Red Hot Cyber


TapTrap Attack: How to Get Yourself to Click Things Even Your Mom Wouldn’t Approve of

Redazione RHC : 11 July 2025 20:27

TapTrap exploits user interface animations to bypass Android’s permissions system, allowing it to access sensitive data or trick the user into performing destructive actions, such as factory resetting the device. The TapTrap attack is a type of tapjacking, the mobile equivalent of clickjacking. In these attacks, the attacker tricks the user into clicking on a seemingly harmless element, which actually causes an unwanted action in the background.

However, unlike traditional overlay tapjacking, TapTrap can also be carried out by apps that hold no permissions at all: the malicious app launches a nearly transparent sensitive activity on top of its own seemingly harmless interface. Furthermore, the method also works on Android 15 and 16.

TapTrap was developed by a team from the Technical University of Vienna (TU Wien) and the University of Bayreuth. The new technique will be presented next month at the USENIX Security Symposium. However, the researchers have already published a white paper describing the attack and set up a website with its key details.

TapTrap exploits Android’s handling of task transitions using custom animations to create a visual inconsistency between what the user sees and what actually happens on the device’s screen. A malicious app installed on the target device launches a system screen with sensitive information (such as a permission request or system settings) on behalf of another app by calling startActivity() and running a custom animation with near-transparency.

“The key to TapTrap is the use of animations that make the target activity virtually invisible,” the researchers explain. “This is achieved through a custom animation with the starting and ending alpha values set to very low values, such as 0.01. This makes the malicious or risky activity almost completely transparent. Additionally, a zoom animation can be used to enlarge a specific interface element (such as an Authorize button) and display it full-screen, increasing the likelihood that the user will tap it.”

Although the launched prompt accepts all taps, the user only sees the application’s main interface, above which sits a virtually transparent activity that they are actually interacting with. Believing they are dealing with a harmless application, the user might tap certain areas of the screen without realizing they are pressing buttons such as “Allow” or “Authorize” in a nearly invisible window.

A video published by researchers demonstrates how a gaming app can use TapTrap to access the camera via the Chrome browser on behalf of a website. To find out if TapTrap worked with apps from the Google Play Store, Android’s official app store, the researchers analyzed nearly 100,000 apps. It turned out that 76% of them were vulnerable because they contained activities that met the following conditions:

  • can be launched from another application;
  • run in the same task as the calling application;
  • do not override the transition animation;
  • start responding to user actions before the animation is completed.
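As an added illustration (not code from the researchers or from this article), the following Kotlin activity shows how an app-side sensitive prompt can remove two of the four conditions above: it overrides its own open transition so a caller-supplied near-transparent animation is not used, and it discards taps that arrive before the window has been visible for a grace period. The class name, the 500 ms grace value and the assumption that the activity's own transition override takes precedence over the caller's animation are mine; a system-level fix from Google remains the real remedy.

```kotlin
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.os.SystemClock
import android.view.MotionEvent

// Hardening pattern for an activity that shows a sensitive prompt
// (e.g. an Allow/Deny confirmation screen reachable from other apps).
class SensitivePromptActivity : Activity() {

    // Assumption: 500 ms comfortably exceeds the default transition duration,
    // so no tap made "during the animation" can reach the buttons.
    private val touchGraceMs = 500L
    private var visibleSinceUptime = 0L  // 0 = window not yet focused

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            // API 34+: set an explicit (empty) open transition for this activity.
            // Assumed to replace any custom animation the caller attached.
            overrideActivityTransition(Activity.OVERRIDE_TRANSITION_OPEN, 0, 0)
        } else {
            // Older releases: best effort; assumed to replace the pending
            // enter animation when called this early.
            @Suppress("DEPRECATION")
            overridePendingTransition(0, 0)
        }
        // setContentView(...) with the Allow/Deny buttons goes here.
    }

    override fun onWindowFocusChanged(hasFocus: Boolean) {
        super.onWindowFocusChanged(hasFocus)
        // (Re)start the grace period every time this window gains focus.
        visibleSinceUptime = if (hasFocus) SystemClock.uptimeMillis() else 0L
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        // Swallow the whole gesture if its DOWN happened before the window was
        // focused or before the grace period elapsed; the user simply taps again.
        if (visibleSinceUptime == 0L || ev.downTime < visibleSinceUptime + touchGraceMs) {
            return true  // consumed here, never delivered to Allow/Deny
        }
        return super.dispatchTouchEvent(ev)
    }
}
```

Because the gesture is judged by its DOWN time rather than the current time, a finger pressed during the transition and released after the grace period is still rejected.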

According to the researchers, animations are enabled by default in the latest version of Android. Unless the user disables them via developer settings or accessibility options, the device remains vulnerable to TapTrap.

Although the attack was initially developed against Android 15 (the current version at the time), the experts later tested TapTrap on Android 16 as well, using a Google Pixel 8a, and found that the latest version of the operating system is affected too. Google representatives told the media that TapTrap will be fixed in a future update.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
