What is TapTrap in simple words?
It’s an attack on Android where a malicious app uses an animation to lure you into tapping on the screen and performing unwanted actions without your consent.
TapTrap is a new attack on Android that lures you into performing actions you did not intend to do. This allows an app to silently access your camera or location, or even erase your entire device — all without your consent.
TapTrap is a new type of attack targeting Android devices. It allows an app without any permissions to misuse screen animations. This app can secretly open another screen, such as a permission prompt, and make it invisible. The attack can then be used to trick you into performing sensitive actions, such as granting camera permissions or even erasing your device, without your consent.
The idea is simple: imagine you’re using an app. While you use it, it opens another screen, such as a system prompt or simply another app. Normally, Android shows an animation when the screen changes, such as the new screen sliding or fading in. However, the app can tell the system that a custom animation should be used instead that is long-running and makes the new screen fully transparent, keeping it hidden from you. Any taps you make during this animation go to the hidden screen, not the visible app. The app can then use this to lure you into tapping on specific areas of the screen that correspond to sensitive actions on the hidden screen, allowing it to perform actions without your knowledge.
The video below shows TapTrap in action. In the example, the user plays a game that secretly opens the browser and tricks them into granting camera permissions to a malicious website. The hidden screen is semi-transparent for demonstration purposes.
TapTrap works even on the latest Android version, Android 16. We reported this issue to Google and major browser vendors in 2024. Browsers have fixed the issue as of July 2025, but Android itself remains vulnerable (see the disclosure timeline for details).
Android usually asks for permission before apps can access sensitive resources like your camera or location. TapTrap circumvents this by tricking you into approving these prompts, thereby granting access to your camera, microphone, location, notifications, and more.
TapTrap can trick you into enabling the "Device Administrator" permission, which allows an app to remotely wipe your entire device.
Even apps you’ve installed yourself can be targeted. TapTrap can open these apps and trigger sensitive actions in them on your behalf. In our analysis of nearly 100,000 Play Store apps, 76% are vulnerable to TapTrap.
TapTrap extends beyond apps to websites. It can hijack taps on websites to trigger actions, such as liking posts, or granting location or camera permissions to a site.
In a user study among 20 people, we evaluated how easy it is to spot TapTrap. Every participant failed to notice at least one variant of the attack. Do you want to see what the participants saw? Watch the video of our user study app.
As of June 2025, even the latest Android version is affected by TapTrap. Major browsers like Chrome, Edge, Brave, and Firefox have issued fixes, but Android itself has not yet addressed the core issue.
We assume that a malicious app is installed on the user’s device, for example, via an app market. The app does not require any permissions, making it appear harmless and unintrusive to the user. Notably, we do not assume the SYSTEM_ALERT_WINDOW permission, which prior work often relied on. However, we assume that animations are enabled on the device. By default, animations are enabled unless explicitly disabled through developer options or accessibility settings.
The attack begins when a malicious app launches a new activity using startActivity() or a related method. This new activity (let’s call it Activity B) can be part of another app or a system component (e.g., a permission dialog). The malicious app (with Activity A) specifies a custom animation using overridePendingTransition() or ActivityOptions.makeCustomAnimation() that controls how this transition appears to the user.
Note that custom transitions can only be applied to activity transitions that happen within the same task. If the target activity is in a different task, Android will use a system-defined slide animation instead and TapTrap will not work.
The key to TapTrap is using an animation that renders the target activity nearly invisible. This can be achieved by defining a custom animation with both the starting and ending opacity (alpha) set to a low value, such as 0.01. Optionally, a scale animation can be applied to zoom into a specific UI element (e.g., a permission button), making it occupy the full screen and increasing the chance the user will tap it.
While Activity A remains visible, Android places Activity B on top of the activity stack. Despite being transparent, Activity B receives all touch events, not Activity A. The malicious app places decoy UI elements (like a “Next” button) that align precisely with real interactive elements (like an “Allow” or “Activate” button) in Activity B. When the user taps what they think is a harmless button, they are actually interacting with the sensitive UI of Activity B.
Before the animation completes and Activity B becomes fully visible, the malicious app quickly relaunches itself (Activity A) to regain visibility and push B to the background. This prevents the user from seeing that anything abnormal occurred.
We analyzed 99,705 Android apps from the Play Store to understand how many are vulnerable to TapTrap. For an app to be vulnerable, it must include a screen (called an "activity") that:
We developed an automated analysis pipeline to investigate whether TapTrap is actively exploited in Android apps. Using a dataset of 99,705 Play Store apps, we extracted all animations that an app can use for TapTrap from these apps and then ran the animations in a controlled environment via Robolectric, which allowed us to analyze their behavior over time. We assigned each animation an opacity and a scale score ranging from 0 to 100 to identify those with characteristics exploitable by TapTrap, where 0 means it's unlikely that it can be exploited for TapTrap and 100 means it is very likely to be exploitable.
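As an added illustration of the scoring idea (this is not the paper's Robolectric pipeline, and the scoring formula is a simplified heuristic of our own), the following Python snippet statically parses Android animation XML resources, estimates how transparent and how zoomed the target activity stays during the transition, and flags resources scoring at or above a threshold. The sample animation resources are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace used by android:* attributes in animation resource XML.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def _attr(el, name, default):
    """Read a float android:* attribute, falling back to a default."""
    return float(el.get(ANDROID_NS + name, default))


def score_animation(xml_text):
    """Return (opacity_score, scale_score, duration_ms) for one animation.

    Heuristic (ours, not the paper's): opacity_score nears 100 when the
    target stays near-transparent for a tappable duration; scale_score
    nears 100 as the target is zoomed in by a factor of 10 or more.
    """
    root = ET.fromstring(xml_text)
    peak_alpha = 1.0  # fully opaque unless an <alpha> element lowers it
    peak_scale = 1.0  # no zoom unless a <scale> element enlarges it
    duration = 0.0
    for el in root.iter():  # covers a bare <alpha> as well as a <set>
        duration = max(duration, _attr(el, "duration", 0))
        if el.tag == "alpha":
            # Linear interpolation peaks at an endpoint: the activity is never
            # more visible than this during the transition.
            peak_alpha = min(peak_alpha, max(_attr(el, "fromAlpha", 1),
                                             _attr(el, "toAlpha", 1)))
        elif el.tag == "scale":
            peak_scale = max(peak_scale,
                             _attr(el, "fromXScale", 1), _attr(el, "toXScale", 1),
                             _attr(el, "fromYScale", 1), _attr(el, "toYScale", 1))
    tappable = min(1.0, duration / 1000.0)  # too short to tap into -> low score
    opacity_score = round(100 * (1 - peak_alpha) * tappable)
    scale_score = min(100, round(100 * (peak_scale - 1) / 9))
    return opacity_score, scale_score, int(duration)


def flag_taptrap_candidates(resources, threshold=50):
    """Names of resources whose opacity score meets the threshold."""
    return [n for n, xml in resources.items() if score_animation(xml)[0] >= threshold]


# Constructed samples: an ordinary fade-in and a near-invisible, zooming transition.
SAMPLE_ANIMS = {
    "fade_in": """<alpha xmlns:android="http://schemas.android.com/apk/res/android"
        android:fromAlpha="0.0" android:toAlpha="1.0" android:duration="300"/>""",
    "suspicious": """<set xmlns:android="http://schemas.android.com/apk/res/android">
        <alpha android:fromAlpha="0.01" android:toAlpha="0.01" android:duration="3000"/>
        <scale android:fromXScale="1.0" android:toXScale="10.0"
               android:fromYScale="1.0" android:toYScale="10.0" android:duration="3000"/>
    </set>""",
}
```

Running `flag_taptrap_candidates(SAMPLE_ANIMS)` flags only the second resource; a real triage would, as the paper does, execute the animation to capture interpolators and nested timing.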
The following figure illustrates the analysis pipeline:
Our analysis revealed 28 apps with a score of at least 50, but manual inspection confirmed none of them used these animations maliciously. We also discovered an off-by-one bug in Android’s animation system, allowing animations to run up to 6 seconds instead of the intended 3, effectively doubling the TapTrap attack window.
We provide the analysis pipeline and its results in our GitHub repository.
We conducted a user study with 20 participants to evaluate whether users can detect TapTrap during typical app interactions. Participants played KillTheBugs, a game we developed that embedded three TapTrap attack scenarios, each targeting a different permission: location, camera, and device admin. They played the game twice, once without any prior knowledge of the attack, and again after informing participants that an attack might occur.
After the first game session, two participants noticed minor glitches, such as a quick flash on the screen, and one mentioned needing to tap twice on a bug.
Four participants noticed a camera icon appearing during camera access.
In the second round, after being informed about a possible attack, 14 participants noticed the camera indicator. However, the location-based attack remained undetected by all participants, and only three noticed anomalies after silently granting device admin permissions.
These results show that without visible security indicators, users are unlikely to detect TapTrap. Even when indicators are present, they are often missed: in the camera-based attack, only four participants noticed the camera icon. While detection improved in the second round for the camera-based attack, attacks that don’t trigger any visible indicator went largely unnoticed.
The following video shows the full user study app that participants played.
We provide all materials used in the user study, such as the questionnaires and the information sheet, in our GitHub repository.
If you use an Android phone and haven’t disabled system animations, then yes, you’re likely affected. iPhone users are not affected.
It can silently get permission to use your camera, microphone or location, read your notifications, and even erase your phone. It can also attack other apps you have installed and websites in the browser.
Probably not. In a lab test, all 20 participants missed at least one attack, even after being told that there may be an attack happening. Do you want to see what the participants saw? Watch the video of our user study app.
We analyzed nearly 100,000 Play Store apps and found no signs of TapTrap being used in the wild.
Until Android fixes the underlying issue, you can disable system animations in your device’s accessibility settings. This prevents the attack but also disables animations on your device.
It is based on transition animations instead of overlays, so it doesn’t need special permissions and isn’t blocked by Android’s overlay protections.
We responsibly disclosed TapTrap to the Android Security Team and major browser vendors on October 31, 2024, and another issue that extends TapTrap's attack window on November 27, 2024. While browser vendors have since fixed the issue, Android has not yet addressed it. We note that we were recently made aware that the underlying issue was also independently and confidentially reported by @MG193_7 (ByteDance IES RedTeam) to the Android Security Team in early 2023, and that the report has not been publicly disclosed.
We provide proofs of concept, our analysis pipelines, and their results for future work to build upon.
GitHub repository
Archived artifacts
Please use the following BibTeX entry to cite our work:
@inproceedings{taptrap_beer,
  author    = {Philipp Beer and Marco Squarcina and Sebastian Roth and Martina Lindorfer},
  title     = {{TapTrap: Animation-Driven Tapjacking on Android}},
  booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
  year      = {2025},
  address   = {Seattle, WA},
  publisher = {USENIX Association},
  month     = aug
}
July 8, 2025
Android 16 remains vulnerable to TapTrap (not fixed)
July 7, 2025
GrapheneOS patches TapTrap (Release Notes)
Mar 5, 2025
Chrome 135 patches TapTrap (CVE-2025-3067)
Mar 4, 2025
Firefox 136 patches TapTrap (CVE-2025-1939)
Nov 27, 2024
We responsibly disclosed the extended animation-duration issue to the Android Security Team
Oct 31, 2024
We responsibly disclosed TapTrap to the Android Security team and major browser vendors
We are a group of researchers of the Security and Privacy Group at TU Wien and the University of Bayreuth, focusing on mobile and Web security. Our work on TapTrap is part of a broader effort to understand security risks in the mobile–Web ecosystem, funded by the WWTF.