New Android TapTrap Attack Fools Users With Invisible UI Trick
An Anonymous Coward writes:
A novel tap-jacking technique can exploit user interface animations to bypass Android's permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device.
Unlike traditional, overlay-based tap-jacking, TapTrap attacks work even with zero-permission apps to launch a harmless transparent activity on top of a malicious one, a behavior that remains unmitigated in Android 15 and 16.
TapTrap was developed by a team of security researchers at TU Wien and the University of Bayreuth (Philipp Beer, Marco Squarcina, Sebastian Roth, Martina Lindorfer), and will be presented next month at the USENIX Security Symposium.
However, the team has already published a technical paper that outlines the attack and a website that summarizes most of the details.
How TapTrap worksTapTrap abuses the way Android handles activity transitions with custom animations to create a visual mismatch between what the user sees and what the device actually registers.
A malicious app installed on the target device launches a sensitive system screen (permission prompt, system setting, etc.) from another app using 'startActivity()' with a custom low-opacity animation.
"The key to TapTrap is using an animation that renders the target activity nearly invisible," the researchers say on a website that explains the attack.
"This can be achieved by defining a custom animation with both the starting and ending opacity (alpha) set to a low value, such as 0.01," thus making the malicious or risky activity almost completely transparent.
"Optionally, a scale animation can be applied to zoom into a specific UI element (e.g., a permission button), making it occupy the full screen and increasing the chance the user will tap it."
Although the launched prompt receives all touch events, all the user sees is the underlying app that displays its own UI elements, as on top of it is the transparent screen the user actually engages with.
Thinking they interact with the benign app, a user may tap on specific screen positions that correspond to risky actions, such as an "Allow" or "Authorize" buttons on nearly invisible prompts.
Read more of this story at SoylentNews.