Bibliographic details
Beer, Philipp; Squarcina, Marco; Roth, Sebastian; Lindorfer, Martina:
TapTrap: Animation-Driven Tapjacking on Android.
2025
Event: 34th USENIX Security Symposium, August 13–15, 2025, Seattle, WA, USA.
(Conference contribution: congress/conference/symposium/meeting, Paper)
Further URLs
Abstract
Users interact with mobile devices under the assumption that the graphical user interface (GUI) accurately reflects their actions, a trust fundamental to the user experience. In this work, we present TapTrap, a novel attack that enables zero-permission apps to exploit UI animations to undermine this trust relationship. TapTrap can be used by a malicious app to stealthily bypass Android’s permission system and gain access to sensitive data or execute destructive actions, such as wiping the device without user approval. Its impact extends beyond the Android ecosystem, enabling tapjacking and Web clickjacking. TapTrap is able to bypass existing tapjacking defenses, as those are targeted toward overlays. Our novel approach, instead, abuses activity transition animations and is effective even on Android 15. We analyzed 99,705 apps from the Play Store to assess whether TapTrap is actively exploited in the wild. Our analysis found no evidence of such exploitation. Additionally, we conducted a large-scale study on these apps and discovered that 76.3% of apps are vulnerable to TapTrap. Finally, we evaluated the real-world feasibility of TapTrap through a user study with 20 participants, showing that all of them failed to notice at least one attack variant. Our findings have resulted in two assigned CVEs.
Further details
Publication type: | Conference contribution (Paper) |
---|---|
Peer-reviewed contribution: | Yes |
Keywords: | Android; Tapjacking; Clickjacking; Animation |
Institutions of the university: | Faculties > Faculty of Mathematics, Physics and Computer Science > Institute of Computer Science > Junior Professorship Cybersecurity > Junior Professorship Cybersecurity - Juniorprof. Dr.-Ing. Sebastian Roth |
Title produced at UBT: | Yes |
DDC subject areas: | 000 Computer science, information and general works > 004 Data processing, computer science; 600 Technology (applied sciences) > 600 Technology |
Deposited on: | 29 Jul 2025 08:58 |
Last modified: | 29 Jul 2025 08:58 |
URI: | https://eref.uni-bayreuth.de/id/eprint/94368 |