
After many attempts, we have finally gotten it into our heads that it is essential that we read the small print before we install any application on our devices. If it mentions anything that strays far from what the app is about (for example, a flashlight that tries to use your GPS) it’s best to ignore it unless you are completely confident in the product.

Just because an application requires a lot of permissions to be installed doesn’t mean that there is anything to be concerned about, but it should still serve as a caution. Luckily, the majority of people are aware of this and look at the small print in detail, leaving cyber attackers to look for other ways to trap their victims.

One of their more dangerous techniques is known as tapjacking – a weakness in the Android operating system that allows for malicious activity to be hidden under the guise of a regular app. This technique lets malware, which could potentially steal credit card details, disguise itself as an inoffensive videogame application.


In February of this year Google released its Android Security Acknowledgements and included on this list were two investigators – Stephan Huber and Siegfried Rasthofer. They were thanked for their help in detecting the possible security breach and for helping the company to uncover how these attacks were being carried out.

How Tapjacking Works

It works in a surprisingly simple way – you download an application and open it, which triggers the installation of a second, this time malicious, application. Then, when you press a button on the seemingly innocent application, you are actually clicking a button on the malicious application that is hidden within it. So, as its name suggests, the trap is in the tap.

So, imagine this scenario. You have downloaded an application and on the main screen there is a button that says “Start Game”. You click it to begin but, unbeknownst to you, this has triggered the downloading of the dangerous malware. On the next screen you continue clicking away, oblivious to the dangers, and without realizing you have accepted the terms and conditions of the dangerous malware that has hidden itself on your cellphone.

In the video below we have a clear example of how this form of attack works – the user clicks on “Start Now” to begin downloading images of adorable kittens and, without realizing, grants permission to the attacker to take screenshots on the device.


How the attack works is a lot easier than it might seem. This is due to the type of pop-up notifications that were developed by the programmers of Android applications. They were developed to give alerts to users – such as the one that appears if the battery is running low – but if they appear in full screen and with a button that doesn’t react to your clicks, then they are in fact a dangerous tool used by cybercriminals.
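For app developers, Android ships a built-in defence against exactly the overlay trick described above: a view can be told to discard any touch that arrives while another window is drawn on top of it, and the touch event itself carries a flag saying whether the window was obscured. The following Activity is an added example written for this page, not code from the original article or from the researchers it cites; the package name, layout (`R.layout.activity_payment`) and button id (`R.id.confirm_button`) are hypothetical, while `setFilterTouchesWhenObscured` and `MotionEvent.FLAG_WINDOW_IS_OBSCURED` are real Android framework APIs.

```java
// Added example (not part of the original article): protecting a sensitive
// button against tapjacking overlays. Package, layout and ids are hypothetical.
package com.example.tapjackingdefense;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

public class PaymentActivity extends Activity {

    private static final String TAG = "TapjackingDefense";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_payment);

        Button confirm = findViewById(R.id.confirm_button);

        // Defence 1: ask the framework to drop touches that are delivered while
        // another window (for example a SYSTEM_ALERT_WINDOW overlay from a
        // different app) covers this view. This is the programmatic form of
        // android:filterTouchesWhenObscured="true" in the layout XML.
        confirm.setFilterTouchesWhenObscured(true);

        // Defence 2: inspect the event ourselves so the app can log the attempt
        // and tell the user why nothing happened, instead of silently ignoring it.
        confirm.setOnTouchListener((view, event) -> {
            boolean obscured =
                    (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            if (obscured) {
                Log.w(TAG, "Touch received while window was obscured; rejected");
                Toast.makeText(this, "Close any floating window before confirming",
                        Toast.LENGTH_SHORT).show();
                return true;   // consume the event: onClick is never invoked
            }
            return false;      // window is not obscured: normal click handling runs
        });

        confirm.setOnClickListener(v -> confirmPayment());
    }

    private void confirmPayment() {
        // The sensitive action (placeholder for the real payment logic).
        Log.i(TAG, "Payment confirmed by an unobscured tap");
    }
}
```

Defence 1 alone is enough for most screens; Defence 2 is shown so that a rejected tap becomes a log line a security team can look for. The check only covers windows drawn fully over the view; newer platform versions also expose a partially-obscured flag, and an app that needs that stricter behaviour should test for it as well.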

Apart from installing the malware and tricking you into accepting the terms of installation, the attacker can use tapjacking to steal your passwords or to even carry out actions using your bank details.

The key to protecting yourself from this attack is, yet again, in the permission stage. Even though these dangerous applications don’t request a lot of information before being installed, there is one thing which they all have in common – they will ask for permission to show system alert windows, something which isn’t common in other types of applications. If this happens to you, be wary. Check out reviews and opinions from other users on Google Play and ask yourself whether you trust the application’s creator.

A good antivirus could also come to your rescue in this situation. Just because you can’t see the danger doesn’t mean it’s not there. Fortunately, our security tools are there to shine the light on it.