A new tapjacking technique, known as TapTrap, exploits user interface animations on Android to bypass the platform's permission system. It can trick users into granting access to sensitive data or into taking destructive actions, such as wiping their devices. Unlike traditional overlay-based tapjacking, TapTrap needs no permissions at all: a zero-permission app launches a legitimate, sensitive activity (a permission prompt, for example) that is rendered nearly transparent on top of the app's own malicious UI. The behaviour remains unmitigated in both Android 15 and 16.
Developed by a dedicated team of security researchers from TU Wien and the University of Bayreuth—comprising Philipp Beer, Marco Squarcina, Sebastian Roth, and Martina Lindorfer—TapTrap is set to be unveiled at the upcoming USENIX Security Symposium. In anticipation of this presentation, the researchers have already shared a technical paper detailing the attack, along with a website summarizing its key aspects.
How TapTrap works
At the heart of TapTrap lies a manipulation of how Android handles activity transitions through custom animations, creating a mismatch between what the user sees on screen and what the system registers as touched. Once a malicious app is installed, it can launch a sensitive screen belonging to another app or to the system itself, such as a permission prompt or a settings page, with an ordinary 'startActivity()' call, supplying a custom enter animation with very low opacity.
The researchers explain, “The key to TapTrap is using an animation that renders the target activity nearly invisible.” By defining a custom animation with both the starting and ending opacity set to a low value, such as 0.01, the risky activity becomes almost completely transparent. An optional scale animation can further enhance this effect, zooming in on specific UI elements, like a permission button, thereby increasing the likelihood that users will inadvertently interact with it.
Source: taptrap.click
Because the nearly invisible prompt sits on top of the stack, it receives all touch events, while the user sees only the malicious app's UI underneath. The attacker's UI can therefore steer the user into tapping the screen positions that correspond to risky actions, such as the "Allow" or "Authorize" button of the almost invisible prompt. A demonstration video released by the researchers shows a game exploiting TapTrap to obtain camera access for a website via the Chrome browser.
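The mechanism above, as an added self-test example that is not part of the paper or the researchers' code: an app launches one of its own activities with the kind of near-invisible enter animation TapTrap relies on, and the target activity logs whether taps reach it before its enter animation has completed. The package, class and resource names and the 3000 ms animation duration are assumptions; the alpha value of 0.01 is the one the researchers describe.

```kotlin
// Added example (not the researchers' code): does one of MY activities still accept taps
// while the caller's custom enter animation keeps it nearly invisible? If the "touch
// received while still nearly invisible" line appears in logcat, the activity meets
// conditions 3 and 4 of the TapTrap checklist.
//
// res/anim/near_invisible_enter.xml (enter animation supplied by the CALLER, assumed name):
// <set xmlns:android="http://schemas.android.com/apk/res/android">
//     <!-- start and end alpha both 0.01: the target stays ~invisible for the whole
//          animation but is on top of the stack and receives every touch event -->
//     <alpha android:fromAlpha="0.01" android:toAlpha="0.01"
//            android:duration="3000" />   <!-- duration is an assumption -->
//     <!-- the researchers also describe an optional <scale> animation that zooms a
//          chosen button under the spot the user is expected to tap; omitted here -->
// </set>
package com.example.taptrapselftest  // assumed package name

import android.app.Activity
import android.app.ActivityOptions
import android.content.Intent
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.widget.Button

/** Caller side: plain startActivity() plus a custom transition; no permission needed. */
class LauncherActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val opts = ActivityOptions.makeCustomAnimation(
            this, R.anim.near_invisible_enter, /* exitResId = */ 0
        )
        startActivity(Intent(this, ActivityUnderTest::class.java), opts.toBundle())
    }
}

/** Target side: records when taps arrive relative to the enter animation. */
class ActivityUnderTest : Activity() {
    private var enterAnimationDone = false
    private var createdAt = 0L

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        createdAt = System.currentTimeMillis()
        val allow = Button(this).apply {
            text = "Allow"
            setOnClickListener {
                Log.w(TAG, "'Allow' clicked ${System.currentTimeMillis() - createdAt} ms " +
                           "after onCreate; enterAnimationDone=$enterAnimationDone")
            }
        }
        setContentView(allow)
    }

    // The framework calls this once our window's enter animation has finished.
    override fun onEnterAnimationComplete() {
        super.onEnterAnimationComplete()
        enterAnimationDone = true
        Log.i(TAG, "enter animation complete " +
                   "${System.currentTimeMillis() - createdAt} ms after onCreate")
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        if (!enterAnimationDone && ev.action == MotionEvent.ACTION_DOWN) {
            // A tap landing here is one the user could not have seen: the activity is
            // still drawn at alpha 0.01. A vulnerable activity simply passes it through.
            Log.w(TAG, "touch received while still nearly invisible")
        }
        return super.dispatchTouchEvent(ev)
    }

    companion object { private const val TAG = "TapTrapSelfTest" }
}
```

Both activities must be declared in the manifest; run the launcher, tap the centre of the screen during the first three seconds, and compare the timestamps of the two log lines. The same launch pattern against a third-party or system activity is what the researchers describe, which is why the conditions in the next section matter for any exported screen.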
Risk exposure
To evaluate the potential impact of TapTrap on applications available in the Play Store, the researchers analyzed nearly 100,000 apps. They found that 76% of these applications are vulnerable to TapTrap because they contain a screen ("activity") that meets all of the following conditions:
- Can be launched by another app
- Runs in the same task as the calling app
- Does not override the transition animation
- Does not wait for the animation to finish before responding to user input
Animations remain enabled in the latest Android versions unless users disable them through developer options or accessibility settings, thus leaving devices exposed to TapTrap attacks. The researchers initially developed the attack using Android 15 and later confirmed its effectiveness on Android 16, including tests conducted on a Google Pixel 8a.
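One way a developer can make a sensitive activity fail conditions 3 and 4 above, as an added example that is not the researchers' recommendation, Google's fix, or GrapheneOS's patch: the activity replaces whatever enter transition the caller requested with no animation, and it swallows touch events until the framework reports that the enter animation has completed plus a short grace period. The package and class names, the 300 ms grace period and the 1500 ms fallback are assumptions.

```kotlin
// Added example (not from the paper or any vendor's fix): a sensitive activity that
// (a) overrides the caller-supplied transition, so a near-transparent <alpha> animation
//     never applies to its window (defeats condition 3), and
// (b) refuses input until its enter animation is reported complete (defeats condition 4).
// Conditions 1 and 2 are manifest-level: set android:exported="false" where the screen
// need not be reachable from other apps, otherwise give it its own taskAffinity so it
// does not run in the caller's task.
package com.example.hardened  // assumed package name

import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.os.SystemClock
import android.view.MotionEvent
import android.widget.Button

class SensitiveConfirmActivity : Activity() {
    // uptimeMillis before which every touch event is consumed and dropped.
    private var acceptInputAfter = 0L

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // (a) Replace the caller's enter/exit transition with "no animation".
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            overrideActivityTransition(OVERRIDE_TRANSITION_OPEN, 0, 0)
        } else {
            @Suppress("DEPRECATION")
            overridePendingTransition(0, 0)
        }
        // (b) Fallback so the screen never becomes unusable if the animation-complete
        //     callback does not arrive; onEnterAnimationComplete() below is authoritative.
        acceptInputAfter = SystemClock.uptimeMillis() + FALLBACK_MS

        val allow = Button(this).apply {
            text = "Allow"
            // Defence in depth against classic overlay tapjacking. On its own this flag
            // does NOT stop TapTrap: here the sensitive activity is the one on top, so
            // nothing obscures it.
            filterTouchesWhenObscured = true
            setOnClickListener { grant() }
        }
        setContentView(allow)
    }

    // Called by the framework when our window's enter animation has finished.
    override fun onEnterAnimationComplete() {
        super.onEnterAnimationComplete()
        acceptInputAfter = SystemClock.uptimeMillis() + GRACE_MS
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        // Consume everything, including the ACTION_DOWN that would start a click,
        // until the animation is over and the grace period has elapsed.
        if (ev.eventTime < acceptInputAfter) return true
        return super.dispatchTouchEvent(ev)
    }

    private fun grant() {
        // Perform the sensitive action here, then return to the caller.
        setResult(RESULT_OK)
        finish()
    }

    companion object {
        private const val GRACE_MS = 300L      // assumed value
        private const val FALLBACK_MS = 1500L  // assumed value
    }
}
```

The transition override is the primary control; the input gate is a second layer in case the override is ever bypassed. Note that disabling animations system-wide, as users can do in developer or accessibility settings, protects the device as a whole, but an app cannot rely on its users having done so.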
Marco Squarcina informed BleepingComputer that the issue remains unaddressed in Android 16. Additionally, GrapheneOS, a mobile operating system focused on privacy and security, has confirmed its vulnerability to the TapTrap technique and announced that a fix will be included in their next release.
In response to inquiries about TapTrap, a Google spokesperson stated that the company is aware of the research and plans to address the issue in a future update. “Android is constantly improving its existing mitigations against tapjacking attacks. We are aware of this research and we will be addressing this issue in a future update. Google Play has policies in place to keep users safe that all developers must adhere to, and if we find that an app has violated our policies, we take appropriate action,” the representative assured.