The run-time permission model on Android Marshmallow was supposed to protect Android devices from apps gathering unnecessary information. However, it has been brought to public attention that some malicious apps on Marshmallow have found a way to tapjack your taps into granting them a permission you never explicitly intended to grant.

For a malicious app to tapjack your device, it needs the screen overlay permission (Permit drawing over other apps). Once it has that permission, it can potentially trick you into feeding it sensitive data. For example, a malicious app with the screen overlay permission could place a fake password input on top of a real login screen in order to collect your password.

How Tapjacking Works

Developer Iwo Banaś created an application to demonstrate the exploit. It works like this:

  • When an app asks for a permission, the malicious app covers the original permission dialog with an overlay showing whatever permission request it wants you to see
  • If you then tap “Allow” on the malicious app’s overlay, you grant it the permission that could put the data on your device at risk, and you won’t know it happened.
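The defensive counterpart to the overlay trick above, as an added example that is not from the article or from the demo app it describes: a custom Android Button that refuses taps delivered while another app's window is drawn over it. Android marks such touches with MotionEvent.FLAG_WINDOW_IS_OBSCURED (and, on API 29+, FLAG_WINDOW_IS_PARTIALLY_OBSCURED); the SecureButton class and package name are hypothetical, the flags and the onFilterTouchEventForSecurity hook are real framework APIs.

```java
package com.example.tapjackingdemo; // hypothetical package name

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

// Hypothetical widget for sensitive actions (e.g. a "Grant", "Pay" or "Login" button).
public class SecureButton extends Button {

    public SecureButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML:
        // the framework drops touches flagged as obscured before onTouchEvent().
        setFilterTouchesWhenObscured(true);
    }

    // Called by the framework for every touch; returning false discards the event.
    // The stock filter only honours the fully-obscured flag, so this override
    // also rejects the partially-obscured case reported on Android 10 and later.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if (isObscuredByAnotherWindow(event)) {
            // Explain why the tap was ignored instead of failing silently.
            Toast.makeText(getContext(),
                    "Tap ignored: another app is drawing over this screen",
                    Toast.LENGTH_SHORT).show();
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    // True when a window owned by another process covers the touch point.
    static boolean isObscuredByAnotherWindow(MotionEvent event) {
        int flags = event.getFlags();
        boolean fullyObscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fullyObscured || partiallyObscured;
    }
}
```

This protects views inside your own app; it cannot stop an overlay placed over the system permission dialog, which is why the patch has to come from the platform vendor.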

The folks over at XDA ran a test to check which of their devices are vulnerable to the tapjacking exploit. Below are the results:

  • Nextbit Robin – Android 6.0.1 with June security patches – Vulnerable
  • Moto X Pure – Android 6.0 with May security patches – Vulnerable
  • Honor 8 – Android 6.0.1 with July security patches – Vulnerable
  • Motorola G4 – Android 6.0.1 with May security patches – Vulnerable
  • OnePlus 2 – Android 6.0.1 with June security patches – Not Vulnerable
  • Samsung Galaxy Note 7 – Android 6.0.1 with July security patches – Not Vulnerable
  • Google Nexus 6 – Android 6.0.1 with August security patches – Not Vulnerable
  • Google Nexus 6P – Android 7.0 with August security patches – Not Vulnerable

via xda

XDA also created APKs that let other users test whether their devices running Android 6.0/6.0.1 Marshmallow are vulnerable to tapjacking. Download the two APKs (the Tapjacking app and the Tapjacking service helper app) from the download links below and follow the instructions to check your device.

  • Download Tapjacking (.apk)
  • Download Tapjacking service (.apk)

How to Check Tapjacking Vulnerability on Android Marshmallow and Nougat devices

  1. Install both marshmallow-tapjacking.apk and marshmallow-tapjacking-service.apk on your device.
  2. Open the Tapjacking app from your app drawer.
  3. Tap the TEST button.
  4. If you see a text box floating on top of the permission window that reads “Some message covering the permission message”, your device is vulnerable to tapjacking. See the screenshot below (Left: Vulnerable | Right: Not vulnerable).
  5. Tapping Allow will list your contacts as it should. But if your device is vulnerable, you have granted the malicious app not only the Contacts permission but other permissions you never saw as well.

If your device is vulnerable, be sure to ask your manufacturer to release a security patch to fix the Tapjacking vulnerability on your device.

How to Safeguard yourself from Tapjacking Vulnerability

If your device has tested positive for the tapjacking vulnerability, we advise you not to grant the Permit drawing over other apps permission to apps you do not fully trust. This permission is the only gateway through which a malicious app can take advantage of this exploit.

Also, always ensure that the apps you install on your device come from a trusted developer and source.
