Android Vulnerability – TapTrap Attack Lets Malicious Apps Evade Permissions and Cause Damage

Researchers from TU Wien and the University of Bayreuth have discovered a critical Android vulnerability called TapTrap that allows malicious apps to bypass the operating system’s permission system without requiring any special permissions.

This zero-permission attack exploits Android’s activity transition animations to trick users into unknowingly granting sensitive permissions or performing destructive actions, including complete device erasure.

Novel Animation-Based Attack Mechanism

Unlike traditional tapjacking attacks that rely on malicious overlays, TapTrap leverages a previously unexplored mechanism: activity transition animations.

The attack works by creating a mismatch between what users see on their screen and the app’s actual state.

When a malicious app launches a benign app's activity that contains sensitive UI elements, it applies a carefully crafted transition animation that renders the target activity nearly transparent by setting alpha values close to 0.01.

During the animation, the transparent activity sits on top of the stack and handles touch events, while the malicious app remains visible underneath.

Users believe they are interacting with the malicious app’s interface, but the hidden sensitive activity registers their touches.

The attack window lasts up to 6 seconds due to a flaw in Android’s animation duration restrictions, though the attack remains effective even within the intended 3-second limit.
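For app reviewers, the alpha and duration properties described above can be checked statically. The following is an added example, not code from the researchers or from this article: a small Python scanner that flags alpha animations which stay nearly invisible for their whole run. It assumes the animation ships as a decoded XML resource (for example under res/anim), and the thresholds, function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
MAX_ALPHA = 0.1        # assumed cut-off for "nearly transparent"
MIN_DURATION_MS = 500  # assumed: shorter fades are treated as ordinary UI polish

# Constructed samples: an ordinary fade-in, and a transition that never becomes visible.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
FADE_IN = f'<alpha {NS} android:fromAlpha="0.0" android:toAlpha="1.0" android:duration="300"/>'
HIDDEN = (f'<set {NS} android:duration="6000">'
          '<alpha android:fromAlpha="0.01" android:toAlpha="0.01"/></set>')

def _num(elem, name):
    """Return the attribute as a float, None if absent, 'ref' for a resource reference."""
    raw = elem.get(ANDROID + name)
    if raw is None:
        return None
    try:
        return float(raw)
    except ValueError:
        return "ref"  # e.g. @integer/..., cannot be resolved from this file alone

def scan_animation(xml_text):
    """Return a (verdict, peak_alpha, duration_ms) tuple per flagged <alpha> element."""
    findings = []

    def walk(elem, inherited_ms):
        own = _num(elem, "duration")
        # A duration set on an enclosing <set> overrides the children's own values.
        duration = inherited_ms if inherited_ms is not None else own
        if elem.tag == "alpha":
            start, end = _num(elem, "fromAlpha"), _num(elem, "toAlpha")
            if "ref" in (start, end, duration):
                findings.append(("review", None, None))
            else:
                # A missing fromAlpha/toAlpha is treated as 1.0 (fully opaque).
                peak = max(1.0 if start is None else start, 1.0 if end is None else end)
                ms = duration or 0.0
                if peak <= MAX_ALPHA and ms >= MIN_DURATION_MS:
                    findings.append(("suspicious", peak, ms))
        for child in elem:
            walk(child, duration)

    walk(ET.fromstring(xml_text), None)
    return findings

if __name__ == "__main__":
    for name, xml in (("fade_in", FADE_IN), ("hidden", HIDDEN)):
        print(name, scan_animation(xml))
```

Animations constructed in code rather than in XML resources are outside what this check can see, so a clean result is not proof of absence.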

Widespread Impact and Vulnerabilities

The research team analyzed 99,705 apps from the Google Play Store and found that 76.3% are vulnerable to TapTrap, though no evidence of active exploitation was discovered.

The attack enables several dangerous scenarios, including circumventing runtime permissions for location, camera, and microphone access, stealing notification content through notification listener permissions, and triggering complete device factory resets via device administrator privileges.

TapTrap’s impact extends beyond Android system components to web browsers supporting Custom Tabs.

Eight out of ten popular mobile browsers, including Chrome, Samsung Internet, and Firefox, are vulnerable to the attack.

This enables web-based clickjacking attacks and permission bypasses that persist even after the malicious app is uninstalled, as permissions remain associated with the browser rather than the removed app.

Current Status and Defense Challenges

The vulnerability affects all Android versions, including the latest Android 15, making it the only known tapjacking attack effective on current systems.

While browser vendors have addressed the issue following responsible disclosure, Google’s Android Security Team has acknowledged the vulnerability but has not yet implemented a system-wide fix.

The researchers assigned two CVEs to document the security flaws and conducted a user study with 20 participants, where all participants failed to detect at least one attack variant.

Current Android mitigations fail against TapTrap because they target overlay-based attacks, not animation-based exploitation.

The researchers recommend system-level fixes rather than placing the responsibility for mitigation on individual app developers.

Priya