Tapjacking
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Tapjacking is an attack where a malicious application is launched and positions itself on top of a victim application. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app. In effect, it is blinding the user from knowing they are actually performing actions on the victim app.
In order to detect apps vulnerable to this attacked you should search for exported activities in the android manifest (note that an activity with an intent-filter is automatically exported by default). Once you have found the exported activities, check if they require any permission. This is because the malicious application will need that permission also.
filterTouchesWhenObscured
If android:filterTouchesWhenObscured
is set to true
, the View
will not receive touches whenever view's window is obscured by another visible window.
setFilterTouchesWhenObscured
The attribute setFilterTouchesWhenObscured
set to true can also prevent the exploitation of this vulnerability if the Android version is lower.
If set to true
, for example, a button can be automatically disabled if it is obscured:
Follow the README instructions to use it.
It looks like this project is now unmaintained and this functionality isn't properly working anymore
Sometimes it is essential that an application be able to verify that an action is being performed with the full knowledge and consent of the user, such as granting a permission request, making a purchase or clicking on an advertisement. Unfortunately, a malicious application could try to spoof the user into performing these actions, unaware, by concealing the intended purpose of the view. As a remedy, the framework offers a touch filtering mechanism that can be used to improve the security of views that provide access to sensitive functionality.
, tapjacking attacks are automatically prevented by Android from Android 12 (API 31 & 30) and higher. So, even if the application is vulnerable you won't be able to exploit it.
The most recent Android application performing a Tapjacking attack (+ invoking before an exported activity of the attacked application) can be found in: .
An example project implementing FloatingWindowApp, which can be used to put on top of other activities to perform a clickjacking attack, can be found in (a bit old, good luck building the apk).
You can use with the --exploit-apk
--sdk-path /Users/username/Library/Android/sdk
parameters to create a malicious application to test for possible Tapjacking vulnerabilities.\
The mitigation is relatively simple as the developer may choose not to receive touch events when a view is covered by another. Using the :
To enable touch filtering, call or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.