Alarming TapTrap Attack Employs An Invisible UI Trick To Bypass Android Security

A group of security researchers has developed an alarming tapjacking attack called TapTrap, which allows zero-permission apps to carry out actions that are not displayed on the screen. With TapTrap, an app can escape Android's security safeguards and eventually access sensitive data, or even do dangerous (and annoying) things like wiping your phone.

Here's how it works. Android uses transition animations to visually show how you move from one app to another. When you switch from App A to App B, the system plays a closing animation for App A and an opening animation for App B. TapTrap leverages this animation method such that App A can open App B, but you won't know because the screen still displays App A. Additionally, whatever you tap on App A will reflect in App B.

According to the developers, this was made possible using an animation that renders the target activity (App B) nearly invisible. Basically, App B is working, but you do not know because the opacity is very low.


So, you may be playing a game on your Android and tapping specific areas on the screen that allow you to win points, but unknown to you, these areas correspond to an "Allow Permissions" button on the app you're not seeing. All you think you're doing is winning points, but you've just allowed a malicious app to access sensitive data, something you wouldn't do normally. That's how dangerous TapTrap is.

While Google (there was an urgent update for Google chrome users by the way) and other major browsers have found a way to fix this attack, Android remains vulnerable. Even the latest versions, Android 15 and 16 (a new display feature will likely be added) are open to the TapTrap attack. Android is reportedly working on mitigating the issue in a future update. For now, about 76% of Play Store apps are an open floor for TapTrap.