A new attack called TapTrap exploits Android’s activity transition animations to trick users into granting sensitive permissions without their knowledge. Unlike traditional overlay attacks, TapTrap uses transparent activities during app transitions, making it virtually undetectable and effective even on Android 15.
Researchers at TU Wien discovered the vulnerability after analyzing how Android handles app-to-app transitions. The attack works by launching a legitimate app with near-transparent animations, allowing malicious apps to position invisible buttons exactly where users expect to interact with their own interface.
How the Attack Works
“We tried this out by creating a simple game where you collect points by tapping little bugs on the screen,” explains Philipp Beer from TU Wien’s Security and Privacy Group. “But the game then opens another app, such as a browser. We can now place our bugs from the game wherever we want so that the exact position on the screen is tapped.”
The attack exploits Android’s activity transition animations, which typically make app switches visually smooth. By setting the launched app’s opacity to nearly zero (around 0.01), the malicious app remains visible while the transparent app actually receives user taps.
Attack Capabilities
TapTrap can bypass multiple Android security mechanisms with devastating effects:
- Runtime permissions: Secretly grants access to camera, microphone, and location
- Notification access: Intercepts sensitive notifications including 2FA codes
- Device admin privileges: Enables remote device wiping and locking
- Web clickjacking: Tricks users into granting browser permissions
The researchers tested the attack on 20 participants using a bug-catching game. All participants failed to detect at least one variant of the attack, even after being warned about potential security threats.
Browser Vulnerabilities
TapTrap also affects web browsers through Android’s Custom Tabs feature. The attack can grant malicious websites persistent permissions that remain even after uninstalling the originating app. Chrome, Firefox, and other major browsers were initially vulnerable, though Chrome and Firefox have since implemented fixes.
Current Android Status
The research team analyzed 99,705 apps from Google Play Store and found no evidence of TapTrap being exploited in the wild. However, 76.3% of analyzed apps are vulnerable to the attack method.
“We examined around 100,000 apps from the Play Store and didn’t find any that exploit this vulnerability,” notes Beer. “We therefore hope that the vulnerability has not yet done any real damage – but of course the problem needs to be fixed.”
The team discovered an additional flaw that allows animations to run for up to 6 seconds instead of the intended 3-second limit, effectively doubling the attack window. Google marked this as “WontFix,” stating it doesn’t affect platform security.
Current Protections
Android 15 remains vulnerable to TapTrap attacks as of June 2025. Current mitigation options include:
- Disabling app animations in accessibility settings
- Monitoring status bar icons for unexpected camera/microphone access
- Only installing apps from trusted sources
The research team has proposed system-level solutions, including blocking touch events during low-opacity transitions and limiting zoom effects in animations. However, these fixes have not yet been implemented in Android.
ScienceBlog.com has no paywalls, no sponsored content, and no agenda beyond getting the science right. Every story here is written to inform, not to impress an advertiser or push a point of view.
Good science journalism takes time — reading the papers, checking the claims, finding researchers who can put findings in context. We do that work because we think it matters.
If you find this site useful, consider supporting it with a donation. Even a few dollars a month helps keep the coverage independent and free for everyone.