Security researchers at TU Wien have identified a novel attack vector named TapTrap, which enables malicious Android applications to circumvent the operating system’s permission system and perform harmful actions without user consent. This vulnerability exploits Android’s activity transition animations and affects even the latest Android 15 release.
Understanding TapTrap
Traditional tapjacking attacks typically involve overlaying malicious windows over legitimate applications to deceive users into unintended actions. In contrast, TapTrap manipulates Android’s built-in activity transition animations to create a deceptive user interface. By launching a transparent activity over a legitimate permission dialog or sensitive interface, the attack captures users' input without their awareness.
The research team explained that TapTrap represents a fundamentally different approach to UI-based attacks. By exploiting animations rather than overlays, it bypasses existing Android security measures designed to prevent tapjacking. Notably, this attack does not require special permissions, allowing malicious apps to appear harmless during installation. Within a 3-6 second window—extended due to an Android implementation bug—attackers can trick users into granting sensitive permissions or performing critical actions.
Potential Consequences of TapTrap
The researchers demonstrated several alarming scenarios enabled by TapTrap:
– Permission Bypass: Malicious apps can secretly gain access to the camera, microphone, location, contacts, and other sensitive data without user awareness.
– Notification Interception: Attackers can access all device notifications, including two-factor authentication codes.
– Device Erasure: The attack can escalate to completely wiping a device by tricking users into granting device administrator privileges.
– Web Vulnerabilities: TapTrap extends beyond Android, enabling clickjacking attacks against popular browsers, including Chrome, Firefox, Edge, and Samsung Internet.
Scope of the Vulnerability
An analysis of 99,705 Android applications from the Google Play Store revealed that 76.3% are vulnerable to TapTrap attacks. Fortunately, the investigation found no evidence of active exploitation in the wild, suggesting this is a previously unknown threat vector.
To assess real-world impact, researchers conducted a user study with 20 participants. Alarmingly, every participant failed to detect at least one attack variant, even after being informed about potential security threats. Only 21% of uninformed users noticed security indicators when the camera was accessed covertly.
Disclosure and Mitigation Efforts
The researchers responsibly disclosed their findings to Google and affected browser vendors in October 2024. While Chrome version 135 and Firefox version 136 have implemented protections, Android 15 remains vulnerable as of June 2025. Google acknowledged the issue but has not provided a timeline for system-level fixes.
The vulnerability has been assigned two CVEs (CVE-2025-3067 for Chrome and CVE-2025-1939 for Firefox), with Chrome awarding the researchers a $10,000 bug bounty.
Currently, app developers can implement limited protections by preventing custom animations on sensitive activities or deferring input handling until animations complete. However, researchers emphasize that comprehensive system-level fixes are necessary to fully address the vulnerability.
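A sketch of the two developer-side protections mentioned above, written for this page as an added example and not taken from the researchers or any vendor. The package name, the class name SensitiveActivity and the layout resource are hypothetical. It assumes the platform calls onEnterAnimationComplete() for the launch, and that an override set by the activity itself is honored over an animation requested by the caller.

```java
package com.example.sensitive; // hypothetical package

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;

public class SensitiveActivity extends Activity {

    // False until the window's enter transition has finished.
    // Covers the initial launch of this activity.
    private boolean enterAnimationDone = false;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Protection 1: prevent custom animations on this activity.
        // overrideActivityTransition() exists from API 34; an animation
        // resource of 0 means "no animation". Whether this wins over a
        // caller-supplied animation is an assumption to verify on the
        // Android versions you support.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            overrideActivityTransition(OVERRIDE_TRANSITION_OPEN, 0, 0);
        }

        setContentView(R.layout.activity_sensitive); // hypothetical layout
    }

    // Called by the framework once the entering animation has completed.
    @Override
    public void onEnterAnimationComplete() {
        super.onEnterAnimationComplete();
        enterAnimationDone = true;
    }

    // Protection 2: defer input handling until the animation completes.
    // Touches that arrive while the window may still be animating
    // are consumed here and never reach buttons or other views.
    @Override
    public boolean dispatchTouchEvent(MotionEvent event) {
        if (!enterAnimationDone) {
            return true; // swallow the event
        }
        return super.dispatchTouchEvent(event);
    }
}
```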