Tapjacking in Android devices can lead to malware download

The functionality of overlaying multiple activities in Android API can be combined with handling of events to trick users into downloading malicious applications without the user's knowledge.

The authorization  « android.permission.SYSTEM_ALERT_WINDOW » existing since the first version of the developer API and affecting even the last version of the application « Google Play Store »  can be used to create alerts which always stays on the top e.g. low battery levels which are used in the systems. Now, this alert window can be not touchable.

This not touchable window can be programmed so that touch events are never transmitted to this window or touch events can be automatically transmitted to underlying activity. So, utilizing the android API functionality a different event window can be placed underneath this not touchable window.

Since the alert window can be utilized to communicate touch events to an underlying window, the attacker can place buttons and images at right locations for the victims to touch it. It would then be relayed to the window beneath which would cause a application to be downloaded without any intent of the user.

Increasingly as the users have become alert towards downloading apps which ask for control to contacts, texts or images, the challenge to the attackers lie in tricking the users to  download without even showing the app terms and policies. 

So,this "tapjacking" can be applied by attackers to lead users to download malicious apps. It can be conducted in games or any other kinds of applications. Though a theoretical security issue till now, technically, this method can be exploited to infect all kinds of Android devices, irrespective of the version. It has been tested on Nexus 4 under Android 4.3,Android 4.4 and Nexus 5 under Android 4.4 by NES security lab and a notification has been sent to the Android security team for its resolution.