Dangerous Ransomware Technique (ieee.org)
34 points by RyzeBot65 on Dec 7, 2020 | hide | past | favorite | 6 comments



> In the beginning, the malicious app is started by the user. The app creates a full screen view in the foreground. A view is a rectangular area on the screen which is responsible for event handling and drawing. Additionally, it contains UI components such as buttons and text fields [13]. The malicious app opens the preinstalled Google Play Store app in the background. The view of the malicious app overlays the opened Google Play Store app. As a result, the user does not notice that the Google Play Store app is opened. The chargeable app of the attacker is selected in the Google Play Store app. Furthermore, the Google Play Store app contains the button Buy for 50 $.

Is this even possible? Android allows developers to "launch" other applications "behind" the foreground app, and click events actually make it back down to the target app? I find this hard to believe.


I don't know if it used to be possible, but it certainly isn't now by default. If you give accessibility permissions to an app, then it can draw overlays, but otherwise apps cannot overlay other apps.


Also, Android blocks interaction with sensitive UIs when an overlay is in place, e.g. https://android.stackexchange.com/questions/69981/why-cant-i...

I would hope that Google has marked the Google Play popup as a sensitive UI element...
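The framework-level check the comment above refers to is Android's `filterTouchesWhenObscured` mechanism. As an added illustration (not code from the thread or the paper), this view subclass enables it for a purchase button and also rejects touches that arrive while the window is only partially covered; the class name and counter are hypothetical, the framework calls are real Android APIs.

```java
// Added example: a purchase-confirmation button that drops touch events delivered
// while another window overlays it (the tapjacking scenario discussed in the thread).
import android.content.Context;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

public class SecurePurchaseButton extends Button {
    // Hypothetical counter; a real app would report this to its own telemetry.
    private int rejectedTouches = 0;

    public SecurePurchaseButton(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Framework mitigation: touches arriving while a non-trusted window fully
        // covers this view are discarded. Same effect as the XML attribute
        // android:filterTouchesWhenObscured="true".
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        // Set by the system when another window fully covers the touched window.
        boolean fullyObscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // API 29+: also set for overlays (e.g. translucent ones) that cover the
        // window only partially; on older releases the flag is simply never set.
        boolean partiallyObscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (fullyObscured || partiallyObscured) {
            rejectedTouches++;
            // Returning false tells the view system to discard this event, so a
            // tap made "through" an overlay never triggers the purchase action.
            return false;
        }
        // Otherwise defer to the default filter (which honours the flag set above).
        return super.onFilterTouchEventForSecurity(event);
    }

    public int getRejectedTouches() {
        return rejectedTouches;
    }
}
```

The system only sets these flags for windows belonging to other apps, so an app's own dialogs and the status bar do not cause false rejections.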


I have an app installed that essentially draws over the entire view to darken the screen, while all interactions pass through transparently. It can't draw over certain areas, like some popups and the notification bar, but most of that wouldn't matter for malicious interactions.


While this is a pretty cool abuse of the Windows APIs, it seems to me from a first reading that it's not very "dangerous" compared to existing techniques for malware and ransomware to hide their activity. While the user imitating technique seems to have succeeded against typical anti-ransomware methods in a wide slate of antivirus products, these products already fail to detect and stop most actual ransomware in the wild. This is just another way to get around antivirus, and definitely one of the more complicated ones. And the user-imitating technique doesn't help against more advanced antivirus and EDR that analyzes the process tree and would immediately flag the wacky stuff they're doing with cmd.exe.


This is not specific to ransomware. The title of the paper is

Phantom Malware: Conceal Malicious Actions From Malware Detection Techniques by Imitating User Activity



