Merge branch 'master' of https://github.com/carlospolop/hacktricks

carlospolop · carlospolop · commit 454ae145a7f2 · 2026-01-26T11:47:29.000+01:00
diff --git a/src/mobile-pentesting/android-app-pentesting/tapjacking.md b/src/mobile-pentesting/android-app-pentesting/tapjacking.md
@@ -10,15 +10,38 @@ In effect, it is **blinding the user from knowing they are actually performing a
 
 ### Detection
 
-In order to detect apps vulnerable to this attacked you should search for **exported activities** in the android manifest (note that an activity with an intent-filter is automatically exported by default). Once you have found the exported activities, **check if they require any permission**. This is because the **malicious application will need that permission also**.
-
-You can also check the minimum SDK version of the app, checking the value of **`android:minSdkVersion`** in the **`AndroidManifest.xml`** file. If the value is **lower than 30**, the app is vulnerable to Tapjacking.
+* Look for **exported activities** in the Android manifest (an activity with an intent-filter is exported by default). If an exported activity is protected by a permission, the attacking app will need the **same permission**, which limits exploitability.
+* Check the **minimum SDK** version `android:minSdkVersion` in `AndroidManifest.xml`. If it is **lower than 30**, older default behaviors may make tapjacking easier to exploit.
+* At runtime, use `logcat` to spot blocked touches on Android 12+: the system logs `Untrusted touch due to occlusion by <package>` when overlays are filtered.
 
 ### Protection
 
-#### Android 12 (API 31,32) and higher
+#### Android 12+ default blocking & compat flags
+
+Android 12 (API 31) introduced **"Block untrusted touches"**: touches coming from another UID window of type `TYPE_APPLICATION_OVERLAY` (opacity ≥0.8) are dropped. This is enabled by default. During tests you can toggle it:
+
+```bash
+# disable blocking for a specific package (for PoC crafting)
+adb shell am compat disable BLOCK_UNTRUSTED_TOUCHES com.example.victim
+# re‑enable
+adb shell am compat reset BLOCK_UNTRUSTED_TOUCHES com.example.victim
+```
+
+Trusted windows (accessibility, IME, assistant) still receive events. Invisible or fully transparent overlays also bypass the block, which attackers try to abuse by keeping `alpha < 0.8`.
+
+#### Handling **partial occlusion**
+
+Partial overlays that leave the target area visible are not auto-blocked. Mitigate in sensitive views by rejecting events with the **`FLAG_WINDOW_IS_PARTIALLY_OBSCURED`** flag:
 
-[**According to this source**](https://www.geeksforgeeks.org/tapjacking-in-android/)**,** tapjacking attacks are automatically prevented by Android from Android 12 (API 31 & 30) and higher. So, even if the application is vulnerable you **won't be able to exploit it**.
+```java
+@Override
+public boolean onFilterTouchEventForSecurity(MotionEvent event) {
+    if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0) {
+        return false; // drop tap when anything partially obscures us
+    }
+    return super.onFilterTouchEventForSecurity(event);
+}
+```
 
 #### `filterTouchesWhenObscured`
 
@@ -65,6 +88,16 @@ The mitigation is relatively simple as the developer may choose not to receive t
 
 ---
 
+### Recent overlay-based malware techniques
+
+* **Hook/Ermac variants** use nearly transparent overlays (e.g., fake NFC prompts) to capture gestures and lock-screen PINs while forwarding touches underneath, delivered via Accessibility-ATS modules.
+* **Anatsa/TeaBot droppers** ship overlays for hundreds of banking/crypto apps and show full-screen "maintenance" overlays to stall victims while ATS completes transfers.
+* **Hidden-VNC banking RATs** briefly display phishing overlays to capture credentials, then rely on covert VNC plus Accessibility to replay taps with fewer on-device artifacts.
+
+Practical takeaway for red teams: mix an `alpha < 0.8` overlay to bypass Android 12 blocking, then escalate to a full-screen accessibility overlay once the user toggles the service. Instrument `GestureDescription` or a headless VNC to keep control after credentials are captured.
+
+---
+
 ## Accessibility Overlay Phishing (Banking-Trojan Variant)
 
 Besides classic Tapjacking, modern Android banking malware families (e.g. **ToxicPanda**, BrasDex, Sova, etc.) abuse the **Accessibility Service** to place a full-screen WebView **overlay** above the legitimate application while still being able to **forward the user input** to the view underneath.  This dramatically increases believability and allows attackers to steal credentials, OTPs or even automate fraudulent transactions.
@@ -101,9 +134,6 @@ wm.addView(phishingView, lp);
 * From the application side (bank / wallet):
   - Enable **`android:accessibilityDataSensitive="accessibilityDataPrivateYes"`** (Android 14+) on sensitive views to block non-Play-Store services.
   - Combine with `setFilterTouchesWhenObscured(true)` and `FLAG_SECURE`.
-* System hardening:
-  - Disable *Install from Unknown Sources* & *Accessibility for untrusted apps*.
-  - Enforce PlayProtect & up-to-date devices.
 
 For additional details on leveraging Accessibility Services for full remote device control (e.g. PlayPraetor, SpyNote, etc.) see:
 
@@ -113,6 +143,7 @@ accessibility-services-abuse.md
 {{#endref}}
 
 ## References
-* [Bitsight – ToxicPanda Android Banking Malware 2025 Study](https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study)
+* [Android Developers – Tapjacking risk & mitigations (updated 2024)](https://developer.android.com/privacy-and-security/risks/tapjacking)
+* [Zimperium – HOOK v3 overlay expansion (Aug 2025)](https://thehackernews.com/2025/08/hook-android-trojan-adds-ransomware.html)
 
 {{#include ../../banners/hacktricks-training.md}}
