TapTrap Attack Exploits UI Animations to Bypass Android’s Permission System

Red Dog Security

2 min read
TapTrap Attack Exploits UI Animations to Bypass Android’s Permission System

Security researchers have uncovered a new technique—dubbed TapTrap—that exploits Android’s user interface (UI) animations to bypass the platform’s permission system. The attack allows malicious apps to steal sensitive data or trick users into performing dangerous actions, including factory-resetting their devices.

What Is TapTrap?

TapTrap is a modern form of tapjacking, a mobile adaptation of clickjacking, where users are tricked into tapping UI elements that appear harmless but perform malicious actions in the background.

Unlike traditional tapjacking—which typically requires overlay permissions—TapTrap can be executed by apps with zero permissions, making it particularly dangerous. It works by launching transparent activities that visually mislead users, even on Android 15 and 16.

How TapTrap Works

Developed by researchers from TU Wien (Vienna University of Technology) and the University of Bayreuth, TapTrap exploits Android activity transition animations to create a disconnect between what users see and what actually happens on screen.

Attack Flow:

  1. Malicious App Setup
    A malicious app invokes a system screen (e.g., permission prompt or settings page) using startActivity().
    It applies a nearly invisible transition animation (e.g., with an alpha value of 0.01), making the new activity practically transparent.
  2. Deceptive Interaction
    Users believe they’re interacting with a legitimate app interface.
    In reality, their taps are intercepted by the hidden activity.
    Scaling animations can also enlarge key UI elements like "Allow" buttons, increasing the chance of accidental interaction.
  3. Exploitation
    Without realizing it, users may:
    • Grant sensitive permissions
    • Enable malicious settings
    • Trigger commands like factory reset

Proof of Concept

In a demonstration video, the researchers showed how a game app could exploit TapTrap to hijack Chrome’s camera permissions—without ever alerting the user.

Scope of the Vulnerability

Researchers analyzed nearly 100,000 apps from the Google Play Store and found that 76% were potentially vulnerable. Apps were classified as at-risk if they:

  • Allowed activities to be launched by other apps
  • Shared the same task stack as the calling app
  • Did not override transition animations
  • Accepted user input before the animation completed

Affected Versions

  • Initially tested on Android 15
  • Confirmed to work on Android 16 (Google Pixel 8a)
  • The issue persists unless users manually disable animations in Developer Options or Accessibility Settings

Google’s Response

Google acknowledged the findings and issued the following statement:

“Android continuously improves tapjacking protections. We’re aware of this research and will address it in a future update. Google Play enforces strict security policies, and violations will be met with appropriate action.”

Mitigation Recommendations

Until an official patch is released, users are advised to:

  • Disable animations via Developer Options or Accessibility settings
  • Exercise caution when granting permissions or interacting with unfamiliar apps
  • Limit app installs to trusted sources, such as the Google Play Store

What’s Next?

The TapTrap research will be presented at the USENIX Security Symposium next month. A technical paper and dedicated website outlining the attack are already available to the public.

Read more