Listen to this Post
Intro: How CVE-2026-28577 Works
CVE-2026-28577 is a tapjacking vulnerability in the Android operating system that allows a malicious application to perform a local privilege escalation without user interaction. The vulnerability resides in the `addWindow` method of WindowManagerService.java, the system service responsible for managing window creation, layering (z‑ordering), and input event dispatch.
Under normal circumstances, when an app tries to add a new window, the Window Manager validates the request to ensure the window is legitimate, does not interfere with critical system UI, and cannot be abused to capture unintended touch events. In affected versions, however, this validation is insufficient. An attacker can create a specially crafted overlay window that is placed on top of a legitimate application or system dialog. The overlay can be fully transparent or visually mimic the underlying UI.
Because the system fails to properly inspect the layering and security context of the new window, the malicious overlay is granted the ability to receive and intercept all touch events that the user intends for the window below. The user, believing they are interacting with the genuine app, may click on buttons, grant permissions, or enter sensitive data, while their inputs are actually captured by the overlay.
From a security perspective, this scenario constitutes a tapjacking (UI overlay) attack. The technique is classified under MITRE ATT&CK T1056.001 (Input Injection). The consequences extend beyond simple clickjacking: because the malicious window can operate with the same privileges as the targeted window, the attacker can perform actions that would normally require elevated permissions, effectively achieving local escalation of privilege (EoP).
Notably, exploitation requires no user interaction beyond the initial installation of a malicious app, as the overlay can be positioned to automatically capture touch events without the user’s awareness. The vulnerability affects Android versions 14, 15, 16, and 16‑QPR2.
DailyCVE Form
Platform: Android
Version: 14, 15, 16
Vulnerability: Tapjacking/Overlay Attack
Severity: High (CVSS 7.8)
Date: 2026-06-01
Prediction: 2026-06-15
What Undercode Say
Check Android security patch level adb shell getprop ro.build.version.security_patch Show installed packages (including potential malicious ones) adb shell pm list packages Dump window manager state to detect overlays adb shell dumpsys window windows | grep -E "Window|mHasSurface|mOwnerUid" Simulate overlay window creation (educational only) adb shell am start -n com.android.settings/.Settings \ --activity-clear-task --activity-brought-to-front \ && adb shell input tap 500 1000
Java snippet illustrating the vulnerable method logic (conceptual):
// Vulnerability: missing overlay validation in addWindow
public int addWindow(WindowManager.LayoutParams attrs, ...) {
// ... existing code ...
if (attrs.type == TYPE_APPLICATION_OVERLAY) {
// Insufficient checks – fails to verify:
// 1. Is the overlay targeting a safe window?
// 2. Does the overlay have proper user consent?
// 3. Is the overlay transparent/tapjacking?
}
// Proceeds to add the window, allowing overlay attacks.
}
Exploit
An attacker leverages CVE-2026-28577 by:
- Installing a malicious app on a vulnerable device (Android 14–16).
- Using the app to call `WindowManager.addView()` with an overlay window type.
- Positioning the overlay above a legitimate app (e.g., banking app, settings).
4. Capturing all touch events without user awareness.
- Using intercepted taps to grant permissions, approve transactions, or escalate privileges.
Because user interaction is not required for exploitation, the malicious overlay can be created immediately upon installation, making it a highly effective local EoP vector.
Protection
- Apply security updates: Install the June 2026 Android security patch (Samsung and other OEMs have already included fixes in their SMR releases).
- Google Play Protect: Ensure Play Protect is enabled; it flags apps that use dangerous overlay permissions.
- Manual checks: Regularly review overlay permission grants under
Settings → Apps → Special app access → Display over other apps. Revoke access for untrusted apps. - Code‑level mitigation (for developers): Use `filterTouchesWhenObscured` and `setTrustedOverlay` flags to make your UI reject taps when obscured by a malicious overlay.
- System hardening: Enable hardware‑based secure display modes where available.
Impact
Successful exploitation of CVE-2026-28577 allows a local, unprivileged attacker to:
– Intercept and inject touch events into any foreground application.
– Perform actions with the privileges of the targeted app (e.g., approve payments, change settings, grant runtime permissions).
– Escalate privileges to system level, potentially gaining full control over the device.
The vulnerability carries a CVSS base score of 7.8 (High) with the vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`.
The primary impact is on confidentiality, integrity, and availability – all rated high, as the attacker can read sensitive data, modify system or app behavior, and disrupt normal operations.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

