Dangerous Android flaw unveiled: apps can make prompts invisible and gain sensitive permissions


The latest Android devices are vulnerable to a new method of “tapjacking,” which enables hackers to use screen animations to make security prompts invisible and trick users into granting dangerous permissions and unauthorized access.

A malicious Android app can escalate from zero permissions to full access without users noticing anything.

They may think they’re playing a game where they squash virtual bugs, but in reality, users will be pressing hidden Android system prompt buttons, granting hackers access to their location, camera, notifications, or sensitive user data.


Unlike previous tapjacking techniques, which used invisible overlays on top of legitimate apps, the new technique, dubbed TapTrap, tricks users into tapping buttons that become invisible during screen transitions.

Security researchers from the Vienna University of Technology (TU Wien) and the University of Bayreuth have demonstrated that malicious apps can abuse Android’s UI animations to bypass the permission system and even wipe the whole device without the user noticing or approving anything.

“Its impact extends beyond the Android ecosystem, enabling tapjacking and Web clickjacking,” the researchers warn in a paper.

How does the attack work?

This technique abuses Android’s activity transition animations. For example, a victim might install a seemingly harmless game that doesn’t request any permissions at install time. Behind the scenes, however, the malicious app can request a dangerous permission while overriding the transition animation with a custom one, so that the system permission prompt is on screen and receiving touches but temporarily invisible.

During this brief window, the app tricks the user into tapping the spot on the screen where the invisible “Allow” button sits, unknowingly approving the request.

All Android devices have animations enabled by default.

The researchers demonstrated an attack in a video clip.


This technique can be abused to circumvent runtime permissions and to attack other apps, web browsers, and websites. It can change settings and even wipe the entire device. Permissions granted to a website through the browser persist even after the user uninstalls the malicious app, because they are stored by the browser, not by the app.

None of the twenty people who participated in the user study noticed the attack in progress. All of them granted the malicious app permissions for location and camera, as well as device admin rights.

The researchers also analyzed nearly 100,000 apps on the Play Store and determined that roughly three-quarters are vulnerable to TapTrap.

That means that a malicious app could launch the vulnerable app, change the animations so that sensitive actions or buttons become invisible, and trick users into performing unwanted actions.
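The precondition for that second-stage attack is that another app can start one of the target app’s activities, which on Android means the activity is exported. The following audit script is an added example written for this article, not code from the TapTrap researchers or from Google; it lists the activities in an AndroidManifest.xml that other apps can launch. The sample manifest embedded in it is constructed for illustration, and the targetSdk threshold of 31 reflects the Android 12 rule that an activity with an intent filter must declare `android:exported` explicitly (before that, such activities defaulted to exported).

```python
"""List activities in an AndroidManifest.xml that another app can start.

Added example for this article (not the researchers' tooling). An activity is
reachable from a malicious app when it is exported; a permission attribute
narrows that to apps holding the permission, so it is reported alongside.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:* attribute, which ElementTree exposes by namespace URI."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def exported_activities(manifest_xml: str, target_sdk: int):
    """Return [{'name': ..., 'permission': ...}] for every launchable activity.

    Rules applied:
      * android:exported="true"  -> exported
      * android:exported="false" -> not exported
      * attribute absent         -> exported only if the activity has an
        <intent-filter> and targetSdk < 31 (pre-Android 12 default); from
        API 31 the build rejects the omission, so absent is treated as not
        exported.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for act in app.findall("activity") + app.findall("activity-alias"):
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        if exported is None:
            is_exported = has_filter and target_sdk < 31
        else:
            is_exported = exported.strip().lower() == "true"
        if is_exported:
            findings.append({"name": _attr(act, "name"),
                             "permission": _attr(act, "permission")})
    return findings


# Constructed sample manifest (not from any real app) exercising each rule.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bugsquash">
  <application android:label="BugSquash">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LegacyShare">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <activity android:name=".Internal" android:exported="false"/>
    <activity android:name=".AdminPanel" android:exported="true"
              android:permission="com.example.bugsquash.ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for sdk in (30, 33):
        print(f"targetSdk={sdk}")
        for f in exported_activities(SAMPLE_MANIFEST, sdk):
            guard = f" (requires {f['permission']})" if f["permission"] else ""
            print(f"  launchable: {f['name']}{guard}")
```

The launcher activity is always reachable, so every app with a home-screen icon has at least one entry; the useful output is the additional activities, especially ones that carry out sensitive actions without a guarding permission. Decompiled manifests from `apktool` or `aapt2 dump xmltree` can be fed in the same way once converted back to XML.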

“We also discovered an off-by-one bug in Android’s animation system, allowing animations to run up to six seconds instead of the intended three, effectively doubling the TapTrap attack window,” the researchers said.

Gintaras Radauskas, Vilius, Jurgita, Konstancija Gasaityte

While there are no documented attempts to exploit this technique in the wild, the public disclosure may quickly attract attackers.

Any Android user who hasn’t disabled system animations can be affected by such an attack.

“Android 16 remains vulnerable to TapTrap,” researchers warn. They also tested the technique on Android 15.


Until Android fixes the issue, the researchers recommend disabling system animations in the device’s accessibility settings (the “Remove animations” toggle). This prevents the attack, at the cost of all animations on the device.
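For a fleet of managed or test devices, the same mitigation can be applied and verified over `adb`. The script below is an added example for this article, not a tool from the researchers; it reads the three global animation scale settings (`window_animation_scale`, `transition_animation_scale`, `animator_duration_scale`), which is how the system stores the animation speed, treats an unset value (`null`) as the Android default of 1x, and reports whether animations are fully off. The `run` parameter exists so the logic can be exercised without a device; the fake outputs in `__main__` are constructed.

```python
"""Check (and optionally apply) the 'disable animations' mitigation via adb.

Added example for this article, not the researchers' code. Android keeps the
animation speed in three global settings; a value of 0 disables that class
of animation, and 'null' means the setting was never written (default 1x).
"""
import subprocess

SCALES = (
    "window_animation_scale",
    "transition_animation_scale",
    "animator_duration_scale",
)


def parse_scale(raw: str) -> float:
    """Turn `settings get global <key>` output into a float; unset means 1.0."""
    raw = raw.strip()
    if raw in ("", "null"):
        return 1.0
    return float(raw)


def _adb_run(cmd):
    """Default runner: execute an adb command and return its stdout."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def read_scales(run=_adb_run):
    """Return {setting: scale} for the three animation settings."""
    return {
        key: parse_scale(run(["adb", "shell", "settings", "get", "global", key]))
        for key in SCALES
    }


def animations_disabled(scales: dict) -> bool:
    """True only when every animation class is switched off (scale 0)."""
    return all(scales.get(key, 1.0) == 0.0 for key in SCALES)


def disable_commands():
    """The adb commands that set all three scales to 0."""
    return [["adb", "shell", "settings", "put", "global", key, "0"] for key in SCALES]


def apply_mitigation(run=_adb_run):
    """Set every scale to 0, then re-read and return the resulting state."""
    for cmd in disable_commands():
        run(cmd)
    return read_scales(run)


if __name__ == "__main__":
    # Constructed fake device: transitions unset (null), the others at stock 1.0.
    fake_store = {"window_animation_scale": "1.0", "animator_duration_scale": "1.0"}

    def fake_run(cmd):
        key = cmd[-1] if cmd[3] == "get" else cmd[-2]
        if cmd[3] == "put":
            fake_store[key] = cmd[-1]
            return ""
        return fake_store.get(key, "null")

    before = read_scales(fake_run)
    print("before:", before, "disabled:", animations_disabled(before))
    after = apply_mitigation(fake_run)
    print("after: ", after, "disabled:", animations_disabled(after))
```

Run against a real device by dropping the `fake_run` argument; `read_scales()` then reports whether the Accessibility toggle (or a previous `settings put`) is in effect, and `apply_mitigation()` enforces it. Re-enabling animations is the same three commands with `1.0` in place of `0`.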