A new Android security exploit called TapTrap has been discovered, which uses nearly invisible system overlays to trick users into granting dangerous permissions. By leveraging UI animations, attackers can capture taps on sensitive elements like permission buttons, making the attack difficult to detect. Researchers found that 76% of Play Store apps could be vulnerable due to common design flaws.
The exploit works by launching transparent system prompts over regular app interfaces, creating a near-invisible layer that silently captures user interactions. This technique, which differs from earlier tapjacking attacks, takes advantage of how Android handles activity transitions between apps. A malicious app launches a system-level screen using the standard startActivity call but changes how that screen appears by supplying a custom transition animation. By setting both the start and end opacity of the animation to a very low value, such as 0.01, the launched activity becomes nearly invisible to the user. Touch input is still fully delivered to the transparent screen, even though the user only sees the visible app underneath. Attackers can also apply a scaling animation that enlarges a specific user interface element, such as a permission button, so that it fills the screen, increasing the chance that a user will unknowingly tap it.
To assess how widespread the vulnerability might be, the researchers tested nearly 100,000 apps from the Play Store. About 76% were found to be potentially vulnerable, not because they are malicious, but because they lack key safeguards. These apps had at least one screen that could be launched by another app, shared the same task stack, failed to override the default transition animation, and did not block user input during the transition. Android enables these animations by default. Users can only disable them through settings that are typically hidden, such as Developer Options or Accessibility menus. Even the latest Android version, tested on a Google Pixel 8a, remains unprotected against this exploit.
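The two developer-side safeguards named above, overriding the incoming transition animation and ignoring input while the transition plays, can be combined in a base Activity. The following is an added illustration, not code from the TapTrap researchers, Google or any app; the class name and the 500 ms grace period are assumptions for the example.

```kotlin
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.os.SystemClock
import android.view.MotionEvent

// Base class for screens that another app could launch. It (1) forces a neutral
// enter transition so a caller-supplied low-alpha or scaling animation is not
// applied to this screen, and (2) swallows touches that start during a short
// grace period after the window gains focus, so a tap that lands mid-transition
// is dropped rather than acted on. Screens that never need to be launched by
// other apps should additionally be marked android:exported="false".
abstract class TapTrapHardenedActivity : Activity() {

    // Assumed value for illustration; tune to the longest transition your app uses.
    private val touchGraceMs = 500L
    private var acceptTouchesAfter = Long.MAX_VALUE
    private var swallowGesture = false

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Replace whatever enter animation the launching app requested with none.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            overrideActivityTransition(OVERRIDE_TRANSITION_OPEN, 0, 0)
        } else {
            @Suppress("DEPRECATION")
            overridePendingTransition(0, 0)
        }
    }

    override fun onWindowFocusChanged(hasFocus: Boolean) {
        super.onWindowFocusChanged(hasFocus)
        // Start the grace period only once this window is actually on top and focused.
        acceptTouchesAfter =
            if (hasFocus) SystemClock.uptimeMillis() + touchGraceMs else Long.MAX_VALUE
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        // Decide per gesture: a DOWN inside the grace period marks the whole
        // gesture (MOVE/UP that follow) as swallowed so no view ever sees it.
        if (ev.actionMasked == MotionEvent.ACTION_DOWN) {
            swallowGesture = ev.eventTime < acceptTouchesAfter
        }
        if (swallowGesture) return true
        return super.dispatchTouchEvent(ev)
    }
}
```

Note that this hardens only the app's own activities; system permission prompts belong to the platform and can only be fixed by the Android update the article refers to.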
GrapheneOS, a security-focused operating system based on Android, confirmed that its current version is also affected. However, it plans to release a fix in its next update. Google has acknowledged the issue and said a future Android update will contain a mitigation. While no exact timeline has been announced, Google is expected to change how input and animations are handled to prevent invisible tap interception. The company added that developers must follow strict Play Store policies and that any app found abusing this vulnerability will face enforcement actions.
Researchers released a video showing how this technique could be used in a gaming app to quietly launch a Chrome browser permission prompt. The prompt asks for camera access, and the user taps ‘Allow’ without realizing what they have done. Because the malicious screen is transparent, there are no visual cues to suggest anything suspicious is happening. This highlights a broader issue in mobile security: the growing complexity of interfaces and the risks posed by seemingly harmless animations. The attack underscores the importance of user awareness and the need for more robust security measures in mobile operating systems.
Experts warn that this exploit demonstrates how security threats can arise not just from complex code or aggressive malware, but from small oversights in visual behavior. The danger lies in what users do not see—people trust what they can see on their screens, and this attack breaks that link by creating a visual mismatch between intent and outcome. As a result, users are advised to be cautious when granting permissions, especially to apps that request access to sensitive features like the camera or microphone. Additionally, it is recommended to stick to the Google Play Store and avoid installing apps from third-party sources to minimize the risk of encountering such vulnerabilities.