Security researchers have uncovered a novel tapjacking attack dubbed TapTrap, which exploits Android’s activity-transition animations to manipulate user interactions covertly.
Discovered in mid-2025, this zero-permission attack bypasses all existing overlay-based defenses implemented by Google since Android 6.0, posing a significant risk to millions of devices and a vast majority of apps on the Play Store, even on the latest Android 16.
TapTrap: A Stealthy Animation Exploit
Unlike traditional tapjacking attacks that rely on malicious overlays, TapTrap manipulates Android’s own UI animations using APIs like overridePendingTransition() and ActivityOptions.makeCustomAnimation().
By setting extremely low opacity levels—near 0.01—for fade or zoom animations, a malicious app can launch a sensitive system screen, such as a permission dialog, render it nearly invisible, and trick users into approving it without their knowledge.
The user continues to see the benign app’s interface while their taps are redirected to the hidden activity.
The attack’s effectiveness is amplified by a flaw in Android’s animation system, where a bug in Animation.java extends the default three-second animation window to six seconds, giving attackers a longer timeframe to execute their deception.
Researchers demonstrated several dangerous payloads, including:
- Permission Bypass: Tricking users into granting access to camera or location data.
- Notification Hijacking: Silently enabling notification listener services with hidden taps.
- Device Erasure: Activating Device Administrator privileges to enable remote factory resets.
In user studies, all 20 participants failed to detect at least one variant of the attack, with 79% missing even obvious indicators like the camera activation dot, highlighting TapTrap’s stealth.
Widespread Vulnerability Across Android Ecosystem
A comprehensive analysis of 99,705 Play Store apps revealed a staggering attack surface.
Approximately 76.3% of these apps—over 76,000—are vulnerable to TapTrap due to externally launchable activities that run in the same task and fail to restrict custom animations or defer input handling during transitions. Key findings include:
| Vulnerability Metric | Count | Percentage |
|---|---|---|
| Apps with externally launchable activities | 99,278 | 99.7% |
| Apps running activities in same task | 98,478 | 98.9% |
| Apps overriding entry animations | 37,017 | 37.2% |
| Apps waiting for animation completion | 599 | 0.6% |
| Apps fully vulnerable to TapTrap | 76,035 | 76.3% |
While no evidence of active exploitation was found in the analyzed apps, the sheer number of vulnerable applications signals a potential goldmine for cybercriminals once proof-of-concept code becomes public.
Why Current Defenses Are Powerless
Android’s existing tapjacking defenses, such as FLAG_WINDOW_IS_OBSCURED, setFilterTouchesWhenObscured(), and system-level filters introduced up to Android 12, target overlay windows and specific permissions like SYSTEM_ALERT_WINDOW.
TapTrap, however, operates without overlays, exploiting animations instead, rendering these protections ineffective.
Even privacy indicators in the status bar fail to alert users to many of TapTrap’s actions, such as location access or Device Administrator elevation.
Google has acknowledged the vulnerability but has not yet provided a timeline for a system-wide patch.
As of June 2025, Android 15 remains vulnerable, though some browser vendors like Chrome and Firefox have implemented mitigations for web-based exploits following the researchers’ disclosure.
Protecting Against TapTrap: What Can Be Done?
Until a platform-level fix is rolled out, researchers and security experts suggest immediate steps for stakeholders to mitigate risks:
- For Developers: Override animations in sensitive activities with
overridePendingTransition(0,0), defer input handling until animations are complete, and validate touch events for partial obscuration. - For Security Teams: Scan apps for risky animations with low opacity or high zoom factors, and conduct dynamic testing to detect unintended permission grants during transitions.
- For Users: Disable system animations in Developer Options for a safer, albeit less smooth, experience, and remain vigilant for unexpected privacy indicators or app behavior.
TapTrap represents a critical blind spot in Android’s security architecture, turning a feature designed for aesthetic appeal into a weapon for stealthy attacks.
With billions of devices at risk, the urgency for a robust defense—potentially enforcing opacity thresholds or limiting touch events during low-visibility transitions—has never been greater.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
.webp?w=1200&resize=1200,0&ssl=1&description=Security researchers have uncovered a novel tapjacking attack dubbed TapTrap, which exploits Android's activity-transition animations.){kind=link}