A new attack called TapTrap abuses Android's activity transition animations to trick users into granting sensitive permissions without their knowledge. Unlike traditional overlay attacks, TapTrap relies on a transparent activity shown during an app transition. It works even on Android 15 and is almost impossible to detect.
TU Wien researchers discovered the vulnerability after analyzing how Android handles transitions between apps. The attack works by launching a legitimate application with a near-transparent animation, allowing the malicious application to place invisible buttons exactly where the user expects to interact with its interface.
How the attack works
“We try this by creating a simple game where you can collect points by tapping small errors on the screen,” explains Philipp Beer of TU Wien’s Security and Privacy Group. “But the game then opens another app, like a browser. Now we can place the errors in the game anywhere we want to click the exact location on the screen.”
The attack takes advantage of Android's activity transition animations, which normally smooth the visual switch between applications. By setting the opacity of the launched application to almost zero (approximately 0.01), the malicious application remains visible while the transparent application actually receives the user's taps.
https://www.youtube.com/watch?v=-xma6dx7cb8
Attack capabilities
TapTrap can bypass a variety of Android security mechanisms with devastating effects:
- Runtime permissions: silently grant access to the camera, microphone and location
- Notification access: intercept sensitive notifications, including 2FA codes
- Device administrator privileges: enable remote device wiping and locking
- Web clickjacking: trick users into granting browser permissions
The researchers tested the attack on 20 participants using the tapping game. Even when warned of a potential security threat, all participants failed to detect at least one variant of the attack.
Browser vulnerability
TapTrap also affects web browsers through Android's Custom Tabs feature. The attack can grant permissions to malicious websites, and these permissions remain even after the original application is uninstalled. Chrome, Firefox and other major browsers were initially vulnerable, although Chrome and Firefox have since implemented fixes.
Current Android status
The team analyzed 99,705 apps from the Google Play Store and found no evidence of TapTrap being used in the wild. However, 76.3% of the analyzed applications are vulnerable to the attack method.
“We checked about 100,000 apps from the Play Store, but didn’t find any apps that exploited this vulnerability,” Beer said. “So we hope that the vulnerability has not done any real damage yet, but of course, the problem needs to be solved.”
The team discovered an additional flaw that allowed the animation to run for up to 6 seconds instead of the expected 3-second limit, effectively doubling the attack window. Google marked it as “Wontfix” and stated that it does not affect platform security.
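A static check of the kind an app-vetting pipeline could run for the low-opacity, long-running transition animations described above. This is an added example, not the TU Wien team's analysis tool; the thresholds are assumptions, the sample XML is constructed, and the input is assumed to be animation resources already decoded from the APK to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ALPHA_MAX = 0.1   # assumed threshold for "almost invisible" (the article cites ~0.01)
SCALE_MIN = 2.0   # assumed threshold for an enlarging zoom effect
LONG_MS = 1000    # assumed: long enough for a user tap to land mid-transition

def _num(elem, attr, default):
    """Read a numeric android: attribute; resource refs and percentages fall back to default."""
    try:
        return float(elem.get(ANDROID_NS + attr))
    except (TypeError, ValueError):
        return default

def scan_animation(xml_text):
    """Return (tag, reason) findings for one decoded res/anim XML document."""
    findings = []
    root = ET.fromstring(xml_text)
    inherited = _num(root, "duration", 0.0)  # duration declared on the root <set>
    for elem in root.iter():
        # Conservative: use the longer of the element's own and the root's duration.
        duration = max(_num(elem, "duration", 0.0), inherited)
        if elem.tag == "alpha":
            # Flag only if the view never becomes clearly visible during the animation.
            peak = max(_num(elem, "fromAlpha", 1.0), _num(elem, "toAlpha", 1.0))
            if peak <= ALPHA_MAX and duration >= LONG_MS:
                findings.append(("alpha", f"opacity stays <= {peak} for {duration:.0f} ms"))
        elif elem.tag == "scale":
            zoom = max(_num(elem, "toXScale", 1.0), _num(elem, "toYScale", 1.0))
            if zoom >= SCALE_MIN and duration >= LONG_MS:
                findings.append(("scale", f"zooms to {zoom}x over {duration:.0f} ms"))
    return findings

# Constructed samples, not taken from any real app.
SUSPICIOUS = """<set xmlns:android="http://schemas.android.com/apk/res/android"
     android:duration="3000">
  <alpha android:fromAlpha="0.01" android:toAlpha="0.01"/>
  <scale android:fromXScale="1.0" android:toXScale="4.0"
         android:fromYScale="1.0" android:toYScale="4.0"/>
</set>"""
BENIGN = """<alpha xmlns:android="http://schemas.android.com/apk/res/android"
     android:fromAlpha="0.0" android:toAlpha="1.0" android:duration="300"/>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_animation(doc))
```

A hit is only a lead for manual review: an ordinary fade-out can also end at low opacity, so the finding has to be correlated with where the app uses the animation.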
Current protection
As of June 2025, Android 15 is still vulnerable to TapTrap attacks. Current mitigation options include:
- Disable application animations in the accessibility settings
- Monitor status bar icons for unexpected camera/microphone access
- Install apps only from trusted sources
The team proposed system-level solutions that include blocking touch events during low-opacity transitions and limiting zoom effects in animations. However, these fixes have not been implemented in Android.