Android Vulnerability Allows Hackers to Steal Permissions via “Tapjacking”


A new vulnerability in Android devices, dubbed “TapTrap,” is putting users at risk by enabling hackers to bypass security prompts and gain unauthorized access to sensitive data. The attack works by exploiting Android’s default screen animations, making certain security prompts invisible and tricking users into unknowingly granting dangerous permissions, such as access to location, camera, and notifications.

According to the researchers, the way this new tapjacking method works is sophisticated. When a user installs a seemingly harmless app, it may appear to function normally, requiring no permissions. However, in the background, the malicious app can request sensitive permissions. By manipulating the animation between screens, the prompt for these permissions becomes momentarily invisible, allowing the app to trick the user into tapping on the “allow” button without realizing it.

Security researchers from the University of Technology in Vienna and the University of Bayreuth demonstrated in a paper how this technique can lead to the full compromise of a device. By silently granting permissions to malicious apps, attackers can access sensitive data, alter system settings, or even wipe the device, all without the user’s awareness or approval. This attack is not only limited to mobile apps but can also extend to web applications and websites.

In their research, the team found that the vulnerability affects most Android devices, with nearly 75% of apps on the Google Play Store being susceptible to the TapTrap exploit. The researchers also identified a bug in Android’s animation system that extends the vulnerability’s window, allowing the invisible prompt to remain active for up to six seconds instead of the intended three, increasing the chances of successful exploitation.

While no widespread attacks using TapTrap have been reported, the discovery opens up new opportunities for cybercriminals to exploit this flaw. Android users are advised to disable system animations through the device’s accessibility settings as a temporary measure to protect against the attack, though this will also disable other animations on the device.
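An added audit script for the interim mitigation described above (not code from the article or the researchers): it reads the three global animation scale settings on an attached Android device over adb and reports whether they are all zero, which is the state the accessibility "Remove animations" toggle is assumed to produce. It assumes adb is installed and a single device with USB debugging enabled is attached.

```shell
#!/bin/sh
# Added example: check whether an Android device has system animations disabled,
# the temporary TapTrap mitigation the article recommends.
# Assumption: the accessibility "Remove animations" toggle zeroes the three global
# animation scale settings queried in audit_device.

# Returns 0 (true) only if every scale value given is "0" or "0.0".
# "null" means the setting was never written; Android then uses the default
# scale of 1.0, so animations are still on.
animations_disabled() {
    for v in "$@"; do
        case "$v" in
            0|0.0) ;;            # scale zeroed: this animation type is off
            *) return 1 ;;       # null, empty or any other scale: still animating
        esac
    done
    return 0
}

# Queries the three global animation scales via adb and prints a verdict.
# Returns 0 when all three are zero, 1 otherwise. Not run automatically here;
# call it from a shell with a device attached.
audit_device() {
    w=$(adb shell settings get global window_animation_scale | tr -d '\r')
    t=$(adb shell settings get global transition_animation_scale | tr -d '\r')
    a=$(adb shell settings get global animator_duration_scale | tr -d '\r')
    echo "window=$w transition=$t animator=$a"
    if animations_disabled "$w" "$t" "$a"; then
        echo "OK: system animations are disabled"
        return 0
    fi
    echo "WARN: system animations still enabled; TapTrap mitigation not applied"
    return 1
}
```

Run `audit_device` after enabling the accessibility toggle to confirm all three scales read 0; a "null" result on any of them means the device is still at the default scale.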

Researchers have warned that Android 16 is still vulnerable to TapTrap, and recommended that Google address the issue in upcoming updates. Until then, users should be cautious and ensure their system animations are disabled to prevent exploitation.