A new Android TapTrap exploit uses an undetectable user interface gimmick to trick users.

The most recent Android handsets are susceptible to a novel technique known as "tapjacking," which allows hackers to conceal security alerts with screen animations and deceive users into allowing risky permissions and unauthorized access.

Without consumers realizing, a rogue Android app can increase its permissions from 0 to full.

Users will actually be clicking secret Android system prompt buttons, giving hackers access to their location, camera, alerts, and private user information, even though they may believe they are playing a game where they are squelching fictional bugs.

The new technology, called TapTrap, fools users into touching buttons that go invisible during screen transitions, in contrast to earlier tapjacking methods that used invisible overlays on top of legal apps.

Malicious apps can use Android's user interface animations to get around the permission system and even delete the entire device without the user's knowledge or consent, according to security experts from the University of Bayreuth and the University of Technology in Vienna (TU Wien).

In a report, the researchers caution that "its impact goes outside the Android environment, enabling tapjacking and Web clickjacking."

How does the attack work?

The activity transition animations on Android are abused by this method. For instance, a victim may install a game that doesn't seem to need permissions. Behind the scenes, though, the malicious program may request risky permissions while replacing the user interface animations with a modified one, making the prompt momentarily invisible.

During this brief period, the application deceives the user into unintentionally approving the request by pressing the screen in the same location as an invisible "allow" button.

Animations are enabled by default on all Android devices.

The researchers used a video clip to illustrate an attack.

This method can be misused to attack websites, web browsers, programs, and runtime rights. It has the ability to wipe the entire device and alter settings. Even if the user removes the malicious application, web-based permissions will remain in place.

Twenty participants took part in the test, but none of them could see the attack happening. They all gave GPS, camera, and device admin access to malicious apps.

Additionally, researchers found that three-quarters of the approximately 100,000 apps on the Play Store are susceptible to TapTrap attacks.

This implies that a malicious software may start the app that is susceptible, alter the animations to make buttons or important actions invisible, and fool people into doing things they don't want to.

The researchers also found an off-by-one flaw in Android's animation system that doubles the TapTrap attack window by enabling animations to run for up to six seconds rather than the recommended three.

Although there haven't been any recorded efforts to use this method in the wild, the now-open Pandora's box might easily entice fresh attackers.

Such an attack can impact any Android user who hasn't turned off system animation.

Researchers caution that "Android 16 remains vulnerable to TapTrap." They also used Android 15 to test the method.

The researchers advise turning off system animations in the device's accessibility settings until Android resolves the problem. In addition to stopping the attack, this turns off the device's animations.