takes focus
WindowManager.LayoutParams params = new WindowManager.LayoutParams(400, 400,
        WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
        WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE | WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
        PixelFormat.TRANSPARENT);
// Anchor the window to the bottom-right corner of the screen
params.gravity = Gravity.BOTTOM | Gravity.RIGHT;
...

The LayoutParams can be even more precise when it comes to screen placement. Taking x=0, y=0 to represent the coordinates of the centre of the screen, we may move the FFW by simply setting the x,y fields of the LayoutParams instance:

Replace the params.gravity = Gravity.BOTTOM | Gravity.RIGHT line in our code with the following lines:

params.x = 0;
params.y = 0;

Now try to move the FFW by setting values along the x,y axes:

params.x = -400, params.y = -800
params.x = 400, params.y = 800
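
When reviewing LayoutParams values recovered from an app under analysis, it helps to work out which screen region the window ends up covering. The Python sketch below is an added example, not code from the original post: it is a simplified model of the gravity and x,y rules described above that ignores system bars and insets, and the 1080x2160 screen, the rectangle of the sensitive control and all function names are assumptions.

```python
# Gravity constants with the same values as android.view.Gravity.
TOP, BOTTOM, LEFT, RIGHT = 0x30, 0x50, 0x03, 0x05


def place_axis(size, extent, offset, near, far, gravity):
    """Resolve one axis and return the start coordinate of the window."""
    if gravity & far == far:            # anchored to RIGHT / BOTTOM
        pos = size - extent - offset    # offset pushes inward from that edge
    elif gravity & near == near:        # anchored to LEFT / TOP
        pos = offset
    else:                               # no edge given: centred, offset from centre
        pos = (size - extent) // 2 + offset
    # Assumption: the window is kept on screen (FLAG_LAYOUT_NO_LIMITS not set).
    return max(0, min(pos, size - extent))


def overlay_rect(screen_w, screen_h, w, h, gravity=0, x=0, y=0):
    """Return (left, top, right, bottom) of the overlay in screen pixels."""
    left = place_axis(screen_w, w, x, LEFT, RIGHT, gravity)
    top = place_axis(screen_h, h, y, TOP, BOTTOM, gravity)
    return (left, top, left + w, top + h)


def covers(overlay, target):
    """True if the overlay rectangle intersects the target rectangle."""
    ol, ot, o_r, ob = overlay
    tl, tt, t_r, tb = target
    return ol < t_r and tl < o_r and ot < tb and tt < ob


# Constructed example: rectangle of a sensitive control in the app under review.
SENSITIVE_CONTROL = (300, 900, 780, 1050)

if __name__ == "__main__":
    for label, kwargs in [("bottom-right", {"gravity": BOTTOM | RIGHT}),
                          ("centred", {}),
                          ("x=-400, y=-800", {"x": -400, "y": -800})]:
        rect = overlay_rect(1080, 2160, 400, 400, **kwargs)
        print(label, rect, "covers control:", covers(rect, SENSITIVE_CONTROL))
```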

How do I look?

When it comes to TapJacking attacks, one of the most important things that comes to my mind is the “look” of the FFW. At this point we have to handle the layout’s look as well as the view that we are attaching to it. Starting from the layout parameters, the PixelFormat parameter is the way to go. As in the ‘Gravity’ case, there are a lot of choices, but we will use just a few of them for the sake of simplicity.

In our Android application, modify the button’s visibility by calling the setAlpha function and setting its parameter to 0. As a second step, change the PixelFormat of the LayoutParams to PixelFormat.OPAQUE. Our code should now be as follows:


btn.setAlpha(0);
WindowManager.LayoutParams params = new WindowManager.LayoutParams(900, 900,
        WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
        WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE | WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
        PixelFormat.OPAQUE);
params.x = 0;
params.y = 0;
windowManager.addView(btn, params);
onBackPressed();

Run the application again and ‘enjoy’ a black void in the middle of the screen.

Since this doesn’t help a lot, let’s modify the PixelFormat once again, setting it to TRANSPARENT this time. What do you see?

Not seeing it doesn’t mean that it is not there

You have just created an invisible view right in the middle of the screen, which will stay on top of other applications even when your main activity is finished.

If this doesn’t ring any bells, start playing with the button’s setAlpha function, setting values from 0 to 1 to see what happens.

Finally, use the button’s setBackgroundColor to change it to the colour of your choice.

Summary

In this part we moved a step ahead and started playing with the look of the FFW that we created in PART 1. Stay tuned, as in the next part we are going to modify the behaviour of our FFW and start ‘playing’ with more advanced looks, using the LayoutInflater.
