MobAIsec

Threat Intelligence

Screen Overlay & Clickjacking Fraud

Severity: critical · UI Deception · Presentation Layer

Affected: Mobile Banking · Payments · Crypto Wallets

Threat Intelligence · Fraud / ATS · UI Layer · Android · Critical

Overlay malware draws invisible or deceptive layers over banking UI, tricking users into authorizing transfers or revealing credentials while believing they interact with the legitimate app.

Attack Complexity: Low (only SYSTEM_ALERT_WINDOW or an accessibility grant is needed)
Exploitability: 9.0/10 (commodity banking trojan kits)
Fraud Risk: Critical (direct fund loss)
Regulatory Impact: High (fraud control examinations)

Attack chain

Typical exploitation path in mobile banking

1. Trojan install
2. Overlay grant
3. Bank app open
4. Tap hijack
5. Fraud transfer

Kill Chain

How this attack happens

End-to-end attack timeline observed in mobile banking incidents.

Step 1

Malware install

Trojan sideloaded or delivered via phishing.

Step 2

Overlay permission

User is tricked into granting the trojan SYSTEM_ALERT_WINDOW ("draw over other apps") or enabling its accessibility service.

Step 3

Banking app launched

User opens legitimate banking app.

Step 4

Fake UI overlay

A transparent or look-alike layer sits over Confirm / Pay. Either the user's taps pass through to the real button while the overlay shows them something harmless (tapjacking), or the fake UI captures the taps and keystrokes itself.

Step 5

Unauthorized transfer

Malware confirms attacker-controlled transaction.

Business Impact

Impact on financial institutions

Operational, financial and regulatory consequences for BFSI.

Estimated severity: critical

Unauthorized Transfers (critical impact)

Direct financial loss from hijacked confirmations.

Credential Harvesting (critical impact)

Fake login overlays capture PIN/password.

Regulatory Scrutiny (high impact)

Fraud control deficiencies surfaced in examinations.

Brand Damage (high impact)

Customers blame the bank for malware losses.

ATS Fraud Growth (critical impact)

Automated Transfer System (ATS) modules in banking trojans script the whole transfer inside the victim's session, so one infection scales to many fraudulent payments.

SOC Intelligence

Observed risk signals

Typical APK assessment findings mapped to this threat.

critical

FLAG_SECURE missing on payment screen

Screen content can be captured (screenshots, screen recording, casting). Note that FLAG_SECURE does not itself block overlays, so this is a credential-capture and reconnaissance gap rather than the tap-hijack gap.

high

No overlay detection SDK

No runtime check for windows that other packages holding SYSTEM_ALERT_WINDOW have drawn over the app.

high

Accessibility abuse surface

A malicious accessibility service can read the screen, fill fields and inject taps; the app records no signal about which services are enabled during a payment.

medium

No touch event validation

Touches are accepted without checking MotionEvent.FLAG_WINDOW_IS_OBSCURED or setting filterTouchesWhenObscured, so a tap delivered through an overlay is indistinguishable from a genuine one.

Detection

How MobAIsec detects this threat

Four-phase governance pipeline — deterministic evidence only.

Phase 1

Static Analysis

  • FLAG_SECURE on sensitive activities
  • Overlay detection library presence
  • Touch filtering implementation

Phase 2

Runtime Intelligence

  • Active overlay window detection
  • Accessibility correlation
  • Tap origin validation

Phase 3

Governance Mapping

  • MASVS-PLATFORM-3 (secure use of the UI: overlays and screen capture) and MASVS-RESILIENCE-1 (platform integrity)
  • CBUAE fraud controls
  • EU PSD2 fraud

Phase 4

Evidence Collection

  • Activity-level FLAG_SECURE audit
  • Permission model review
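The Phase 1 checks (FLAG_SECURE on sensitive activities, touch-filtering implementation) and the Phase 4 activity-level FLAG_SECURE audit can be reproduced by a small scanner over an apktool/jadx decode. What follows is an added Kotlin example written for this page, not MobAIsec's pipeline; the manifest, the decompiled sources and the "sensitive activity" name heuristic are all constructed for the example. It credits a FLAG_SECURE set in a shared base Activity to its subclasses, which a plain per-file grep would miss.

```kotlin
// Added example, not MobAIsec's pipeline. Scans an apktool-style decoded manifest
// plus jadx-style decompiled sources; every input below is constructed.
import java.io.ByteArrayInputStream
import javax.xml.parsers.DocumentBuilderFactory

data class Finding(val activity: String, val severity: String, val issue: String)

// Heuristic (assumption): activities whose names suggest auth, OTP or money movement.
private val SENSITIVE_RE = Regex("Login|Pin|Otp|Auth|Transfer|Payment|Confirm", RegexOption.IGNORE_CASE)
// Evidence patterns in decompiled Java; 0x2000 is FLAG_SECURE's value as seen in smali.
private val FLAG_SECURE_RE = Regex("""FLAG_SECURE|0x2000\b""")
private val TOUCH_FILTER_RE = Regex("""[Ff]ilterTouchesWhenObscured|FLAG_WINDOW_IS_OBSCURED""")
private val HIDE_OVERLAY_RE = Regex("""setHideOverlayWindows\(\s*true""")
private val EXTENDS_RE = Regex("""class\s+\w+\s*(?:extends|:)\s*([\w.]+)""")

// Activities declared in the manifest, resolved to fully qualified class names.
fun manifestActivities(manifest: String): List<String> {
    val doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
        .parse(ByteArrayInputStream(manifest.toByteArray()))
    val pkg = doc.documentElement.getAttribute("package")
    val nodes = doc.getElementsByTagName("activity")
    return (0 until nodes.length).mapNotNull { i ->
        nodes.item(i).attributes.getNamedItem("android:name")?.nodeValue
    }.map { if (it.startsWith(".")) pkg + it else it }
}

// Source of the class plus any superclasses present in the decode, so a FLAG_SECURE
// set once in a shared base Activity is credited to every subclass.
fun inheritedSource(fqcn: String, sources: Map<String, String>, seen: MutableSet<String> = mutableSetOf()): String {
    val src = sources[fqcn] ?: return ""
    if (!seen.add(fqcn)) return src
    val parent = EXTENDS_RE.find(src)?.groupValues?.get(1) ?: return src
    val parentKey = sources.keys.firstOrNull { it == parent || it.endsWith(".$parent") } ?: return src
    return src + "\n" + inheritedSource(parentKey, sources, seen)
}

fun audit(manifest: String, sources: Map<String, String>): List<Finding> {
    val findings = mutableListOf<Finding>()
    for (activity in manifestActivities(manifest)) {
        if (!SENSITIVE_RE.containsMatchIn(activity)) continue
        val code = inheritedSource(activity, sources)
        if (code.isEmpty()) { findings += Finding(activity, "info", "no source found for activity"); continue }
        if (!FLAG_SECURE_RE.containsMatchIn(code))
            findings += Finding(activity, "critical", "FLAG_SECURE absent")
        if (!TOUCH_FILTER_RE.containsMatchIn(code))
            findings += Finding(activity, "medium", "no touch filtering (filterTouchesWhenObscured / FLAG_WINDOW_IS_OBSCURED)")
        if (!HIDE_OVERLAY_RE.containsMatchIn(code))
            findings += Finding(activity, "low", "setHideOverlayWindows(true) not used (API 31+)")
    }
    return findings
}

// Constructed inputs: one hardened login screen, one bare transfer screen, one non-sensitive screen.
val SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity"/>
    <activity android:name=".TransferActivity"/>
    <activity android:name=".HelpActivity"/>
  </application>
</manifest>""".trimIndent()

val SAMPLE_SOURCES = mapOf(
    "com.example.bank.SecureActivity" to """
        public abstract class SecureActivity extends AppCompatActivity {
            protected void onCreate(Bundle s) {
                super.onCreate(s);
                getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
            }
        }""",
    "com.example.bank.LoginActivity" to """
        public class LoginActivity extends SecureActivity {
            protected void onCreate(Bundle s) {
                super.onCreate(s);
                setContentView(R.layout.login);
                findViewById(R.id.btn_login).setFilterTouchesWhenObscured(true);
            }
        }""",
    "com.example.bank.TransferActivity" to """
        public class TransferActivity extends AppCompatActivity {
            protected void onCreate(Bundle s) { super.onCreate(s); setContentView(R.layout.transfer); }
        }""",
    "com.example.bank.HelpActivity" to "public class HelpActivity extends AppCompatActivity {}"
)

fun main() {
    for (f in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES)) println("[${f.severity}] ${f.activity}: ${f.issue}")
}
```

Compile and run with `kotlinc Audit.kt -include-runtime -d audit.jar && java -jar audit.jar`. On the constructed inputs, LoginActivity passes the FLAG_SECURE and touch-filter checks (the flag is inherited from SecureActivity) and only gets the low finding, TransferActivity gets all three, and HelpActivity is skipped by the name heuristic. On a real decode, point `sources` at the jadx output keyed by class name; smali-only decodes need the `0x2000` form of the check.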

Mitigation

Recommended banking controls

Layered defenses with coverage, effort and effectiveness ratings.

FLAG_SECURE

Coverage: High

Protects: screenshots, screen recording and casting of the window (it does not stop other apps drawing over it)

Effort

Low

Effectiveness

75%

Apply on auth, OTP, payment and confirmation screens.

Overlay Detection (RASP)

Coverage: Very High

Protects: Active overlay windows

Effort

High

Effectiveness

90%

Commercial example: Promon SHIELD (in-app overlay detection). Approov focuses on API attestation rather than UI protection, as noted under Vendor Intel.

Accessibility Risk Scoring

Coverage: High

Protects: ATS automation

Effort

Medium

Effectiveness

80%

Do not blanket-block a11y — use fraud analytics.

Transaction Signing

Coverage: Very High

Protects: the transaction itself, through out-of-band confirmation of payee and amount

Effort

High

Effectiveness

92%

A hardware token or push-based signer defeats UI-only overlays, provided the signing prompt shows the real payee and amount (what you see is what you sign); a bare "Approve?" push can itself be socially engineered through the overlay.
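One way to close the four gaps listed under Observed risk signals and to implement the FLAG_SECURE and touch-validation controls above inside the app itself, as an added Kotlin example written for this page (not MobAIsec's code and not any vendor SDK). It assumes a layout `activity_confirm_transfer` with a `btn_confirm` button and an app-specific backend client `TransferApi`; those names are placeholders. Transaction signing is not shown because it happens out of band; active detection of overlay windows beyond the platform's obscured flags is what a RASP SDK adds on top of this.

```kotlin
// Added example, not MobAIsec or vendor code. Layout id, button id and TransferApi
// are assumed placeholders for a real banking app.
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.Button
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity

class ConfirmTransferActivity : AppCompatActivity() {

    private var overlayEvents = 0
    private lateinit var confirm: Button

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Control 1: FLAG_SECURE, set before setContentView so the surface is created
        // secure. Blocks screenshots, screen recording and casting to non-secure
        // displays. It does NOT stop other apps drawing over this window.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        // Platform-native overlay suppression on Android 12+ (API 31): the system hides
        // untrusted TYPE_APPLICATION_OVERLAY windows above this window. Requires
        // <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        setContentView(R.layout.activity_confirm_transfer)   // assumed layout
        confirm = findViewById(R.id.btn_confirm)              // assumed id

        // Control 2: touch filtering. The framework drops touches delivered while another
        // window covers the view (same as android:filterTouchesWhenObscured="true" in
        // XML). Apply to every Confirm / Pay / Submit-OTP button.
        confirm.filterTouchesWhenObscured = true
        confirm.setOnClickListener { submitTransfer() }
    }

    // Control 3: inspect every touch at the Activity level. FLAG_WINDOW_IS_OBSCURED means
    // another window covered the touched point; FLAG_WINDOW_IS_PARTIALLY_OBSCURED
    // (API 29+) means an overlay covers some other part of our window. Swallow the
    // event rather than let a possibly hijacked tap reach any button.
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        val fully = (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partly = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (fully || partly) {
            onOverlayDetected(if (fully) "obscured" else "partially_obscured")
            return true
        }
        return super.dispatchTouchEvent(ev)
    }

    private fun onOverlayDetected(kind: String) {
        overlayEvents++
        Log.w("OverlayGuard", "touch blocked: $kind")
        confirm.isEnabled = false   // fail closed on this screen until it is recreated
        Toast.makeText(this, "Another app is drawing over this screen. Close it and try again.",
            Toast.LENGTH_LONG).show()
    }

    // Control 4: accessibility risk signal. List enabled services that are not part of the
    // system image. Do NOT blanket-block (legitimate assistive tech uses the same API);
    // hand the list to fraud analytics so it can step up to transaction signing when an
    // unknown service is active during a payment.
    fun nonSystemAccessibilityServices(): List<String> {
        val am = getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .filter { info ->
                val app = info.resolveInfo.serviceInfo.applicationInfo
                (app.flags and (ApplicationInfo.FLAG_SYSTEM or ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) == 0
            }
            .map { it.id }   // e.g. "com.some.pkg/.SomeService"
    }

    private fun submitTransfer() {
        val riskSignals = mapOf(
            "a11y_services" to nonSystemAccessibilityServices(),
            "overlay_events" to overlayEvents,
            "hide_overlays_supported" to (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S)
        )
        // Assumed app-specific client; the backend uses riskSignals to decide whether to
        // require out-of-band transaction signing before releasing the payment.
        TransferApi.submit(intent.extras, riskSignals)
    }
}
```

The order matters: FLAG_SECURE and setHideOverlayWindows must be applied before the content view is attached, and `filterTouchesWhenObscured` is per view, so a helper that walks the hierarchy (or the XML attribute on every clickable) is the practical way to cover all buttons. The obscured flags are set by the input system itself, so an overlay that uses FLAG_NOT_TOUCHABLE to pass taps through still trips them; what they cannot tell you is which package drew the overlay, which is where a RASP SDK or fraud backend correlation comes in.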

Regulatory Intel

Banking regulations requiring this protection

Compliance confidence and mapped control counts per jurisdiction.

UAE (CBUAE): mandatory. Compliance confidence 94%; 12 mapped controls.

India (RBI): recommended. Compliance confidence 88%; 9 mapped controls.

Singapore (MAS): required. Compliance confidence 96%; 11 mapped controls.

EU (EBA / PSD2): required. Compliance confidence 91%; 10 mapped controls.

United States (FFIEC): strongly recommended. Compliance confidence 85%; 8 mapped controls.

Framework Alignment

Security framework alignment

How this threat maps across MASVS, OWASP Mobile, PCI DSS, PSD2, NIST and DORA.

Control | MASVS | OWASP Mobile | PCI DSS | PSD2 | NIST | DORA
Overlay prevention
Screen protection
Fraud controls

Executive Summary

Executive risk summary

Board-ready risk dimensions and impact heatmap.

Risk score: 31 (lower = higher residual risk)

Likelihood: 90%
Impact: 95%
Exploitability: 90%
Compliance Risk: 82%

Impact heatmap (L = likelihood, I = impact)

Fraud: L 92%, I 98%
ATS: L 88%, I 95%
Credential theft: L 80%, I 85%

Vendor Intel

Enterprise protection vendors

RASP, attestation and device-trust solutions for banking programs.

Promon SHIELD

Best for banking RASP

Enterprise

Banking: excellent

Pros

  • Deep overlay + root detection
  • Banking reference customers

Limitations

  • Enterprise pricing
  • Integration effort

Approov

Strong API integrity

Enterprise

Banking: excellent

Pros

  • Runtime attestation
  • Certificate pinning as a service

Limitations

  • Less native UI protection

Zimperium

Mobile threat defense

Enterprise

Banking: good

Pros

  • On-device threat intel
  • MDM integration

Limitations

  • Complex deployment

Appdome

No-code runtime protection

Mid-market

Banking: good

Pros

  • Fast time-to-market
  • Broad control library

Limitations

  • Less granular evidence

Google Play Integrity

Baseline device trust

Platform / Free

Banking: baseline

Pros

  • Platform-native
  • Low integration cost

Limitations

  • Not sufficient alone for L3

APK Preview

APK threat intelligence preview

Sample assessment output for Overlay Attacks exposure.

Simulated report

Risk score

31

/ 100

2 critical findings

Observed risks

  • FLAG_SECURE absent on transfer
  • No overlay detection

Mapped controls

MASVS-RESILIENCE · UAE CB Fraud · PSD2


FAQ

Threat intelligence FAQ

SEO-optimized answers for security and governance teams.

How do overlay attacks work on Android?

Malware that holds SYSTEM_ALERT_WINDOW (the "draw over other apps" permission) adds a window of type TYPE_APPLICATION_OVERLAY on top of the banking app. A transparent, touch-transparent overlay shows the user one thing while their taps land on the real Confirm/Pay button underneath; a look-alike overlay instead captures the taps and keystrokes itself to harvest the PIN or password.

Does FLAG_SECURE stop overlay attacks?

It stops the window's content appearing in screenshots, screen recordings and on non-secure displays, which closes one credential-capture vector, but it does not prevent other apps from drawing over the window. Pair it with filterTouchesWhenObscured or obscured-flag checks on sensitive buttons and with active overlay detection.

What is ATS fraud?

Automated Transfer System fraud uses accessibility and overlays to authorize transfers without user awareness.

Take action

Validate your banking APK against Overlay Attacks

Upload your Android banking app for evidence-backed threat intelligence — no hallucinated findings.

  • Threat exposure score
  • Runtime hardening analysis
  • Banking compliance mapping
  • Fraud readiness score
  • Executive PDF report
  • Remediation guidance