A new type of attack against mobile applications is posing a growing threat to crypto users, according to July 18 statements from Asaf Ashkenazi, CEO of cybersecurity firm Verimatrix.

The threat is known as an “overlay attack.” It works by drawing a fake interface over the real one on the user’s device. That interface is then used to phish information from the user, including usernames, passwords and even 2FA codes, Ashkenazi stated. Once the attacker has this information, they enter it into the real interface of the target application themselves.

To carry out an overlay attack, the attacker first needs to convince the user to install an application on their mobile device. Overlay malware is usually disguised as a game or another fun application. When the user opens the app, it appears to work as intended.

“Whatever game it is, [it] could be even [...] a copy of a popular game and it will do this functionality,” Ashkenazi stated. Because the app works as intended, the user generally doesn’t suspect that it is malicious.

In fact, the app “doesn’t have any malicious activity besides one thing, it monitors when [...] the target app is launched.” The target app could be a banking app, crypto exchange, crypto wallet or other sensitive application. Once the user launches the target app, the malicious app draws an “exact same copy” of the target app’s interface on top of it.

For example, if the user launches their exchange app, the malicious app draws a fake user interface that looks identical to the exchange’s login screen but is controlled by the attacker. Whatever the user enters into the fake interface is captured by the attacker, who then enters it into the real app and gains access to the account.

Ashkenazi warned that two-factor authentication (2FA) usually cannot protect the user against this kind of attack. If 2FA is enabled, the attacker simply waits for the user to type their text-message or authenticator-app code into the fake interface, where it is captured just like the other credentials. The codes exposed this way are one-time passcodes the user has to type; phishing-resistant methods such as FIDO2 security keys or passkeys never ask the user to type a secret that an overlay could capture.


In many cases, the malicious app then blanks the user’s screen, making them believe their phone has run out of power or crashed. “Once they [get] into your account, they put the black screen on your phone,” the Verimatrix CEO stated. “So your phone is still running, but you cannot see anything[,] [s]o you think that your phone is dead.” This gives the attackers time to drain the victim’s accounts, as the victim is unlikely to realize they are under attack until it is too late.

Ashkenazi stated that banking apps are among the biggest targets of overlay attacks. However, crypto exchanges are also at risk, since they rely on the same username/password/2FA login flow that banking apps use. The CEO said he had not yet seen a non-custodial crypto wallet app targeted by this attack, but that could change in the future.

Ashkenazi emphasized that overlay attacks run on the user’s own device, the same device that holds a wallet’s private key and displays the transaction-confirmation prompt, so requiring a cryptographic signature for each transaction will not necessarily protect the user: the confirmation screen can be overlaid just like the login screen.

Verimatrix has tried to work with Google to remove overlay malware from the Google Play Store, but catching all of it is difficult. Unlike most malicious apps, overlay malware performs no malicious action until the user opens the target app.

For this reason, these apps usually look innocent when malware-detection programs screen them. “They see a game, they don't see the malicious activity because it doesn't do anything,” Ashkenazi stated.

He recommended that centralized services deploy monitoring that detects overlay conditions from inside their applications and blocks the affected session on the server side. This is one of the services Verimatrix sells to clients.
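As an added illustration of what such in-app monitoring can hook into, the Android login screen below is example code written for this page; it is not Verimatrix’s product and not code from the article. The layout, the view ids and the reportOverlaySignal() hook are assumptions. Window.setHideOverlayWindows, View.filterTouchesWhenObscured, the MotionEvent obscured flags and Activity.onWindowFocusChanged are real Android framework APIs. The focus-loss check is the one that fires for the attack described above, because a fake screen that accepts typing must be a focusable window, and it takes focus from the real app without pausing it.

```kotlin
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity
import androidx.lifecycle.Lifecycle

// Hypothetical login screen for a custodial exchange/wallet app.
// Layout, view ids and reportOverlaySignal() are assumptions for the example;
// the Window, View, MotionEvent and lifecycle calls are platform APIs.
class LoginActivity : AppCompatActivity() {

    private lateinit var password: EditText
    private lateinit var otp: EditText

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_login)   // assumed layout
        password = findViewById(R.id.password)    // assumed ids
        otp = findViewById(R.id.otp)

        // Android 12+ (API 31): ask the window manager not to draw other apps'
        // overlay windows above this one. Needs the normal-level permission
        // android.permission.HIDE_OVERLAY_WINDOWS in the manifest. Older OS
        // versions and overlays drawn through an accessibility service are
        // not covered, so the checks below are still needed.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        // Tapjacking defence: drop touches delivered while another window
        // covers the view. The framework marks such events with
        // MotionEvent.FLAG_WINDOW_IS_OBSCURED and the view discards them.
        password.filterTouchesWhenObscured = true
        otp.filterTouchesWhenObscured = true
    }

    // Record obscured touches before the views silently discard them. A tap
    // carrying FLAG_WINDOW_IS_OBSCURED or FLAG_WINDOW_IS_PARTIALLY_OBSCURED
    // came through a window this app does not own.
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        var obscured = (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured = obscured ||
                (ev.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        }
        if (obscured && ev.actionMasked == MotionEvent.ACTION_DOWN) {
            reportOverlaySignal("obscured_touch_on_login")
        }
        return super.dispatchTouchEvent(ev)
    }

    // The attack in the article takes the screen while the target app is in
    // the foreground. A fake UI that accepts typing must be a focusable
    // window, so the real activity loses window focus without being paused.
    // Focus loss while still RESUMED is the signal; a normal app switch
    // pauses this activity first.
    override fun onWindowFocusChanged(hasFocus: Boolean) {
        super.onWindowFocusChanged(hasFocus)
        if (!hasFocus && lifecycle.currentState == Lifecycle.State.RESUMED) {
            // Something else is on top while we are still the foreground
            // activity. Clear any partially typed secret and tell the backend
            // so the login that follows can be risk-scored.
            password.text.clear()
            otp.text.clear()
            reportOverlaySignal("focus_lost_while_resumed")
        }
    }

    // Assumed telemetry hook; a real client would send this to the
    // server-side monitoring the article recommends. System dialogs and the
    // notification shade also take focus, so the backend should treat this
    // as a risk signal to correlate with the session, not proof of compromise.
    private fun reportOverlaySignal(kind: String) {
        Log.w("OverlayGuard", "signal=$kind")
    }
}
```

Note what the example does not do: an overlay that replaces the whole login screen never passes any touch to the real app, so the obscured-touch check is only useful against partial overlays and older tapjacking tricks, and setHideOverlayWindows does nothing on devices before Android 12. The focus-loss report is what gives the server side something to act on, which is why the recommendation above is to block on the server rather than in the client alone.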

However, he suggested that consumers can take action to protect themselves even if their favorite apps do not use such monitoring services.

First, users should be skeptical of applications that appear too good to be true. “If you see something that gives you games that usually cost money or something that is really good and it's free, [...] you need to suspect it,” he stated. Second, users should not grant apps permissions they don’t need: an overlay attack cannot be performed unless the user has granted the app permission to draw over other apps (on Android, the “Display over other apps” setting, which corresponds to the SYSTEM_ALERT_WINDOW permission). A game has no legitimate reason to ask for it.

Third, parents should consider getting a separate mobile device for their children, as Verimatrix found in its research that many overlay malware apps are downloaded by children without their parents’ knowledge, because attackers often disguise their apps as games that appeal to children.

“If you can afford it and you have something that is fun for the kids, don’t mix,” the CEO stated. “Let them do the fun. But then don't access anything important from that device.”

Malware continues to threaten crypto users. On March 29, malware database Vx-underground warned that Call of Duty cheaters were having their Bitcoin stolen by their cheat software. In January, another set of crypto-draining malware targeted users of pirated apps that run on macOS devices.
