TapTrap malware puts Android devices at risk
A newly discovered Android vulnerability known as TapTrap allows malicious apps to secretly gain access to sensitive data by taking advantage of how Android animates screen transitions. The attack tricks users into tapping invisible buttons, making it possible to approve permissions or even wipe the entire device without the user ever realizing it.
TapTrap represents a significant new form of UI-based attack that exploits Android's animation system to stealthily bypass security measures and poses serious risks to affected devices.
A new type of deception
Unlike traditional tapjacking attacks, which rely on overlaying malicious windows or UI elements over legitimate apps, TapTrap takes a different approach by exploiting animations in Android's activity transition system. Instead of overlays, TapTrap hides critical system prompts during screen transitions by using a transparent activity, making the prompts nearly invisible to the user.
This technique creates a visual mismatch, where the user believes they are interacting with a harmless app interface, but are actually engaging with a hidden permission request. The trick is incredibly subtle. For example, users might think they are playing a simple game, but behind the scenes they are unknowingly giving the app access to their camera, location or notifications.
How it works
The attack uses Android’s built-in animation system to make sensitive screens nearly invisible. A malicious app can display a permission request in a way that fades it into the background almost completely. Although the screen is still active and responds to touch, the user cannot see it.
In some cases, the app might even enlarge the invisible area to match the full screen, making it more likely that the user taps in the wrong place. During testing, researchers found that an error in the animation system allowed the invisible screen to stay active for up to six seconds. This gave attackers a wider window to carry out the trick.
TapTrap is part of a larger trend in which attackers exploit built-in features of Android. Similar techniques have been seen in threats like SuperCard-X, a malware strain that silently abuses NFC relay technology to steal funds from bank accounts.
A widespread problem
Researchers uncovered how common the issue is while studying nearly 100,000 apps from the Google Play Store: about 76 percent of them were found to be vulnerable to this type of attack. That means a large number of apps can be used as part of a TapTrap exploit, either directly or by launching a transparent activity that exploits Android's activity transition animations to execute tapjacking attacks.
The problem does not stop at Android system settings. TapTrap can also be used inside mobile browsers to bypass permission requests on websites. Tests showed that most major browsers were vulnerable, allowing attackers to show a sensitive system screen, such as a permission dialog, as an invisible prompt and enable things like location access or camera use without the user's knowledge.
Malicious apps on Google Play
The threat of malicious apps on Google Play is heightened by the discovery of the TapTrap attack, which could be abused by apps currently available on the platform. Security researchers have found that attackers can trick users into granting access to sensitive data or performing risky actions by exploiting a widespread vulnerability in how Android handles animations. By using custom animations and an invisible UI trick, malicious apps can bypass permissions and launch destructive actions without the user’s knowledge.
What makes this novel tapjacking technique especially dangerous is its ability to evade traditional defenses. Malicious apps can exploit the “same task” feature on Android devices to launch sensitive system screens – like permission dialogs or settings – while remaining nearly invisible to the user. This allows attackers to carry out fraudulent transactions or gain access to sensitive data, all while the user believes they are interacting with a harmless app.
An escalating risk across the Android ecosystem
The scale of the problem is significant: security researchers analyzed nearly 100,000 apps on Google Play and found that about 76% are vulnerable to TapTrap attacks. This widespread vulnerability means that a large number of apps could be used to trick users, either directly or by being manipulated by another malicious app. Even Android 16, which we previously covered for introducing new features, remains vulnerable to TapTrap. The attack highlights gaps in Android’s defenses, including accessibility settings and Google Play’s security policies, which may not be sufficient to detect or block such novel methods.
Users can attempt to protect themselves by adjusting developer options or disabling system animations, but these steps may not be enough to stop TapTrap attacks. While there have been no reports of active exploitation in the wild so far, researchers have demonstrated how easily attackers could use this technique to launch destructive actions or steal sensitive data. Browser vendors like Chrome have started to implement mitigations, but the vulnerability remains a concern for anyone using an Android device.
TapTrap joins a growing list of Android-based threats. Malware such as GodFather malware has also demonstrated the ability to manipulate app behavior, appearing harmless while stealing login credentials and accessing financial data.
Detecting malicious apps that use TapTrap is an ongoing challenge. Security researchers are developing new tools to identify and prevent these attacks, but the fast-changing nature of cyberspace means that users must remain vigilant. To reduce the risk of falling victim to TapTrap attacks and other cyber security incidents, users should stay informed about the latest Android vulnerabilities, be cautious when installing new apps, and follow updates from trusted sources like Google News and security editors. By taking proactive steps and keeping up with timely updates, users can better protect their devices and sensitive data from the evolving threats posed by malicious apps on Google Play.
Users don’t notice anything
In a user study, 20 participants interacted with apps that had TapTrap running in the background. None of them were able to detect the covert TapTrap attack or realized they were granting access to sensitive data. Even after being told that an attack might happen, only a few noticed any signs, such as the small camera or microphone icons that appear briefly on the screen.
This shows how powerful and invisible TapTrap is. It does not rely on any special permissions and cannot be stopped by most of the protections Android currently offers.
What Google says
Google has confirmed that the issue exists and plans to fix it in a future Android update. The TapTrap vulnerability affects the latest releases of Android, including Android 15 and Android 16. Privacy-focused operating systems like GrapheneOS have already added a fix to block these types of attacks.
A Google spokesperson said that Android is always working to improve protection against tapjacking and that developers must follow strict guidelines. Apps that break the rules will be removed from the Play Store.
How to protect yourself
Until a fix is rolled out across all Android versions, there are steps users and developers can take to reduce the risk.
For users:
- Go to your phone’s developer or accessibility settings and disable system animations
- Be cautious when installing apps, especially games from unknown developers
- Watch for unusual behavior, like apps suddenly asking for permissions you didn’t expect
For developers:
- Make sure permission requests are clearly visible and cannot be hidden by animations
- Delay interaction until any screen transitions are complete
- Check for signs that a screen might be partially hidden or misused by another app
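The three developer points above, applied to a sensitive confirmation screen, as an added Java example that is not from the article, from Google, or from the TapTrap researchers. It relies only on documented Android APIs: Activity.onEnterAnimationComplete() (API 21+) signals that the entering transition has finished, View.setFilterTouchesWhenObscured() and the MotionEvent obscured flags (FLAG_WINDOW_IS_PARTIALLY_OBSCURED needs compileSdk 29+) let the app reject touches delivered while another window covers it. The layout, view ids, the 500 ms grace period and the action performed are assumed placeholders.

```java
// Added example (not the article's or the researchers' code): a confirmation
// Activity that refuses input until its enter transition has completed and a
// short grace period has passed, and that drops touches Android flags as obscured.
import android.app.Activity;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.os.SystemClock;
import android.view.MotionEvent;
import android.widget.Button;

public class ConfirmDangerousActionActivity extends Activity {
    // Settle time after the enter animation reports completion (assumed value).
    private static final long GRACE_MS = 500;

    private Button confirmButton;
    private boolean enterAnimationDone = false;
    private long readyAt = Long.MAX_VALUE;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_confirm);   // hypothetical layout
        confirmButton = findViewById(R.id.confirm);  // hypothetical view id

        // Overlay-based tapjacking defence: the framework discards touches that
        // arrive while another window is drawn over this view.
        confirmButton.setFilterTouchesWhenObscured(true);

        // Stay non-interactive until the transition is known to be over.
        confirmButton.setEnabled(false);

        confirmButton.setOnClickListener(v -> {
            if (isSafeToAct()) {
                performDangerousAction();
            }
        });
    }

    // Framework callback: the activity's entering animation has completed.
    // Before this point the window may still be mid-transition (and hard to see).
    @Override
    public void onEnterAnimationComplete() {
        super.onEnterAnimationComplete();
        enterAnimationDone = true;
        readyAt = SystemClock.uptimeMillis() + GRACE_MS;
        new Handler(Looper.getMainLooper()).postDelayed(
                () -> confirmButton.setEnabled(true), GRACE_MS);
    }

    // Reject any touch that Android marks as fully or partially obscured, and any
    // touch that arrives before the screen is fully settled and visible.
    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        int flags = ev.getFlags();
        boolean obscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
             || (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || !isSafeToAct()) {
            // Swallow the event; a real app could also log it for detection.
            return true;
        }
        return super.dispatchTouchEvent(ev);
    }

    private boolean isSafeToAct() {
        return enterAnimationDone && SystemClock.uptimeMillis() >= readyAt;
    }

    private void performDangerousAction() {
        // App-specific sensitive operation (placeholder).
    }
}
```

The obscured-flag checks cover the classic overlay form of tapjacking, which the article notes TapTrap does not use; the transition gate in onEnterAnimationComplete() plus the grace period is the part that addresses input arriving while a screen is still animating in. Neither replaces the platform fix Google has announced.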
When trusted features become attack vectors
TapTrap reveals a deeper issue in Android’s design. A feature meant to create smooth and pleasing animations has become a tool for attackers, especially during sensitive activities such as camera access or other private operations. Because the attack uses normal system functions, it can slip past many of the security barriers that have been put in place over the years.
This discovery is a reminder that even trusted features can become dangerous if not carefully controlled. As a sophisticated threat, TapTrap highlights the urgent need for stronger, system-level protections to safeguard sensitive activities, especially as billions of users rely on Android devices every day.
Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.