TapTrap!
The Tap Trap: A previously undiscovered vulnerability allows fraudulent apps to take control of cellphones. Read all about what our research team has found out!

What you see on your smartphone screen isn’t always what you’re actually interacting with—and that’s a serious security concern. Philipp Beer, Martina Lindorfer, Marco Squarcina (all TU Wien Informatics), and Sebastian Roth (University of Bayreuth) have uncovered a novel attack technique targeting Android devices. The attack allows a seemingly benign app, without special permissions, to misuse Android’s screen animation system to trick users into performing sensitive actions without their consent. These actions can include granting camera permissions or even wiping the device, all without significant indication to the user.
Several apps can be active on a smartphone at the same time. Normally, one of them is visible in the foreground, and the user interacts with it when they tap the screen. “However, apps can also launch other apps and use animations such as slow fade-ins or slide-ins,” explains Philipp Beer from the Research Group Security and Privacy. “This is exactly what can be exploited.” A fraudulent app can launch another app without being noticed, but display it transparently. It is now in the foreground and can be controlled with a finger tap – but it remains invisible. “We tried this out by creating a simple game where you collect points by tapping little bugs on the screen,” says Philipp Beer. “But the game then opens another app, such as a browser. We can now place our bugs from the game wherever we want so that the exact position on the screen is tapped. You feel like you’re still playing the bug game, but you’re now operating the newly launched app that you can’t even see.”
Watch on YouTube: https://youtu.be/-xMA6DX7CB8
The research team had twenty test subjects try out the bug game, and they were indeed able to obtain various permissions unnoticed in this way, such as access to the smartphone’s camera. “Theoretically, you could also use this method to launch a banking app or delete all the data on your mobile phone,” says Beer. Fortunately, the researchers haven’t found evidence of the vulnerability being exploited in the wild: “We examined around 100,000 apps from the Play Store and didn’t find any that exploit this vulnerability,” says Philipp Beer. “We therefore hope that the vulnerability has not yet done any real damage – but the problem needs to be fixed.” Firefox and Google Chrome, which the research team has contacted, have already closed the loophole, as has GrapheneOS, an Android-based operating system designed specifically to maximize security. “As a general rule, you should never install apps that don’t appear to come from a trustworthy source,” says Philipp Beer. “When the camera or microphone is accessed, icons in the status bar often indicate this, so you should pay attention to these.” If you want to be on the safe side, you can turn off app animations altogether (in the settings under ‘Accessibility,’ ‘Colour and motion’).
The research that the team conducted is part of a broader effort to understand security risks in the mobile–Web ecosystem, the project “Fixing the Broken Bridge Between Mobile Apps and the Web”. The project, led by Martina Lindorfer and Marco Squarcina (both TU Wien Informatics), is funded by the Vienna Science and Technology Fund (WWTF) and is set to run until 2027. The vulnerability will also be presented at the USENIX Security Symposium 2025, one of the leading conferences in computer security.
Curious about TapTrap?
The research team that discovered the vulnerability provides all of its insights and more information about TapTrap here. To read the full paper, click here (it’s not a trap, promise).