TapTrap Android Exploit Allows Malicious Apps to Bypass Permissions

A new Android vulnerability called TapTrap that allows malicious apps to bypass the operating system’s permission system without requiring any special permissions themselves.

The attack exploits activity transition animations—a core feature of Android’s user interface—to trick users into unknowingly granting sensitive permissions or performing destructive actions.

Unlike traditional tapjacking attacks that rely on malicious overlays, TapTrap uses a fundamentally different approach by manipulating the animations that occur when switching between app activities.

The attack creates a mismatch between what users see on their screen and the app’s actual state, making it virtually undetectable during normal use.

The TapTrap attack is particularly concerning because it requires no permissions to execute, making malicious apps appear completely harmless to users.

Researchers from TU Wien analyzed 99,705 apps from the Google Play Store and found that 76.3% of them are vulnerable ...