CVE CyberSecurity Database News

CVE-2024-43765 - Tapjacking Vulnerability Enables Folder Access & Privilege Escalation on Android

Poster -

---

In June 2024, a new security vulnerability, tracked as CVE-2024-43765, was disclosed that affects Android devices. This bug allows a malicious app to bypass permissions and gain unauthorized access to protected folders on your phone or tablet. The attack relies on a tapjacking technique—using overlays to trick users into granting more access than they realize. Here’s a breakdown of what this means, how it works, and how you can protect yourself.

What Is Tapjacking? (Quick Refresher)

Tapjacking is an attack where an app displays a fake screen ("overlay") on top of a legitimate one. The user thinks they’re tapping a harmless button, but they’re really tapping something hidden underneath — like an "Allow" or "Open Folder" button. This lets the attacker sneak privileges without the user’s knowledge.

Overlays can be exploited in several ways, but CVE-2024-43765 specifically enables mischievous apps to gain folder access, potentially leading to local escalation of privilege—meaning a harmful app could act with more permissions than it should have.

How Does CVE-2024-43765 Work?

In vulnerable Android versions, certain protected folders are only supposed to be accessed with direct user consent. But, if an attacker can get you to tap the right spot on an invisible or disguised overlay, they can sidestep that protection.

App quietly requests "draw over other apps" permission —sometimes via a fake reason.

3. App detects when you’re about to approve folder access for a legitimate need (like uploading a file).
4. At the same moment, the attacker displays an overlay making you click APPROVE or choose a file, while actually interacting with the folder access dialog hidden behind it.

Sample Exploit Code

Below is a simplified example of how an attacker might use TYPE_APPLICATION_OVERLAY to launch an overlay at the critical moment:

// Requires SYSTEM_ALERT_WINDOW permission
WindowManager wm = (WindowManager) getSystemService(WINDOW_SERVICE);
WindowManager.LayoutParams params = new WindowManager.LayoutParams(
    WindowManager.LayoutParams.MATCH_PARENT,
    WindowManager.LayoutParams.MATCH_PARENT,
    WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
    WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE |
    WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL,
    PixelFormat.TRANSLUCENT
);

View overlayView = new View(context);
// Set overlayView alpha, color, or fake button as needed
overlayView.setAlpha(f); // Invisible overlay, but still can receive touch events!

wm.addView(overlayView, params);

// On specific event (e.g., when folder chooser dialog is up), time the overlay

*Note: Exploit may require fine-tuned timing, touch event calculations, and exploitation of specific system dialogs.*

### Proof of Concept (PoC) Video/Guides

- Maddie Stone: Android Tapjacking (YouTube) – General overview of Android tapjacking approaches.
- Tapjacking with Overlays – PortSwigger Research

> Actual public PoCs for CVE-2024-43765 may not yet be released, but the above demonstrate the core method.

Impact

- Escalation of Privilege: Malicious app gains access to folders or files outside its normal sandbox.

Local Attack: Exploit requires installing a bad app and interacting with it.

- Potential Data Theft: Private photos, downloads, or other information may be accessed or uploaded.
- User Interaction: No silent/remote exploit possible; the attack always needs you to perform a tap or swipe.

Mitigation

- Android Patch: Check for security updates. Google has patched this issue in Android Security Bulletin June 2024 (Android Bulletin Reference).
- Disable 'Draw over other apps': Only grant this permission to trusted apps such as Facebook Messenger or screen filter utilities.
- Be Skeptical: If an app asks you to "enable overlays" or to do odd things while showing pop-ups, uninstall it.

References

- Official NVD Entry for CVE-2024-43765
- Android Security Bulletin – June 2024
- Google’s documentation on Overlay attacks

Conclusion

CVE-2024-43765 makes clear that overlays—though useful—can become a trapdoor for attackers. Until patches have been rolled out and you’ve updated, keep a close eye on overlay permissions and don’t blindly tap pop-ups. The vulnerability is only exploitable with user help, so a little caution goes a long way. Stay vigilant, and as always, update your device whenever possible!


*If you’re researching this CVE for your organization or app, make sure to add protections against overlays using filterTouchesWhenObscured or checking onFilterTouchEventForSecurity in your Android code.*

Timeline

Published on: 01/21/2025 23:15:13 UTC
Last modified on: 03/18/2025 14:15:39 UTC