An overlay attack is a mobile fraud technique in which malware places a fake screen on top of a legitimate app. The user thinks they are entering a password, one-time code, PIN, or approving a payment in the real app, but the attacker is actually capturing the input through the overlay.
This matters because overlays can bypass many traditional defenses without breaking encryption or exploiting the app itself. On Android, attackers often combine overlays with accessibility abuse, notification interception, or permission tricks to imitate banking or wallet interfaces. In real attacks, an overlay may appear when a financial app opens, during login, or at the moment of transaction approval. Defenders look for unusual overlay permissions, suspicious accessibility services, and apps that request control over the screen. User awareness is also important: unexpected prompts, repeated login screens, or security-related apps installed from outside trusted stores are common warning signs.
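The defender-side check described above can be run against a device's own package data. The following is an added example, not part of the original page: it parses text in the shape produced by `adb shell pm list packages -3 -i`, `adb shell appops query-op SYSTEM_ALERT_WINDOW allow` and `adb shell settings get secure enabled_accessibility_services`. The package names, the sample output, the trusted-installer set and the severity labels are all constructed assumptions.

```python
# Added example: triage third-party apps holding overlay/accessibility capability.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play is the only trusted store

# Constructed sample text in the shape of: adb shell pm list packages -3 -i
PM_LIST = """\
package:com.example.bank  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.chatheads  installer=com.android.vending
package:com.example.secupdate  installer=com.android.packageinstaller
"""
# Constructed: adb shell appops query-op SYSTEM_ALERT_WINDOW allow
OVERLAY_ALLOWED = "com.example.chatheads\ncom.example.secupdate\n"
# Constructed: adb shell settings get secure enabled_accessibility_services
A11Y_ENABLED = "com.example.secupdate/.HelperService:com.example.cleaner/com.example.cleaner.A11y"

def parse_installers(text):
    """Map package name -> installer package ('null' when sideloaded/unknown)."""
    installers = {}
    for line in text.splitlines():
        fields = line[len("package:"):].split() if line.startswith("package:") else []
        if fields:
            installers[fields[0]] = next(
                (f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")),
                "null")
    return installers

def parse_a11y(text):
    """Package names owning the colon-separated enabled accessibility components."""
    text = text.strip()
    if text in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in text.split(":") if comp}

def triage(pm_list, overlay_allowed, a11y_enabled):
    """Return (package, severity, capabilities) for apps worth a closer look."""
    overlay = {l.strip() for l in overlay_allowed.splitlines() if l.strip()}
    a11y = parse_a11y(a11y_enabled)
    findings = []
    for pkg, installer in sorted(parse_installers(pm_list).items()):
        caps = [name for name, held in (("overlay", pkg in overlay),
                                        ("accessibility", pkg in a11y)) if held]
        if not caps:
            continue
        sideloaded = installer not in TRUSTED_INSTALLERS
        # Heuristic (assumption): both capabilities on a sideloaded app is the
        # combination the text describes; store-installed apps are only listed.
        severity = "high" if sideloaded and len(caps) == 2 else \
                   "medium" if sideloaded else "review"
        findings.append((pkg, severity, caps))
    return findings
```

Legitimate apps also draw over other apps or run accessibility services, so the output is a review queue ordered by how closely an app matches the pattern, not a verdict.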



