Android, Tapjacking/Overlay Attack, CVE-2026-28577 (High) -DC-Jun2026-146

Listen to this Post

Intro: How CVE-2026-28577 Works

CVE-2026-28577 is a tapjacking vulnerability in the Android operating system that allows a malicious application to perform a local privilege escalation without user interaction. The vulnerability resides in the `addWindow` method of WindowManagerService.java, the system service responsible for managing window creation, layering (z‑ordering), and input event dispatch.
Under normal circumstances, when an app tries to add a new window, the Window Manager validates the request to ensure the window is legitimate, does not interfere with critical system UI, and cannot be abused to capture unintended touch events. In affected versions, however, this validation is insufficient. An attacker can create a specially crafted overlay window that is placed on top of a legitimate application or system dialog. The overlay can be fully transparent or visually mimic the underlying UI.
Because the system fails to properly inspect the layering and security context of the new window, the malicious overlay is granted the ability to receive and intercept all touch events that the user intends for the window below. The user, believing they are interacting with the genuine app, may click on buttons, grant permissions, or enter sensitive data, while their inputs are actually captured by the overlay.
From a security perspective, this scenario constitutes a tapjacking (UI overlay) attack. The technique is classified under MITRE ATT&CK T1056.001 (Input Injection). The consequences extend beyond simple clickjacking: because the malicious window can operate with the same privileges as the targeted window, the attacker can perform actions that would normally require elevated permissions, effectively achieving local escalation of privilege (EoP).
Notably, exploitation requires no user interaction beyond the initial installation of a malicious app, as the overlay can be positioned to automatically capture touch events without the user’s awareness. The vulnerability affects Android versions 14, 15, 16, and 16‑QPR2.

DailyCVE Form

Platform: Android
Version: 14, 15, 16
Vulnerability: Tapjacking/Overlay Attack
Severity: High (CVSS 7.8)
Date: 2026-06-01

Prediction: 2026-06-15

What Undercode Say

Check Android security patch level
adb shell getprop ro.build.version.security_patch
Show installed packages (including potential malicious ones)
adb shell pm list packages
Dump window manager state to detect overlays
adb shell dumpsys window windows | grep -E "Window|mHasSurface|mOwnerUid"
Simulate overlay window creation (educational only)
adb shell am start -n com.android.settings/.Settings \
--activity-clear-task --activity-brought-to-front \
&& adb shell input tap 500 1000

Java snippet illustrating the vulnerable method logic (conceptual):

// Vulnerability: missing overlay validation in addWindow
public int addWindow(WindowManager.LayoutParams attrs, ...) {
// ... existing code ...
if (attrs.type == TYPE_APPLICATION_OVERLAY) {
// Insufficient checks – fails to verify:
// 1. Is the overlay targeting a safe window?
// 2. Does the overlay have proper user consent?
// 3. Is the overlay transparent/tapjacking?
}
// Proceeds to add the window, allowing overlay attacks.
}

Exploit

An attacker leverages CVE-2026-28577 by:

  1. Installing a malicious app on a vulnerable device (Android 14–16).
  2. Using the app to call `WindowManager.addView()` with an overlay window type.
  3. Positioning the overlay above a legitimate app (e.g., banking app, settings).

4. Capturing all touch events without user awareness.

  1. Using intercepted taps to grant permissions, approve transactions, or escalate privileges.
    Because user interaction is not required for exploitation, the malicious overlay can be created immediately upon installation, making it a highly effective local EoP vector.

Protection

  • Apply security updates: Install the June 2026 Android security patch (Samsung and other OEMs have already included fixes in their SMR releases).
  • Google Play Protect: Ensure Play Protect is enabled; it flags apps that use dangerous overlay permissions.
  • Manual checks: Regularly review overlay permission grants under Settings → Apps → Special app access → Display over other apps. Revoke access for untrusted apps.
  • Code‑level mitigation (for developers): Use `filterTouchesWhenObscured` and `setTrustedOverlay` flags to make your UI reject taps when obscured by a malicious overlay.
  • System hardening: Enable hardware‑based secure display modes where available.

Impact

Successful exploitation of CVE-2026-28577 allows a local, unprivileged attacker to:
– Intercept and inject touch events into any foreground application.
– Perform actions with the privileges of the targeted app (e.g., approve payments, change settings, grant runtime permissions).
– Escalate privileges to system level, potentially gaining full control over the device.
The vulnerability carries a CVSS base score of 7.8 (High) with the vector:

`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`.

The primary impact is on confidentiality, integrity, and availability – all rated high, as the attacker can read sensitive data, modify system or app behavior, and disrupt normal operations.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top