Security researchers discover novel animation-based vulnerability affecting 76% of Android apps.
Security researchers at TU Wien have uncovered a sophisticated new attack vector dubbed “TapTrap” that enables malicious Android applications to bypass the operating system’s permission system and execute destructive actions without user knowledge.
The attack exploits a previously unknown vulnerability in Android’s activity transition animations, affecting even the latest Android 15 release.
How TapTrap Works
Unlike traditional tapjacking attacks that rely on overlaying malicious windows over legitimate apps, TapTrap leverages Android’s built-in activity transition animations to create a deceptive user interface.
The attack works by launching a transparent activity on top of a legitimate permission dialog or sensitive interface, making it nearly invisible to users while still capturing their touch inputs.
“TapTrap represents a fundamentally different approach to UI-based attacks,” explained the research team. “By exploiting animations rather than overlays, it bypasses all existing Android security mitigations designed to prevent tapjacking.”
The attack requires no special permissions, making malicious apps appear completely harmless during the installation process.
Within a 3-6 second window (extended due to an Android implementation bug), attackers can trick users into granting sensitive permissions or performing critical actions.
The researchers demonstrated several alarming attack scenarios:
- Permission Bypass: Malicious apps can secretly obtain access to the camera, microphone, location, contacts, and other sensitive data without user awareness
- Notification Interception: Attackers can gain access to all device notifications, including two-factor authentication codes
- Device Erasure: The attack can escalate to completely wiping a device by tricking users into granting device administrator privileges
- Web Vulnerabilities: TapTrap extends beyond Android, enabling clickjacking attacks against popular browsers, including Chrome, Firefox, Edge, and Samsung Internet

Widespread Vulnerability
The research team analyzed 99,705 Android applications from the Google Play Store, revealing that 76.3% are vulnerable to TapTrap attacks.

Fortunately, their investigation found no evidence of active exploitation in the wild, suggesting this represents a previously unknown threat vector.
To assess real-world impact, researchers conducted a user study with 20 participants. Alarmingly, every single participant failed to detect at least one attack variant, even after being informed about potential security threats.
Only 21% of uninformed users noticed security indicators when the camera was accessed covertly.
The researchers responsibly disclosed their findings to Google and affected browser vendors in October 2024. While Chrome version 135 and Firefox version 136 have implemented protections, Android 15 remains vulnerable as of June 2025.
Google acknowledged the issue but has not provided a timeline for system-level fixes.
The vulnerability has been assigned two CVEs (CVE-2025-3067 for Chrome and CVE-2025-1939 for Firefox), with Chrome awarding the researchers a $10,000 bug bounty.
Currently, app developers can implement limited protections by preventing custom animations on sensitive activities or deferring input handling until animations complete. However, researchers emphasize that comprehensive protection requires system-level changes from Google.
The research team proposes blocking touch events when animation opacity falls below defined thresholds and limiting extreme zoom effects during transitions.
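The same two criteria, opacity and zoom, can also be checked statically when vetting an app's animation resources. The following is an added example, not code from the researchers or from Android. It assumes the `res/anim` files have already been decoded to text XML, and the `MIN_ALPHA` and `MAX_SCALE` values are assumptions, since the article gives no thresholds.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
MIN_ALPHA = 0.2   # assumed threshold; the article gives no value
MAX_SCALE = 2.0   # assumed threshold; the article gives no value

# Constructed sample resources, not taken from any real app.
SAMPLE_RISKY = """<set xmlns:android="http://schemas.android.com/apk/res/android">
  <alpha android:fromAlpha="0.0" android:toAlpha="0.05" android:duration="3000"/>
  <scale android:fromXScale="1.0" android:toXScale="6.0"
         android:fromYScale="1.0" android:toYScale="6.0" android:duration="3000"/>
</set>"""
SAMPLE_BENIGN = """<set xmlns:android="http://schemas.android.com/apk/res/android">
  <alpha android:fromAlpha="0.0" android:toAlpha="1.0" android:duration="300"/>
</set>"""


def _num(elem, name, default):
    """Read a float attribute; missing or unparsable values fall back to default."""
    try:
        return float(elem.get(ANDROID + name, default))
    except ValueError:
        return default


def audit_animation(xml_text):
    """Return a list of findings for one decoded res/anim XML document."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag == "alpha":
            # Simplification: assumes the interpolator stays between the two
            # endpoints, so the window is faint for the whole run only if
            # both ends are below the threshold.
            peak = max(_num(elem, "fromAlpha", 1.0), _num(elem, "toAlpha", 1.0))
            if peak < MIN_ALPHA:
                findings.append(f"alpha never exceeds {peak:g} (< {MIN_ALPHA:g})")
        elif elem.tag == "scale":
            peak = max(_num(elem, a, 1.0) for a in
                       ("fromXScale", "toXScale", "fromYScale", "toYScale"))
            if peak > MAX_SCALE:
                findings.append(f"scale reaches {peak:g}x (> {MAX_SCALE:g}x)")
    return findings
```

A finding is a prompt for manual review of where the animation is used, not proof of abuse; animations built in code rather than XML are outside what this check sees.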
Until Android implements these protections, users remain vulnerable to this sophisticated attack vector that undermines fundamental assumptions about mobile interface security.
This discovery underscores the dynamic nature of mobile security threats and the necessity for ongoing vigilance in safeguarding user privacy and device integrity.