Spoofing User's Activity Loads in WARP Mobile Client (Android)
Description
Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim's device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker's app.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A tapjacking bug in Cloudflare WARP Mobile Client for Android (versions before 6.29) lets an attacker overlay a malicious UI, tricking users into performing unintended actions.
Vulnerability
The Cloudflare WARP Mobile Client for Android, in all versions prior to 6.29, is vulnerable to a tapjacking attack due to a misconfiguration that allows malicious overlays. If an attacker can install a crafted application on the victim’s device, the malicious app can draw on top of the WARP client’s UI, making the user believe they are interacting with the legitimate WARP interface. The affected product is the Android version of the Cloudflare WARP client, as described in [1] and [2].
Exploitation
To exploit this vulnerability, an attacker must first have the ability to install an Android application on the victim’s device, either through social engineering, sideloading, or another compromise. No additional permissions on the WARP client are required; the attack relies solely on the misconfiguration that permits overlays. The attacker’s app then renders a deceptive UI on top of the WARP client’s interface, and when the user taps on what they believe to be WARP’s buttons or prompts, the tap event is captured by the attacker’s malicious overlay, enabling actions such as granting permissions or initiating fund transfers without the user’s informed consent [2].
Impact
Successful exploitation allows the attacker to trick the user into performing actions that are actually controlled by the malicious app. This can lead to unintended disclosure of sensitive information, unauthorized transactions, or granting of dangerous Android permissions, without the user’s awareness, compromising both confidentiality and integrity of the user’s data and device [2].
Mitigation
The vulnerability is fixed in the WARP Mobile Client version 6.29 for Android, released on or before the advisory publication date. Users should update to version 6.29 or later via the Google Play Store or other official distribution channels. No workaround is documented; users of versions prior to 6.29 must apply the update to eliminate the tapjacking risk [2].
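For app developers, the standard Android control against the overlay technique described above is shown below as an added example. It is not Cloudflare's code and is not taken from the WARP client; the advisory does not say which setting was misconfigured, so the assumption here is that the relevant control is the obscured-touch filter (`filterTouchesWhenObscured`) together with a check of the `MotionEvent` obscured flags. The package and activity names are hypothetical.

```java
// Added illustration (not Cloudflare's code): the standard Android control
// against tapjacking on a sensitive button. Assumes the misconfiguration the
// advisory refers to is a missing obscured-touch filter; the advisory itself
// does not name the setting.
package com.example.tapjackingdemo; // hypothetical package name

import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;

public class SensitiveActionActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Button connectButton = new Button(this);
        connectButton.setText("Connect");
        setContentView(connectButton);

        // Weak configuration (the Android default): nothing stops a window
        // drawn by another app from covering this button while taps still
        // reach it.
        // connectButton.setFilterTouchesWhenObscured(false);

        // Hardened: discard any touch delivered while a window belonging to
        // another app fully covers this view (API 9+). Equivalent to
        // android:filterTouchesWhenObscured="true" in the layout XML.
        connectButton.setFilterTouchesWhenObscured(true);

        // Defence in depth: partial obscuring (flag available from API 29)
        // is not covered by the filter above, so inspect the event flags
        // and refuse the tap if any overlay is present.
        connectButton.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                if (isObscured(event)) {
                    Toast.makeText(v.getContext(),
                            "Touch blocked: another app is drawing over the screen",
                            Toast.LENGTH_SHORT).show();
                    return true; // consume the event; do not act on it
                }
                return false; // let normal click handling run
            }
        });

        connectButton.setOnClickListener(v -> performSensitiveAction());
    }

    /** True if the event arrived while another window obscured this one. */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partially =
                (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partially;
    }

    private void performSensitiveAction() {
        // Placeholder for the real action guarded by the checks above
        // (for a VPN client, e.g. toggling the tunnel).
    }
}
```

The filter flag is the cheap, declarative fix and should be set on every view that triggers a security-relevant action; the explicit flag check adds coverage for partially obscured windows on newer API levels and gives the app a place to log or surface the blocked touch for the user.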
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.29
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.