Home > CAPEC List > CAPEC-506: Tapjacking (Version 2.11)  

CAPEC-506: Tapjacking

Definition in a New Window Definition in a New Window
Attack Pattern ID: 506
Abstraction: Standard
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces him/her to tap in an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.

+ Attack Prerequisites
  • This pattern of attack requires the ability to execute a malicious application on the user's device. This malicious application is used to present the interface to the user and make the attack possible.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Low

+ References
[REF-57] Marcus Niemietz and Jorg Schwenk. "UI Redressing Attacks on Android Devices". 4. New Browserless Attacks. Horst Gortz Institute for IT-Security. 2012. <https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf>.
[REF-81] David Richardson. "Look-10-007 - Tapjacking". Lookout Mobile Security. 2010. <https://blog.lookout.com/look-10-007-tapjacking/>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Description SummaryInternal
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Related_WeaknessesInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017