Our new Android attack, #TapTrap, is getting media coverage. Here's a quick explainer.

It's a new tapjacking technique that exploits Android's UI animations to hijack user taps without requiring any permissions. @beerphilipp will present it at #USENIX Sec'25.

🌐 https://taptrap.click

Unlike classic tapjacking, TapTrap uses Android's built-in activity transition animations to launch a transparent activity on top of the attacker's app. The user thinks they're tapping a harmless button, but the tap goes to a permission/system prompt, a browser, or a sensitive app without notice.

It works on Android 15 & 16, while @GrapheneOS has recently issued a fix. Major browsers such as Chrome and Firefox promptly patched after we disclosed the vulnerability. We also analyzed ~100K Play Store apps, finding that TapTrap is currently not being exploited in the wild.

This effort is the result of a collaboration with @beerphilipp, Sebastian Roth and @lindorferin. Kudos to Philipp for discovering the issue and doing the heavy lifting. And thanks to the Vienna Science and Technology Fund (WWTF) for making this research possible and supporting us ♥️

See you at #USENIX in Seattle next month!

TapTrap: Animation‑Driven Tapjacking on Android