Tapjacking Protection

Tapjacking is a security issue that occurs when the app screen is completely or partially obscured by an overlay window. The user can be tricked into thinking that they are interacting with the overlay. However, their input (a tap) can instead perform actions in the underlying app.

Malwarelytics for Android tries to prevent tapjacking. This is done by preventing click events when a part of the app screen is obscured by an overlay and at least one app that can create such overlays is deemed “problematic”.

Tapjacking protection sensitivity is configurable in the SDK.


Identifying Tapjacking Culprit

Android APIs prevent an app from determining specifically which other app is creating an overlay; it is only possible to obtain a list of apps that are capable of doing so.

Protecting Dialogs

Tapjacking protection doesn’t work on dialogs because the contents of a dialog receive taps through an overlay regardless of the way the dialog is created.


This feature can be configured during the Malwarelytics initialization phase:

val raspConfig = RaspConfig.Builder()
    // configuration of other RASP features
Method Description
blockTapjacking(Boolean) indicates whether tapjacking should be blocked. Defaults to true. However, tapjacking is not blocked unless a “problematic” app is installed on the device. An app is deemed “problematic” when it meets sensitivity criteria defined by blockTapjackingSensitivity.
ignoreTapjackingSystemApps(Boolean) indicates whether tapjacking protection should ignore system apps in the checks. Defaults to false. If set to true all system apps will be ignored and tapjacking will get blocked only if a non-system “problematic” app is present.
blockTapjackingSensitivity(ThreatIndex) defines tapjacking protection sensitivity. Defaults to ThreatIndex.HIGHLY_DANGEROUS.


After initialization, the tapjacking protection feature can be accessed via RaspManager. This can be used to register an observer or to trigger a manual tapjacking detection check.

Registering an Observer

Tapjacking detection can trigger a certain action. To achieve that, an observer needs to be configured and registered.

Observer configuration:

val raspObserver = object : RaspObserver {
    override fun onTapjackingDetected(tapjackingDetection: TapjackingDetection) {
        // handle tapjacking detection
    // handle detection of other RASP features

The observer can be registered in RaspManager. When it is no longer needed, it can be unregistered again.


Triggering a Manual Check

Tapjacking detection check can be triggered manually in RaspManager. Two methods are available. isBadTapjackingCapableAppPresent() indicates whether any apps deemed “problematic” are installed on the device. getTapjackingDetection() provides more details about tapjacking protection configuration. The returned data depend on the configuration - both on the sensitivity and on ignoring system apps.

val isBadTapjackingCapableAppPresent = raspManager.isBadTapjackingCapableAppPresent()
val tapjackingDetection = raspManager.getTapjackingDetection()

Troubleshooting for Users

The SDK tries to simplify a potential troubleshooting process as much as possible. The app developer is provided with a list of “problematic” apps triggering the protection. Furthermore, the SDK offers a utility method that opens the system settings responsible for granting/removing the system overlay permission for installed apps:


The device user can then adjust the settings to make the app respond to clicks again.

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Jun 07, 2022 (20:56) View product


Malwarelytics for Android