A group of researchers has just discovered a clever (and worrying) new tapjacking technique called TapTrap, which can use Android system animations to bypass security permissions. In other words, it can trick users into granting access to sensitive information or even wiping their entire device... without them realizing it.
The curious (and dangerous) thing is that, unlike traditional tapjacking (which relies on overlaying visible windows), TapTrap works without requiring special permissions. It can activate an “innocent” screen at the same time as another with malicious intent. And worst of all, this trick is still effective even on the latest versions of Android, such as 15 and 16.
Behind this discovery is a group of security specialists from the Vienna University of Technology and the University of Bayreuth (Philipp Beer, Marco Squarcina, Sebastian Roth, and Martina Lindorfer). Although the official presentation will be next month, they have already shared a complete technical document and even created a website where they explain everything step by step.
TapTrap takes advantage of how Android displays transitions between screens using custom animations. What it does is create a “visual deception”: the user thinks they are seeing one thing, but in reality the device is registering their taps on something completely different.
Let's explain with an example: a malicious app installed on the phone launches an important system screen, such as a request for permissions or device settings, without the user noticing. To achieve this, it calls the standard Android method startActivity() along with a custom animation that makes the launched screen virtually invisible.
According to the researchers, the key is in that custom animation: they make the opacity (i.e., how visible the screen is) as low as 0.01. This makes the new activity, even though it is there, almost transparent, and the user is unaware that they are interacting with it.
To top it off, they can apply a zoom effect that makes, for example, an “allow access” button enlarge and take up a large part of the screen. This makes it much more likely that the user will accidentally touch it while thinking they are doing something completely innocent.
TapTrap overview (Source: taptrap.click)
Although the system detects the user's taps on a screen, what the person actually sees is something completely different: the “normal” app that appears to be running in the foreground. But in reality, on top of all that, there is an almost invisible screen that is recording the taps. A complete deception.
This makes the user think they are interacting with something harmless (such as a game or a well-known app), when in fact they are unintentionally tapping dangerous buttons such as “Allow” or “Authorize,” which can give access to the camera, microphone, or other sensitive data.
In fact, researchers showed in a video how a simple game could use TapTrap to get the Chrome browser to grant access to the camera... without the user ever noticing.
To find out if this attack could affect apps we use every day, the team analyzed some 100,000 apps from the Play Store. The result? Approximately 76% are vulnerable to TapTrap because they meet certain technical conditions, such as:
They allow another app to launch one of their screens.
That screen runs within the same “task” as the malicious app.
They do not disable default animations.
And they also react to user touch before the animation ends.
What's worrying? These animations are enabled by default on Android, and most users don't even know that they can be disabled from the developer options or accessibility settings.
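For developers auditing their own app, the first two conditions in the list above can be checked statically from the manifest. The following is an added example, not code from the researchers or from Android: the manifest, package and activity names are constructed, and treating only the `standard` and `singleTop` launch modes as "runs in the caller's task" is a simplifying assumption. The animation and touch-timing conditions are runtime behaviour and are not covered.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: launch modes under which a started activity joins the caller's task.
SAME_TASK_MODES = {"standard", "singleTop"}

# Constructed sample manifest (hypothetical package and activity names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true"
              android:launchMode="singleTask"/>
    <activity android:name=".GrantActivity" android:exported="true"/>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(activity):
    """An explicit android:exported wins; without it, an intent-filter
    implies export (the default before Android 12)."""
    explicit = activity.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return activity.find("intent-filter") is not None


def audit_manifest(manifest_xml):
    """Return the activities that another app can launch (condition 1)
    and that would start inside the launching app's task (condition 2)."""
    root = ET.fromstring(manifest_xml)
    flagged = []
    for activity in root.iter("activity"):
        mode = activity.get(ANDROID + "launchMode", "standard")
        if is_exported(activity) and mode in SAME_TASK_MODES:
            flagged.append(activity.get(ANDROID + "name"))
    return flagged


if __name__ == "__main__":
    for name in audit_manifest(SAMPLE_MANIFEST):
        print("review for TapTrap exposure:", name)
```

Each flagged activity is a candidate for manual review of the two remaining conditions, not a confirmed finding.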
The attack was developed using Android 15, but they also tested it with Android 16 (the latest version at the time of writing) on a Google Pixel 8a. And yes, it still works.
Even GrapheneOS (a privacy-focused operating system) confirmed that Android 16 is vulnerable. Fortunately, they have already announced that they will soon release an update with a fix.
As for Google, they said they are aware of the problem and plan to fix it in an upcoming system update. They also noted that Google Play policies prohibit this type of behavior and that they will take action if any app violates them.