Why aren't these UI "hacks" more often exploited?


Question

What I'm talking about:



  • Facebook publishes a standalone app called Messenger on the Play Store. It's a chat app, for interactions with other Facebook users. It implements something called "chat heads" which are these round bubbles that sit on top of everything else in the Android UI (except the status bar) that allow for opening an Always On Top chat UI.



  • Facebook also publishes its namesake app, which implemented intrusive notifications for itself that appear at the top of the screen and contain their relevant content.


    They render on top of the system status bar, preventing access to it when the app isn't active.




These are benign examples but they intrude on userland and feel malicious in the way they manifest themselves -- appearing without warning.


Facebook gave its apps hidden ways to disable these things.


What surprises me is that there are not more apps that exploit these UI security "holes".


If I were in the business of infecting people's phones, I would take advantage of this and make the most infuriatingly annoying malware because it's as if one program is given control of the entire interface with no escape.


Imagine the things a malicious bit of code could do if it literally prevented the user from doing anything about it. They can't use the interface, so they can't kill the app, they can't turn off the phone and on many phones you can't remove the battery, etc.


Is there an obvious reason why this sort of thing isn't more exploited? I can't find much about it.


Answer

That chat bubble is there because you granted Messenger the permission "draw over other apps". In simple terms, call it overlay. The qualified name of the permission is android.permission.SYSTEM_ALERT_WINDOW.




Allows an app to create windows using the type TYPE_SYSTEM_ALERT, shown on top of all other apps. Very few apps should use this permission; these windows are intended for system-level interaction with the user.




(Emphasis mine)



I don't think chat bubbles of Messenger, in any capacity, are meant for system-level interaction with its user, so you can assume that developers of that app and any such app chose to abuse the system's feature for their own interests.



Furthermore, you definitely are not the first person who thought about exploitation of the overlay feature of Android.



ArsTechnica: New Android ransomware locks out victims by changing lock screen PIN




Dubbed Android/Lockerpin.A, the app ... overlays a bogus patch installation window on top of an activation notice. When targets click on the continue button, they really grant the malicious app elevated rights that allow it to make changes to the Android settings. From there, Lockerpin sets or resets the PIN that unlocks the screen lock, effectively requiring users to perform a factory reset to regain control over the device.



...



Once the continue button is pressed, the app will acquire administrator rights [becomes a Device Administrator]. From there it will change the PIN and periodically continue to overlay a fake window in an attempt to hold on to the elevated privileges. It's the first known Android lock-screen ransomware to set a phone's PIN lock. Because it requires non-paying victims to factory reset their phones, it causes them to lose all of their data.




(Emphasis mine)



Just so you know, Android understands the potential damage overlay can cause to a device; hence, when an overlay is actively drawn on screen and the user attempts to sideload an app, the install button simply fails to work. See Why can't I press the Install button when installing applications from unknown sources?



If only Android extended this feature to activation/deactivation of device administrators, that would be very nice of them.



In case you want to know which other apps have the same permission, you can use my answer on Determine which app is drawing on top of other apps?






The notifications you mentioned, intrusive they may be, are called Heads-up notifications. Until Android 5.1, users didn't have an official way to get rid of them without losing all notifications from an app.



Android Design: Heads-up Notification




When a high-priority notification arrives ..., it is presented to users for a short period of time with an expanded layout exposing possible actions.



After this period of time, the notification retreats to the notification shade. If a notification's priority is flagged as High, Max, or full-screen, it gets a heads-up notification.




(Emphasis mine)



As you may have guessed, Heads-up notifications are not the default type of notification a system should be displaying to a user, and a developer has to explicitly opt for it in the app's code. It's just that some developers opine that the things their app does are of the ultimate priority in the life of the user, let alone the system, so they often choose to show every notification as a Heads-up notification.



That said, heads-up notifications were introduced only in Lollipop while your device runs Android KitKat, so definitely, as Andrew T. put it in comments, it must be Facebook's native code which is both creating and displaying those pseudo-Lollipop notifications at the top and above a window.



The reason you can't interact with the system bar when that pseudo-Lollipop notification is active is most likely the use of blocking overlays to display a view which is perceived as a notification by the user. Aaron's answer has explained it with a good working example app.



I searched the web between the range Oct 2013 to Oct 2014 (the developmental age of Android 4.4.x) and came to know that there were apps available in the Play Store primarily meant to create those pseudo-Lollipop notifications. One such app is Floatifications and the other one I found was Metro Notifications Free. Both use the same blocking overlay to create those pseudo-Lollipop notifications.



I'm surprised you didn't find toasts pesky enough.
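The answer above points to auditing which installed apps hold android.permission.SYSTEM_ALERT_WINDOW. The script below is an added example (not from the Q&A or the linked answers): it parses text in the style of `adb shell dumpsys package packages` and lists every package whose "requested permissions" block names the overlay permission, plus a small helper for `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` output. The dumpsys and appops samples are constructed and only approximate the real output format, which varies between Android versions.

```python
"""Audit which packages request the Android overlay permission.

Added example: feed it the captured text of
`adb shell dumpsys package packages` (sample below is constructed).
"""
import re

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample in the style of `dumpsys package packages` (trimmed).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.chat] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    userId=10102
    requested permissions:
      android.permission.INTERNET
  Package [com.example.float] (7a8b9c):
    userId=10103
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
"""

_PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")


def overlay_requesters(dump: str, perm: str = OVERLAY_PERM) -> list:
    """Return package names whose dump block requests `perm`, in dump order."""
    found, current, in_requested = [], None, False
    for line in dump.splitlines():
        m = _PKG_RE.match(line)
        if m:  # a new package block starts; reset section state
            current, in_requested = m.group(1), False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
        elif stripped.endswith(":"):  # any other section header ends the list
            in_requested = False
        elif in_requested and stripped == perm and current not in found:
            found.append(current)
    return found


def appops_mode(appops_output: str) -> str:
    """Extract the mode ('allow', 'deny', 'default', ...) from one appops line.

    Assumes the form 'SYSTEM_ALERT_WINDOW: allow' or 'SYSTEM_ALERT_WINDOW: allow; time=...'.
    """
    _, _, rest = appops_output.strip().partition(":")
    return rest.split(";", 1)[0].strip() or "unknown"
```

On a real device, `adb shell dumpsys package packages > dump.txt` and pass the file contents to `overlay_requesters`; packages that request the permission but show `deny`/`default` in appops are not currently able to draw overlays.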

