NewApp Digest
search bot

Android vulnerability

Boffins build automated Android bug hunting system
AppWizard
September 6, 2025

Boffins build automated Android bug hunting system

Researchers from Nanjing University and The University of Sydney have developed an AI vulnerability identification system called A2, which is designed to discover and validate vulnerabilities in Android applications. A2 achieves 78.3 percent coverage on the Ghera benchmark, outperforming static analyzers like APKHunt, which only reaches 30.0 percent. In testing on 169 production APKs, A2 identified 104 true-positive zero-day vulnerabilities, with 57 validated through automatically generated proof-of-concept exploits. One identified vulnerability was a medium-severity flaw in an Android app with over 10 million installs, specifically an intent redirect issue. A2 integrates various commercial AI models for planning, execution, and validation of tasks, improving upon its predecessor, A1, which lacked robust validation. The system effectively reduces false positives by providing valuable signals rather than overwhelming noise.
TapTrap Android Exploit Allows Malicious Apps to Bypass Permissions
AppWizard
July 9, 2025

TapTrap Android Exploit Allows Malicious Apps to Bypass Permissions

A new Android vulnerability named TapTrap allows malicious applications to bypass the operating system's permission system without requiring special permissions. It exploits activity transition animations to mislead users into granting sensitive permissions or executing harmful actions. Researchers from TU Wien analyzed 99,705 applications on the Google Play Store and found that 76.3% are susceptible to this attack. TapTrap uses low-opacity animations (approximately 0.01 alpha) to make sensitive permission dialogs nearly invisible while still registering touch events. The attack can last up to six seconds and can lead to unauthorized access to critical functionalities like the camera and microphone, and even device administrator privileges. TapTrap bypasses existing defenses against tapjacking in Android, affecting popular web browsers as well. A user study showed that all participants failed to detect at least one variant of the attack. As of June 2025, Android 15 remains vulnerable, with no timeline for a comprehensive fix. The vulnerability has been assigned two CVEs, and researchers disclosed their findings to Google in October 2024. They propose solutions to mitigate the risks, including blocking touch events during low-opacity animations and setting an opacity threshold of 0.2.
Researchers Warn: This Android Animation Glitch Lets Apps Spy, Snap, and Steal... Undetected
AppWizard
July 9, 2025

Researchers Warn: This Android Animation Glitch Lets Apps Spy, Snap, and Steal… Undetected

A technique for Android devices called TapTrap allows malicious applications to intercept user taps without requiring special permissions. It uses transparent screen transitions to mislead users into triggering hidden actions. Devices running Android versions 15 and 16 are particularly vulnerable. TapTrap operates by overlaying a nearly transparent screen on top of another application, making it appear as if users are interacting with one app while their taps are registered by the hidden screen. A study of around 100,000 Android applications revealed that approximately 76 percent contained screens vulnerable to TapTrap. The researchers successfully executed the attack on a Google Pixel 8a running Android 16. Google has acknowledged the issue and plans to include a fix in a future software update, but no specific timeline has been provided. Users can enhance their security by disabling animations in their system settings.
Google Play Store’s Bug Bounty Program to End on August 31
AppWizard
August 21, 2024

Google Play Store’s Bug Bounty Program to End on August 31

Google's bug bounty program for Android apps, the Google Play Security Reward Program (GPSRP), will conclude on August 31, 2024. Launched in 2017, the program incentivized researchers to find security vulnerabilities in popular Android applications, initially targeting select developers with rewards up to ,000 for critical issues. In 2019, it expanded to all apps with over 100 million downloads, increasing potential payouts to 0,000. The decision to end the program is due to a decline in actionable vulnerabilities reported, attributed to improvements in Android OS security. Google will continue investing in other security initiatives, such as the Android Vulnerability Rewards Program (AVRP). Researchers are encouraged to submit findings before the program ends, with reports due by September 15 and final decisions by September 30.
Google to remove app from Pixel devices following claims that it made phones vulnerable
AppWizard
August 16, 2024

Google to remove app from Pixel devices following claims that it made phones vulnerable

Google and iVerify are in conflict over the security implications of an application called "Showcase.apk," found on many Android Pixel devices since September 2017. iVerify claims that this app, which operates at the system level, makes these devices vulnerable to man-in-the-middle (MITM) attacks. The app was discovered on a Palantir employee's device, leading Palantir to confirm that it compromises security and announce plans to phase out Android devices. Google disputes iVerify's claims, stating that the app is not a vulnerability of the Android platform but was developed by Smith Micro for Verizon's in-store demonstrations. Google plans to remove the app from supported Pixel devices and asserts that exploiting it requires physical access and the user's password. Verizon confirmed that the demo capability of the app is no longer used. iVerify's co-founder criticized Google's distribution of the app and expressed concerns about the inability to remove it, labeling it an Android vulnerability. iVerify warns that this situation creates an "untrusted ecosystem" for corporate security, as millions of Android devices are used in workplaces. Researchers speculate that cybercriminals could exploit vulnerabilities in the app's infrastructure.
Nearly All Google Pixel Phones Exposed by Unpatched Flaw in Hidden Android App
AppWizard
August 15, 2024

Nearly All Google Pixel Phones Exposed by Unpatched Flaw in Hidden Android App

A vulnerability has been identified in Google Pixel devices, linked to a software package called “Showcase.apk,” which has existed in every Android release for these devices since September 2017. This application, created by Smith Micro for Verizon, operates at the system level and has extensive privileges, including remote code execution and the ability to install software remotely. It downloads configuration files via an unencrypted HTTP connection, making it susceptible to exploitation. iVerify disclosed this vulnerability to Google in early May, but a fix has not yet been released. Google has stated that Showcase is no longer in use by Verizon and that an update to remove it from supported Pixel devices is forthcoming. There is currently no evidence of active exploitation, and the app is absent in the newly announced Pixel 9 series. However, concerns remain about the potential for exploitation, particularly if a remote activation method is discovered. iVerify also speculates that Showcase could be present in other Android devices, and Google is notifying other manufacturers about the issue.
New Android security flaw lets hackers seize control of apps — uninstall these immediately
AppWizard
May 5, 2024

New Android security flaw lets hackers seize control of apps — uninstall these immediately

A critical security vulnerability known as "Dirty Stream" has been discovered in the Android ContentProvider system, allowing attackers to hijack communications between apps. Over four billion installations of Android apps are affected by this vulnerability, with popular apps like Xiaomi Inc.’s File Manager and WPS Office being patched. Users are advised to avoid sideloading apps and activate Google Play Protect on their devices to safeguard against malware.
Search