TapTrap: Animation‑Driven Tapjacking on Android

TapTrap is a new attack on Android that lures you into performing actions you did not intend. It lets an app silently access your camera or location, or even erase your entire device, all without your consent.
The idea is simple: imagine you’re using an app. While you use it, it opens another screen, such as a system prompt or simply another app. Normally, Android shows an animation when the screen changes, such as the new screen sliding or fading in. However, the app can tell the system to use a custom animation instead, one that is long-running and makes the new screen fully transparent, keeping it hidden from you. Any taps you make during this animation go to the hidden screen, not the visible app. The app can then use this to lure you into tapping on specific areas of the screen that correspond to sensitive actions on the hidden screen, so those actions are performed without your knowledge.
TapTrap works even on the latest Android version, Android 15. We reported this issue to Google and major browser vendors in 2024. Browsers have fixed the issue as of June 2025, but Android itself remains vulnerable.
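For app reviewers, the two properties described above (a transition that stays fully transparent and runs for a long time) can be checked statically in an app's animation resources. The following is an added example, not code from the TapTrap authors or from Android; it assumes the resources are available as plain-text XML (source or decoded), and the thresholds, function names and sample resources are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed audit thresholds (not from the page); tune them for your own review.
MAX_ALPHA = 0.1          # at or below this the incoming screen is effectively invisible
MIN_DURATION_MS = 1000   # ordinary screen transitions finish well under a second

def _num(elem, name, default):
    try:
        return float(elem.get(ANDROID + name))
    except (TypeError, ValueError):
        return default   # missing, or a resource reference this sketch does not resolve

def audit_animation(xml_text):
    """Return one finding per <alpha> that stays near-transparent for a long time."""
    findings = []

    def walk(elem, pushed_ms):
        # A duration set on a <set> is pushed down to its children and overrides theirs.
        own_ms = _num(elem, "duration", None)
        duration = pushed_ms if pushed_ms is not None else own_ms
        if elem.tag == "alpha":
            start = _num(elem, "fromAlpha", 1.0)   # Android defaults both ends to 1.0
            end = _num(elem, "toAlpha", 1.0)
            if max(start, end) <= MAX_ALPHA and (duration or 0) >= MIN_DURATION_MS:
                findings.append({"from": start, "to": end, "duration_ms": int(duration)})
        for child in elem:
            walk(child, duration if elem.tag == "set" else None)

    walk(ET.fromstring(xml_text), None)
    return findings

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample resources, not taken from any real app.
ORDINARY_FADE_IN = f'<alpha {NS} android:fromAlpha="0.0" android:toAlpha="1.0" android:duration="300"/>'
STAYS_HIDDEN = f'''<set {NS} android:duration="5000">
  <alpha android:fromAlpha="0.0" android:toAlpha="0.0" android:duration="200"/>
</set>'''

if __name__ == "__main__":
    for name, xml in (("ordinary_fade_in", ORDINARY_FADE_IN), ("stays_hidden", STAYS_HIDDEN)):
        print(name, audit_animation(xml) or "ok")
```

A finding is a prompt for manual review rather than proof of abuse, and an empty result does not rule out animations built in code instead of XML.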

Also: GrapheneOS: "After our Android 16 port was completed yesterday…" - GrapheneOS Mastodon