Harmless Android malware using the overlay technique to steal user credentials.
UPDATE: starting with Android 5.1, the ActivityManager.getRunningAppProcesses API doesn't return all processes running on the system anymore. We moved to a more naive solution which doesn't require any permissions; for more information press here.
This software is intended to sensitize users to this kind of attack. Don't use it for any other purposes!
In the main screen you can select which applications are going to be overlaid (currently LinkedIn, Skype, and UBS Mobile App). Furthermore, you can choose the type of overlay:
- View overlay with WindowManager.addView
- Activity overlay with startActivity
The application has been tested on Nexus 5 with Android 6 (Real device) and Nexus 5X with Android 4.4.2 (Emulator).
For more background information about overlays please check our last blog post.


