A novel tapjacking technique can exploit user interface animations to bypass Android's permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device. TapTrap was developed by a team of security researchers at TU Wien and the University of Bayreuth (Philipp Beer, Marco Squarcina, Sebastian Roth, Martina Lindorfer), and will be presented next month at the USENIX Security Symposium.

Unlike traditional, overlay-based tapjacking, TapTrap attacks work even with zero-permission apps to launch a harmless transparent activity on top of a malicious one, a behavior that remains unmitigated in Android 15 and 16. TapTrap abuses the way Android handles activity transitions with custom animations to create a visual mismatch between what the user sees and what the device actually registers. “The key to TapTrap is using an animation that renders the target activity nearly invisible,” the researchers say on a website that explains the attack.

The researchers say that animations are enabled on the latest Android version unless the user disables them from the developer options or accessibility settings, exposing the devices to TapTrap attacks. Marco Squarcina told BleepingComputer that they tried TapTrap on a Google Pixel 8a running Android 16 and they can confirm that the issue remains unmitigated. GrapheneOS, the mobile operating system focused on privacy and security, also confirmed to BleepingComputer that the latest Android 16 is vulnerable to the TapTrap technique, and announced that their next release will include a fix.

To check if TapTrap could work with applications in Play Store, the official Android repository, the researchers analyzed close to 100,000.

A malicious app installed on the target device launches a sensitive system screen (permission prompt, system setting, etc.) from another app using ‘startActivity()’ with a custom low-opacity animation.
Thinking they are interacting with the benign app, a user may tap on specific screen positions that correspond to risky actions, such as “Allow” or “Authorize” buttons on nearly invisible prompts. A video released by the researchers demonstrates how a game app could leverage TapTrap to enable camera access for a website via Chrome browser.

“This can be achieved by defining a custom animation with both the starting and ending opacity (alpha) set to a low value, such as 0.01,” thus making the malicious or risky activity almost completely transparent.

While developing the attack, the researchers used Android 15, the latest version at the time, but after Android 16 came out they also ran some tests on it.

“Google Play has policies in place to keep users safe that all developers must adhere to, and if we find that an app has violated our policies, we take appropriate action,” a Google representative told BleepingComputer.
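
The animation property described above can be checked for when reviewing an app's resources. The following is an added example, not code from the researchers or from BleepingComputer: it scans decoded Android animation resource XML for `<alpha>` animations whose starting and ending opacity both stay near zero. The 0.1 threshold, the resource file names and the sample XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALPHA_THRESHOLD = 0.1  # assumed cut-off; the article only cites 0.01 as an example


def _alpha(elem, name):
    """Return android:<name> as a float, or None if absent or not a literal."""
    raw = elem.get(f"{{{ANDROID_NS}}}{name}")
    try:
        return float(raw) if raw is not None else None
    except ValueError:
        return None  # resource reference (e.g. @dimen/...), not judged here


def find_near_invisible_alpha(xml_text, threshold=ALPHA_THRESHOLD):
    """Return (fromAlpha, toAlpha) for each <alpha> that never rises above threshold."""
    hits = []
    for elem in ET.fromstring(xml_text).iter("alpha"):
        start, end = _alpha(elem, "fromAlpha"), _alpha(elem, "toAlpha")
        if start is not None and end is not None and max(start, end) <= threshold:
            hits.append((start, end))
    return hits


def scan_resources(resources, threshold=ALPHA_THRESHOLD):
    """Map each flagged resource name to its near-invisible alpha pairs."""
    report = {}
    for name, xml_text in resources.items():
        hits = find_near_invisible_alpha(xml_text, threshold)
        if hits:
            report[name] = hits
    return report


# Constructed sample resources (hypothetical file names), as decoded text XML.
SAMPLES = {
    "res/anim/stay_hidden.xml": f'<set xmlns:android="{ANDROID_NS}">'
        '<alpha android:fromAlpha="0.01" android:toAlpha="0.01"/></set>',
    "res/anim/fade_in.xml": f'<alpha xmlns:android="{ANDROID_NS}" '
        'android:fromAlpha="0.0" android:toAlpha="1.0"/>',
    "res/anim/by_reference.xml": f'<alpha xmlns:android="{ANDROID_NS}" '
        'android:fromAlpha="@dimen/a" android:toAlpha="@dimen/a"/>',
}

if __name__ == "__main__":
    for name, hits in scan_resources(SAMPLES).items():
        print(f"{name}: alpha never exceeds {ALPHA_THRESHOLD}: {hits}")
```

Resource XML inside an APK is stored in a compiled binary form and has to be decoded to text first; a hit is a prompt for manual review, not proof of abuse, since ordinary fade-in and fade-out animations are deliberately not flagged.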
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 08 Jul 2025 19:40:14 +0000