TapTrap

AppWizard
July 12, 2025
A new tapjacking technique called TapTrap can exploit user interface animations on Android devices, bypassing the permission system and potentially allowing access to sensitive data or harmful actions. TapTrap operates with zero-permission applications, layering a transparent activity over a malicious one. This vulnerability exists in both Android 15 and 16. Developed by researchers from TU Wien and the University of Bayreuth, TapTrap manipulates activity transitions using custom low-opacity animations, making risky prompts nearly invisible to users. An analysis of nearly 100,000 apps revealed that 76% are vulnerable to TapTrap due to specific conditions related to activity launching and animation handling. The attack has been confirmed on Android 16, including tests on a Google Pixel 8a. GrapheneOS has acknowledged its vulnerability to TapTrap and plans to include a fix in its next release. Google is aware of the issue and intends to address it in a future update.
AppWizard
July 9, 2025
A new Android vulnerability named TapTrap allows malicious applications to bypass the operating system's permission system without requiring special permissions. It exploits activity transition animations to mislead users into granting sensitive permissions or executing harmful actions. Researchers from TU Wien analyzed 99,705 applications on the Google Play Store and found that 76.3% are susceptible to this attack. TapTrap uses low-opacity animations (approximately 0.01 alpha) to make sensitive permission dialogs nearly invisible while still registering touch events. The attack can last up to six seconds and can lead to unauthorized access to critical functionalities like the camera and microphone, and even device administrator privileges. TapTrap bypasses existing defenses against tapjacking in Android, affecting popular web browsers as well. A user study showed that all participants failed to detect at least one variant of the attack. As of June 2025, Android 15 remains vulnerable, with no timeline for a comprehensive fix. The vulnerability has been assigned two CVEs, and researchers disclosed their findings to Google in October 2024. They propose solutions to mitigate the risks, including blocking touch events during low-opacity animations and setting an opacity threshold of 0.2.
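The mitigation proposed above, modelled as an added example (not the researchers' code, and not Android's real input dispatcher): touch events are dropped while the animating top activity's alpha is below the 0.2 threshold. The keyframe animations and tap timings are constructed to mirror the summary (alpha 0.01 held for six seconds).

```python
# Simulated touch dispatch during an Android activity transition animation.
# Added illustration only: models the proposed OS-level mitigation (drop touches
# while the animating top activity's alpha is below a threshold) against the
# behaviour the summaries describe. Not the researchers' or Android's code.
from dataclasses import dataclass
from typing import List, Tuple

OPACITY_THRESHOLD = 0.2  # threshold proposed by the researchers


@dataclass
class Animation:
    """Alpha keyframes as (time_ms, alpha) with strictly increasing times;
    alpha is linearly interpolated between keyframes."""
    keyframes: List[Tuple[int, float]]

    def alpha_at(self, t_ms: int) -> float:
        kf = self.keyframes
        if t_ms <= kf[0][0]:
            return kf[0][1]
        for (t0, a0), (t1, a1) in zip(kf, kf[1:]):
            if t0 <= t_ms <= t1:
                return a0 + (a1 - a0) * (t_ms - t0) / (t1 - t0)
        return kf[-1][1]  # animation finished: activity fully drawn


def dispatch(anim: Animation, t_ms: int, mitigated: bool) -> str:
    """Who receives a tap at t_ms: the animating top activity, or nobody."""
    alpha = anim.alpha_at(t_ms)
    if mitigated and alpha < OPACITY_THRESHOLD:
        return "blocked"  # activity too faint for the user to have consented
    return "top_activity"  # current behaviour: touches land on the top activity


# Constructed TapTrap-style transition: the launched sensitive dialog is held
# at alpha 0.01 for six seconds, then snaps to fully visible.
TAPTRAP_ANIM = Animation([(0, 0.01), (6000, 0.01), (6001, 1.0)])
# Constructed ordinary 300 ms fade-in, to show the cost of the mitigation.
NORMAL_ANIM = Animation([(0, 0.0), (300, 1.0)])


def run_scenario(anim: Animation, taps_ms: List[int], mitigated: bool) -> List[str]:
    return [dispatch(anim, t, mitigated) for t in taps_ms]


if __name__ == "__main__":
    taps = [500, 3000, 6500]
    print("vulnerable:", run_scenario(TAPTRAP_ANIM, taps, mitigated=False))
    print("mitigated: ", run_scenario(TAPTRAP_ANIM, taps, mitigated=True))
    print("normal:    ", run_scenario(NORMAL_ANIM, [30, 150], mitigated=True))
```

Under the mitigation only the tap after the dialog becomes visible reaches it, while a normal fade-in loses touches for just its first 60 ms.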
AppWizard
July 9, 2025
A technique for Android devices called TapTrap allows malicious applications to intercept user taps without requiring special permissions. It uses transparent screen transitions to mislead users into triggering hidden actions. Devices running Android versions 15 and 16 are particularly vulnerable. TapTrap operates by overlaying a nearly transparent screen on top of another application, making it appear as if users are interacting with one app while their taps are registered by the hidden screen. A study of around 100,000 Android applications revealed that approximately 76 percent contained screens vulnerable to TapTrap. The researchers successfully executed the attack on a Google Pixel 8a running Android 16. Google has acknowledged the issue and plans to include a fix in a future software update, but no specific timeline has been provided. Users can enhance their security by disabling animations in their system settings.