Subscribe to the Non-Human & AI Identity Journal
Home Glossary Overlay Malware

Overlay Malware

← Back to Glossary
By NHI Mgmt Group Updated July 10, 2026

Overlay malware is malicious code that sits on top of a legitimate mobile app to capture input or alter user interaction. It can steal credentials, manipulate forms, or intercept actions without necessarily modifying the app binary, which makes it hard for build-time controls to detect.

Expanded Definition

Overlay malware is a mobile threat technique that places a deceptive interface layer above a legitimate app to observe taps, capture credentials, or alter transactions. Unlike app repackaging, which changes the binary, overlay attacks exploit the user session and screen rendering path, so they can evade controls that only inspect code signing, store listings, or build artefacts. The term is often used in Android security discussions, where accessibility abuse, screen overlays, and fraud tooling converge, but definitions vary across vendors because some classify it as a UI redress attack while others treat it as a credential theft method.

For defenders, the key distinction is intent and placement: the malicious layer is designed to look native enough that the user continues interacting with the real app while the attacker observes or redirects the interaction. Standards bodies do not define overlay malware as a standalone control category, so practitioners usually map the risk to mobile app hardening, anti-fraud telemetry, and device trust. The most common misapplication is assuming that a clean application package means the app session is trustworthy, which occurs when teams rely on binary inspection without checking runtime interaction abuse.

Examples and Use Cases

Implementing defences against overlay malware rigorously often introduces usability and compatibility constraints, requiring organisations to weigh friction reduction against stronger runtime protection.

  • A banking app prompts the user to approve a payment, while a malicious overlay swaps the beneficiary details just before confirmation.
  • A fake login layer captures credentials entered into a legitimate social or enterprise app, then forwards them to the attacker.
  • A malware family abuses accessibility permissions to detect when a target app opens, then draws its own prompt over the real interface.
  • Incident responders compare suspicious interaction patterns with techniques seen in the Shai Hulud npm malware campaign and the CircleCI Breach to understand how attackers chain user deception with secret theft.
  • Mobile security teams test for overlay suppression, suspicious window focus changes, and screen-capture abuse using guidance aligned to CIS Controls v8.

In practice, overlay malware is most relevant in high-value consumer, fintech, and enterprise BYOD environments where a stolen session can be monetised immediately. It also matters when mobile apps front-end sensitive workflows such as payroll, approvals, or password resets, because a single manipulated tap can change downstream authorisation decisions.

Why It Matters for Security Teams

Overlay malware matters because it breaks the assumption that the visible app surface is the trusted one. That failure can lead to credential theft, fraudulent approvals, and invisible manipulation of business transactions, even when endpoint tooling reports the app as installed from a legitimate source. Mobile threat monitoring therefore has to move beyond static trust checks and consider runtime behaviour, permission abuse, and user interaction anomalies.

For identity-heavy workflows, overlay attacks are especially dangerous because they can capture primary credentials, MFA prompts, or recovery actions and then pivot into account takeover. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, and that lack of visibility mirrors the broader problem here: teams often see the app package, not the abuse path. A mobile control strategy should therefore combine device posture, session risk scoring, and phishing-resistant authentication where possible. Organisations typically encounter the operational impact only after fraud, account takeover, or failed transaction disputes surface, at which point overlay malware becomes unavoidable to investigate and contain.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AA-01Identity and access assurance helps reduce credential theft enabled by overlay abuse.
NIST SP 800-63AAL2Phishing-resistant assurance is relevant when overlays capture login or MFA input.
OWASP Agentic AI Top 10User-interface deception is adjacent to broader runtime abuse patterns affecting trusted interactions.
OWASP Non-Human Identity Top 10Overlay-driven theft can capture secrets used by non-human identities in mobile-managed workflows.
NIST AI RMFRisk governance is useful where AI-assisted fraud detection must account for mobile deception.

Harden authentication flows and validate session risk before approving sensitive mobile actions.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org