A recently discovered Android technique called TapTrap can quietly intercept user taps without needing any special permissions. The method uses transparent screen transitions to mislead users, causing them to trigger hidden actions without realizing it. Devices running Android 15 and 16 remain exposed to this problem.
How It Works
TapTrap doesn't rely on overlays or pop-ups. Instead, it plays a trick using built-in animation features. A malicious app loads a nearly transparent screen right on top of another app. To the user, it looks like they’re interacting with one app, but their tap is actually being registered by another screen hidden above it.
This is done through a transition that fades the real activity almost entirely. Developers can make the hidden screen so transparent that users can’t tell it's even there. Sometimes, the tap area is stretched to fill the screen, which increases the chances of catching a tap on a critical button.
The result is that a tap on what looks like a harmless app might end up approving something risky in the background, like giving access to the camera or changing settings.
Scope of the Problem
A research team tested about 100,000 Android apps to see how many were open to this trick. Around 76 percent of them had at least one screen that could be used with TapTrap. These vulnerable screens are easy targets if they respond to other apps, don’t wait for animations to finish, or use default transition settings.
The problem isn’t just theoretical. The researchers got the attack running on a Google Pixel 8a using Android 16. Since animations are turned on by default, most devices are at risk unless users go out of their way to turn them off in system settings.
A video shared by the researchers shows how a basic game can trigger hidden prompts, which appear to grant camera access through the Chrome browser. The whole process is silent, and the user never sees what really happened.
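As an added example (not from the researchers or the original article), the first condition named in this section, a screen that responds to other apps, can be triaged from a text-form AndroidManifest.xml. The manifest below is constructed and its package and activity names are hypothetical; the other two conditions need a review of the activity code itself.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest; package and activity names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".ConfirmPaymentActivity" android:exported="true"/>
    <activity android:name=".LegacyShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.demo.ADMIN"/>
  </application>
</manifest>
"""

def _attr(el, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def externally_launchable(manifest_xml):
    """Return [(activity, reason)] for activities other apps can start."""
    app = ET.fromstring(manifest_xml.strip()).find("application")
    findings = []
    if app is None:
        return findings
    for el in list(app.iter("activity")) + list(app.iter("activity-alias")):
        exported = _attr(el, "exported")
        if exported == "true":
            reason = "exported=true"
        elif exported is None and el.find("intent-filter") is not None:
            # Implicitly exported when the app targets below Android 12 (API 31).
            reason = "intent-filter present, exported not set"
        else:
            continue
        # A component permission (or the application-wide default) limits callers.
        perm = _attr(el, "permission") or _attr(app, "permission")
        if perm:
            reason += " (guarded by %s)" % perm
        findings.append((_attr(el, "name"), reason))
    return findings
```

Each activity it lists is a candidate for the remaining two checks: whether the screen reacts to input before its enter animation has finished, and whether it keeps the default transition.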
Industry Response
Google (as per BleepingComputer) confirmed that the issue exists and said a fix will arrive in a future software update. For now, it advises developers to follow platform rules and encourages users to be cautious. The company hasn’t given a specific timeline for the patch.
Meanwhile, GrapheneOS, a security-focused Android variant, has verified that TapTrap works on Android 16. Its next version will include a fix to block the exploit.
What Users Can Do
Until an official fix rolls out, users who want to stay safe can disable animations in developer options or accessibility settings. This reduces the chance of being caught by the visual misdirection TapTrap uses. While it may make the phone feel less fluid, it adds a layer of protection.
The research will be presented publicly next month at a major security conference. The attack’s technical details are already available through a demonstration website run by the researchers.
Notes: This post was edited/created using GenAI tools. Image: DIW-Aigen.