A novel tapjacking technique now exploits user interface animations to bypass Android’s permission system, thereby gaining access to sensitive data or tricking users into performing destructive actions—such as wiping the device.
In contrast to traditional, overlay-based tapjacking, TapTrap attacks operate even with zero-permission apps. These attacks launch a harmless transparent activity on top of a malicious one, a behavior that, notably, Android 15 and 16 still fail to mitigate.
A team of security researchers at TU Wien and the University of Bayreuth—Philipp Beer, Marco Squarcina, Sebastian Roth, and Martina Lindorfer—developed TapTrap and plan to present it next month at the USENIX Security Symposium.
Nevertheless, the team has already released a technical paper detailing the attack, along with a website that summarizes most of its key findings.
How TapTrap works
TapTrap exploits the way Android handles activity transitions with custom animations, creating a visual mismatch between what the user sees and what the device actually registers.
Once a malicious app installs on the target device, it launches a sensitive system screen—such as a permission prompt or system setting—from another app using startActivity() combined with a custom low-opacity animation.
According to the researchers on the website explaining the attack, “The key to TapTrap is using an animation that renders the target activity nearly invisible.”
To achieve this, the attacker can define a custom animation where both the starting and ending opacity (alpha) are set to a very low value, such as 0.01, which makes the malicious or risky activity almost completely transparent.
Additionally, applying a scale animation can zoom into a specific UI element (e.g., a permission button), causing it to occupy the full screen and thereby increasing the chance the user will tap it.
TapTrap overview
Source: taptrap.click
Even though the launched prompt receives all touch events, the user only sees the underlying app that displays its own UI elements. This happens because the transparent screen, layered on top, is the one actually registering user input.
As a result, users may believe they are interacting with the benign app and end up tapping on screen positions that trigger risky actions, such as “Allow” or “Authorize” buttons on nearly invisible prompts.
To demonstrate the risk, the researchers released a video showing how a game app could exploit TapTrap to grant camera access to a website via the Chrome browser.
Risk exposure
To evaluate whether TapTrap could work with apps from the Play Store—the official Android repository—the researchers analyzed nearly 100,000 applications. As a result, they found that 76% of them remain vulnerable to TapTrap because they include a screen (“activity”) that meets the following criteria:
- Another app can launch it
- It runs in the same task as the calling app
- It doesn’t override the transition animation
- It doesn’t wait for the animation to finish before responding to user input
According to the researchers, animations stay enabled on the latest Android version by default unless users manually disable them through developer options or accessibility settings. Consequently, this default behavior exposes devices to TapTrap attacks.
While developing the attack, the team tested it on Android 15, the latest version available at the time. However, after Android 16 was released, they ran additional tests to confirm its behavior.
Marco Squarcina told BleepingComputer that they successfully tested TapTrap on a Google Pixel 8a running Android 16, confirming that the issue still has not been mitigated.
Meanwhile, GrapheneOS—a mobile operating system focused on privacy and security—also verified to BleepingComputer that Android 16 remains vulnerable to TapTrap. The team announced that their upcoming release will include a fix for the issue.
In response, BleepingComputer reached out to Google about TapTrap. A company spokesperson replied that Google will address the vulnerability in an upcoming update:
“Android is constantly improving its existing mitigations against tapjacking attacks. We are aware of this research and we will be addressing this issue in a future update. Google Play has policies in place to keep users safe that all developers must adhere to, and if we find that an app has violated our policies, we take appropriate action,” a Google representative told BleepingComputer.
Source: BleepingComputer, Bill Toulas
Read more at Impreza News
