This repository contains the artifacts of the paper "TapTrap: Animation-Driven Tapjacking on Android", to be presented at USENIX 2025.
Users interact with mobile devices under the assumption that the graphical user interface (GUI) accurately reflects their actions, a trust fundamental to the user experience. In this work, we present TapTrap, a novel attack that enables zero-permission apps to exploit UI animations to undermine this trust relationship. TapTrap can be used by a malicious app to stealthily bypass Android's permission system and gain access to sensitive data or execute destructive actions, such as wiping the device without user approval. Its impact extends beyond the Android ecosystem, enabling tapjacking and Web clickjacking. TapTrap is able to bypass existing tapjacking defenses, as those are targeted toward overlays. Our novel approach, instead, abuses activity transition animations and is effective even on Android 15. We analyzed 99,705 apps from the Play Store to assess whether TapTrap is actively exploited in the wild. Our analysis found no evidence of such exploitation. Additionally, we conducted a large-scale study on these apps and discovered that 76.3% of apps are vulnerable to TapTrap. Finally, we evaluated the real-world feasibility of TapTrap through a user study with 20 participants, showing that all of them failed to notice at least one attack variant. Our findings have resulted in two assigned CVEs.
The repository is organized as follows:
- dataset_preparation – Scraping and downloading apps, APK merging
- vulnerable_app_detection – Static detection of vulnerable apps
- malicious_app_detection – Static detection of malicious apps
- user_study – Materials and code for the user study
- poc – Proof-of-concept TapTrap implementation
- reproducibility – Scripts for reproducing the paper results
- paper_licenses – Licenses for third-party resources used in the paper
- assets – Logo and demonstration videos
To run a specific analysis pipeline, navigate to the corresponding folder (e.g., vulnerable_app_detection) and follow the steps in its README.md.
Note: We support Ubuntu 24.04 (x86) and macOS 15 (ARM and x86). While other Unix-based operating systems are expected to work out of the box, we do not guarantee it and adjustments may be necessary.
To reproduce the experiments and results reported in the paper, please refer to reproducibility/README.md and follow the instructions provided in the Artifact Appendix.
This video demonstrates TapTrap. In the example, the user plays a game that secretly opens the browser and tricks them into granting camera permissions to a malicious website. The hidden screen is semi-transparent for demonstration purposes.
Note: Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted app.
Note: Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox < 136.
To cite our work, please use the following BibTeX entry:
@inproceedings{taptrap_beer,
author = {Philipp Beer and Marco Squarcina and Sebastian Roth and Martina Lindorfer},
title = {{TapTrap: Animation-Driven Tapjacking on Android}},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
address = {Seattle, WA},
publisher = {USENIX Association},
month = aug
}

- Philipp Beer - philipp.beer@tuwien.ac.at
- Marco Squarcina - marco.squarcina@tuwien.ac.at
- Sebastian Roth - sebastian.roth@uni-bayreuth.de
- Martina Lindorfer - martina@seclab.wien
You can find more information on our website https://taptrap.click.
This repository is released under the MIT License. See LICENSE for details.
This project includes third-party software:
- APKEditor by REAndroid is licensed under the Apache License, Version 2.0.
- rs-google-play by the EFF is licensed under the MIT license.
- apkeep by the EFF is licensed under the MIT license.
The paper includes icons released, among others, under the GPL and MIT licenses.
