How overlay attacks work

An overlay attack exploits Android's ability for one app to draw on top of another. The malware monitors which app the user opens. When it detects a targeted financial app—your mobile money platform—it immediately draws a pixel-perfect fake login screen on top of the real one. The user sees what looks like a normal login. Every credential they enter goes directly to the attacker's command-and-control server.

The attack chain is typically: the user installs a seemingly harmless app (a flashlight, file manager, or "system update"); that app asks for the SYSTEM_ALERT_WINDOW permission ("Display over other apps", which the user has to grant in Settings) or talks the user into enabling it as an Accessibility Service, which both lets it draw windows and tells it, through accessibility events, which app is in the foreground; then it waits. When the target app launches, the overlay fires.

The accessibility service vector

Android's Accessibility Service was designed to help users with disabilities interact with their devices. But it gives an app extraordinary power: reading screen content, intercepting input events, performing actions on behalf of the user, and drawing overlays. Modern banking trojans abuse this service extensively.

Once a malicious app is enabled as an Accessibility Service it can read every character typed into any app (keylogging), capture screen content, perform actions like confirming transfers (auto-clicking "Confirm" buttons), read OTP notifications, click through its own permission prompts, and draw overlays without the SYSTEM_ALERT_WINDOW permission, because accessibility services may create their own overlay window type. It is the single most dangerous permission on Android for financial app users.

Malware targeting African mobile money

Several banking trojan families have been observed targeting African financial apps, Nigerian and Kenyan platforms among them:

Anubis

Originally targeting European banks, Anubis has expanded its target list to include African mobile money apps. It uses overlay attacks, keylogging, and SMS interception. Distributed through fake apps on Google Play and third-party APK stores popular in Nigeria.

Cerberus / Alien

Cerberus and its successor Alien use Accessibility Service abuse for overlay injection and automated transfers. Their source code was leaked in 2020, spawning numerous variants—some with specific targeting templates for Nigerian and Kenyan fintech apps.

Hook

A newer trojan derived from Ermac, Hook includes VNC-like remote access capabilities. Attackers can watch the victim's screen in real-time and perform account takeover by remotely controlling the device while the victim sleeps. It has been observed targeting apps in the African fintech sector.

Market context

Why Nigeria is increasingly targeted

Nigeria's mobile money and digital banking adoption has exploded. As transaction volumes grow, so does attacker interest. The prevalence of sideloaded APKs (from third-party stores and WhatsApp shares), lower Android security patch levels on affordable devices, and growing transaction values make Nigerian mobile money platforms attractive targets. Read more in our analysis of why Nigerian fintechs are targeted.

How your app can defend itself

1. Detect and block overlays

Android provides the filterTouchesWhenObscured attribute for views (android:filterTouchesWhenObscured="true" in a layout, or setFilterTouchesWhenObscured(true) in code). Set it on sensitive views (PIN pad, password fields, transfer-confirmation buttons) and the view discards any touch that arrives while another window is drawn over it. Be precise about what this buys you: it defeats tapjacking, where a transparent or misleading overlay lets the touch pass through to your real button, and it turns an obscured touch into a signal you can act on. It does not by itself stop the attack described above, where the victim types into the attacker's opaque fake screen and your real window receives nothing at all; that case needs the accessibility, integrity and authentication controls that follow. Since Android 12 the system also blocks touches that pass through untrusted overlays above a configured opacity threshold, but the older devices common in the Nigerian market still rely on the attribute.

Additionally, override onFilterTouchEventForSecurity(MotionEvent) on your custom views to inspect the event flags yourself: FLAG_WINDOW_IS_OBSCURED means the touch passed through a window that covers yours, and FLAG_WINDOW_IS_PARTIALLY_OBSCURED (API 29 and later) catches a small translucent strip laid over part of the view. If either flag is set, drop the touch and treat it as a security event: warn the user and log it for your fraud team.
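An added example (not code from the original article) of a transfer-confirmation button that applies both checks. The class name, the onObscuredTouch hook and the ACTION_DOWN-only reporting are assumptions for illustration; the Android APIs it calls are real.

```kotlin
// Added example: a confirmation button that drops touches arriving through an
// overlay and reports them once per gesture.
import android.content.Context
import android.os.Build
import android.util.AttributeSet
import android.view.MotionEvent
import androidx.appcompat.widget.AppCompatButton

class ObscuredAwareButton @JvmOverloads constructor(
    context: Context,
    attrs: AttributeSet? = null,
    defStyleAttr: Int = 0,
) : AppCompatButton(context, attrs, defStyleAttr) {

    // Hypothetical hook: the hosting screen wires this to a warning dialog and a
    // fraud-telemetry event. `partial` is true when only part of the view is covered.
    var onObscuredTouch: ((partial: Boolean) -> Unit)? = null

    init {
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML.
        filterTouchesWhenObscured = true
    }

    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val flags = event.flags
        val fullyObscured = (flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        // The partial flag exists from API 29; a translucent strip over one
        // corner of the button is enough to set it.
        val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0

        if (fullyObscured || partiallyObscured) {
            // Report on first contact only, so a drag does not flood telemetry.
            if (event.actionMasked == MotionEvent.ACTION_DOWN) {
                onObscuredTouch?.invoke(!fullyObscured)
            }
            return false // swallow the touch: the click listener never fires
        }
        return super.onFilterTouchEventForSecurity(event)
    }
}
```

In the transfer screen, assign the hook once (`confirmButton.onObscuredTouch = { partial -> showOverlayWarning(partial) }`, where showOverlayWarning is your own dialog). Returning false from onFilterTouchEventForSecurity is what actually blocks the click; the callback is only there so that a blocked tap becomes a visible warning and a logged event rather than a silently dead button.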

2. Detect Accessibility Service abuse

Your app can query AccessibilityManager.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK) to list the accessibility services that are currently enabled, and each AccessibilityServiceInfo tells you which package provides it and what it is allowed to do (retrieve window content, perform gestures). If an unknown service is running, warn the user or restrict sensitive operations until it is disabled. Be careful to avoid blocking legitimate accessibility tools such as TalkBack: maintain an allow-list of recognised packages and focus on services outside it, weighting those that can both read the screen and act on it. As a fallback that does not go through AccessibilityManager (whose results may be subject to package-visibility filtering on Android 11 and later), the Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES string holds the same list as colon-separated package/service components.
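An added example (not code from the original article) that enumerates enabled services and classifies the unrecognised ones by capability. The allow-list contents and the blocking policy at the end are assumptions you would tune for your user base; the TalkBack package name is the real one.

```kotlin
// Added example: enumerate enabled accessibility services and flag any outside
// an allow-list, weighted by what they are capable of.
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.provider.Settings
import android.view.accessibility.AccessibilityManager

// Assumption: an allow-list you maintain. TalkBack ships inside the Android
// Accessibility Suite under this package; add the OEM tools your users rely on.
private val TRUSTED_ACCESSIBILITY_PACKAGES = setOf(
    "com.google.android.marvin.talkback",
)

data class AccessibilityRisk(
    val packageName: String,
    val serviceId: String,           // "package/ServiceClass"
    val canReadScreen: Boolean,      // can retrieve window content (keylogging, OTP reading)
    val canPerformGestures: Boolean, // can tap and swipe for the user (auto-confirm)
)

fun findUntrustedAccessibilityServices(context: Context): List<AccessibilityRisk> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    // FEEDBACK_ALL_MASK: do not filter by feedback type; a trojan can declare any.
    val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
    return enabled.mapNotNull { info ->
        val pkg = info.resolveInfo?.serviceInfo?.packageName ?: info.id.substringBefore('/')
        if (pkg in TRUSTED_ACCESSIBILITY_PACKAGES) return@mapNotNull null
        val caps = info.capabilities
        AccessibilityRisk(
            packageName = pkg,
            serviceId = info.id,
            canReadScreen = (caps and AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0,
            canPerformGestures = (caps and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0,
        )
    }
}

// Fallback that does not go through AccessibilityManager: the raw settings value
// is a colon-separated list of "package/service" components.
fun enabledAccessibilityComponents(context: Context): Set<String> =
    Settings.Secure.getString(context.contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES)
        ?.split(':')
        ?.filter { it.isNotBlank() }
        ?.toSet()
        ?: emptySet()

// Assumed policy: block the sensitive flow only when an unknown service can both
// read the screen and act on it; otherwise warn and let the user proceed.
fun shouldBlockSensitiveFlow(risks: List<AccessibilityRisk>): Boolean =
    risks.any { it.canReadScreen && it.canPerformGestures }
```

Run findUntrustedAccessibilityServices in onResume of the login and transfer screens rather than once at startup, since the user can enable a service while your app is in the background. Report the flagged package names to your backend too: a sudden rise in one unknown service across many accounts is an early indicator of a campaign.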

3. Implement device integrity checks

Use Google's Play Integrity API (the successor to SafetyNet Attestation) to verify device integrity. Your app requests a token bound to a nonce issued by your server; your server decodes the token through Google and receives verdicts for the device (MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY, and an empty verdict for rooted devices, unlocked bootloaders and emulators), for the app binary (whether Play recognises that exact build) and for the Play account. Always evaluate the verdict on the server: a client-side check is trivially patched out by the same malware or hooking framework you are defending against. Require the check before high-value transactions, and decide in advance what you do with a failing device, since a hard block on every rooted or sideloaded phone will lock out some genuine customers.
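An added example (not the article's or Google's own code) showing both halves of the flow: the client call that obtains a token for a server-issued nonce, and the server-side decision over the decoded verdict JSON. The decoded-verdict field names match the Play Integrity documentation; the freshness window, the org.json parsing and the decision rules are assumptions.

```kotlin
// Added example: Play Integrity request on the client and verdict evaluation on
// the server. The server obtains `decodedJson` by calling Google's
// decodeIntegrityToken endpoint with the token the client sends up.
import android.content.Context
import com.google.android.play.core.integrity.IntegrityManagerFactory
import com.google.android.play.core.integrity.IntegrityTokenRequest
import org.json.JSONObject

// Client: the nonce must come from the server, be single-use, and be bound to the
// transaction (for example a hash of amount, recipient and session id). Play
// Integrity requires it to be URL-safe base64 of 16 to 500 bytes.
fun requestIntegrityToken(
    context: Context,
    serverNonce: String,
    onToken: (String) -> Unit,
    onError: (Exception) -> Unit,
) {
    val manager = IntegrityManagerFactory.create(context)
    val request = IntegrityTokenRequest.builder().setNonce(serverNonce).build()
    manager.requestIntegrityToken(request)
        .addOnSuccessListener { response -> onToken(response.token()) }
        .addOnFailureListener { e -> onError(e) }
}

data class IntegrityDecision(val allow: Boolean, val reason: String)

// Server: every check here is the server's, never the client's.
fun evaluateVerdict(
    decodedJson: String,
    expectedNonce: String,
    expectedPackage: String,
    nowMillis: Long,
    maxAgeMillis: Long = 5 * 60 * 1000L, // assumed freshness window
): IntegrityDecision {
    val verdict = JSONObject(decodedJson)
    val req = verdict.optJSONObject("requestDetails")
        ?: return IntegrityDecision(false, "missing requestDetails")

    // Nonce binding defeats token replay; package check defeats tokens minted
    // by some other app on the same device.
    if (req.optString("nonce") != expectedNonce) return IntegrityDecision(false, "nonce mismatch")
    if (req.optString("requestPackageName") != expectedPackage) return IntegrityDecision(false, "package mismatch")
    val issued = req.optString("timestampMillis").toLongOrNull()
        ?: return IntegrityDecision(false, "missing timestamp")
    if (nowMillis - issued > maxAgeMillis) return IntegrityDecision(false, "stale token")

    // App verdict: PLAY_RECOGNIZED means this exact build came through Play.
    val app = verdict.optJSONObject("appIntegrity")?.optString("appRecognitionVerdict")
    if (app != "PLAY_RECOGNIZED") return IntegrityDecision(false, "app verdict $app")

    // Device verdict: an empty array is what a rooted phone or emulator returns.
    val labels = verdict.optJSONObject("deviceIntegrity")
        ?.optJSONArray("deviceRecognitionVerdict")
        ?.let { arr -> (0 until arr.length()).map { arr.getString(it) } }
        ?.toSet() ?: emptySet()
    if ("MEETS_DEVICE_INTEGRITY" !in labels) return IntegrityDecision(false, "device verdict $labels")

    return IntegrityDecision(true, "ok")
}
```

If you deliberately distribute builds outside Play (a common Nigerian pattern), the app verdict for those installs will not be PLAY_RECOGNIZED; in that case compare the certificateSha256Digest in appIntegrity against your signing certificate instead of requiring the Play verdict, and keep the device checks as they are.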

4. Secure the authentication flow

Move beyond simple PIN entry. Implement biometric authentication backed by Android Keystore: a key that can only be used after a successful biometric match signs a fresh challenge from your server, and the server verifies the signature against the public key it registered at enrolment. The match happens in the TEE or secure element rather than in your app, and the private key never leaves the Keystore, so there is no secret for an overlay or keylogger to capture and nothing to replay. Two caveats: the PIN fallback is still phishable, so consider tighter limits on what a PIN-only session may approve, and an accessibility trojan can still drive your UI after the user authenticates, which is why server-side fraud checks remain necessary. The same Keystore key gives you device binding that ties sessions to specific devices; pair it with session management that detects suspicious concurrent access.
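An added example (not the article's own code) of enrolment, biometric-gated challenge signing through BiometricPrompt, and the matching server-side verification. The key alias, prompt text, callback shapes and the assumption that enrolment runs inside an already-authenticated session are illustrative; the Keystore and androidx.biometric calls are real.

```kotlin
// Added example: a hardware-backed, biometric-bound EC key used for device binding
// and challenge-response authentication.
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature
import java.security.spec.ECGenParameterSpec
import java.security.spec.X509EncodedKeySpec

private const val KEY_ALIAS = "mm_device_binding_key" // hypothetical alias

// Enrolment (inside an already-authenticated session): generate a P-256 key in the
// AndroidKeyStore that can only sign after a STRONG biometric, once per use.
// Returns the DER-encoded public key to register with the server for this device.
fun enrolDeviceKey(): ByteArray {
    val builder = KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setUserAuthenticationRequired(true)
        // If a new fingerprint or face is enrolled, the key becomes unusable, so
        // malware that adds its own biometric cannot inherit the binding.
        .setInvalidatedByBiometricEnrollment(true)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        builder.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
    } else {
        @Suppress("DEPRECATION")
        builder.setUserAuthenticationValidityDurationSeconds(-1) // auth-per-use on older APIs
    }
    val kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
    kpg.initialize(builder.build())
    return kpg.generateKeyPair().public.encoded
}

// Login or transfer approval: sign a fresh server challenge inside BiometricPrompt.
// The Signature object is only authorised for use after the match succeeds.
fun signChallengeWithBiometric(
    activity: FragmentActivity,
    challenge: ByteArray,
    onSigned: (ByteArray) -> Unit,
    onFailed: (String) -> Unit,
) {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val privateKey = ks.getKey(KEY_ALIAS, null) as PrivateKey
    val signature = Signature.getInstance("SHA256withECDSA").apply { initSign(privateKey) }

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            val sig = result.cryptoObject?.signature ?: return onFailed("no crypto object")
            sig.update(challenge)
            onSigned(sig.sign())
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onFailed(errString.toString())
        }
    }
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Approve transfer")
        .setSubtitle("Confirm with your fingerprint or face")
        .setAllowedAuthenticators(BIOMETRIC_STRONG) // no PIN fallback for this path
        .setNegativeButtonText("Cancel")
        .build()
    prompt.authenticate(info, BiometricPrompt.CryptoObject(signature))
}

// Server: verify the signature with the public key stored at enrolment. The
// challenge must be random, single-use and tied to the transaction being approved.
fun verifyOnServer(storedPublicKeyDer: ByteArray, challenge: ByteArray, sig: ByteArray): Boolean {
    val pub = KeyFactory.getInstance("EC").generatePublic(X509EncodedKeySpec(storedPublicKeyDer))
    return Signature.getInstance("SHA256withECDSA").run {
        initVerify(pub)
        update(challenge)
        verify(sig)
    }
}
```

Put the transaction details (amount, recipient, a server-side nonce) into the challenge bytes so that a signature approves one specific transfer and nothing else; a trojan that captures it gains nothing it can reuse. On enrolment, the server should also record the Keystore attestation chain if you use key attestation, but that is a separate control from the one shown here.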

Is your mobile money app resilient against overlay attacks and banking trojans? Our mobile pentest simulates these exact attack scenarios.


5. Runtime application self-protection

For high-value financial apps, consider commercial RASP solutions like Guardsquare DexGuard, Appdome, or Promon SHIELD. These tools provide runtime detection of hooking frameworks (Frida, Xposed), overlay attacks, screen recording, debugger attachment, and code tampering—without requiring changes to your core application logic.

Educating your users

Technical defences are essential, but user education reduces the attack surface. Warn users about: granting Accessibility Service permissions to unfamiliar apps, installing APKs from WhatsApp or third-party sources, "system update" prompts that are actually malware, and any app that asks for permissions unrelated to its stated function.

Include an in-app security centre that explains these risks in simple terms. Nigerian users are increasingly security-aware—give them the information to protect themselves. Combine this with server-side fraud detection to catch compromised accounts even when the device is fully controlled by malware.

Related reading

Blog: Why Nigerian Fintechs Are Targeted · Secure Session Management · Social Engineering in Fintech

Guides: Mobile App Pentest Nigeria · Fintech Security Checklist

Services: Penetration Testing · Authentication Security · Vulnerability Assessment
