TapTrap: almost invisible attack without permissions targets Android devices

TechExpert

Google releases security updates for its Android operating system regularly, but it is not uncommon for novel vulnerabilities to affect even the most recent versions of Android. It seems unlikely that this is changing with the merging of ChromeOS and Android, which Google announced just recently.

Security researchers have demonstrated a new attack on Android. TapTrap is an animation-driven tapjacking attack on Android that requires no special permissions and is more or less invisible to the human eye.

Put simple, the attack abuses Android's custom animation system. Usually, when something is opened on Android, say an app, a permission prompt, or a system feature, an animation plays that shows it to the user. Apps can change the default animations that Android uses for that to custom animations.

The security researchers created animations that are transparent and have a long-running time. Means, you as the Android user in question do not realize that another screen has been opened. When you now tap on the screen, you interact with the transparent app or prompt that just opened. It can be anything, for instance requests for new permissions or a banking app.

A malicious app could "silently get permission to use your camera, microphone or location, read your notifications, and even erase your phone" according to the researchers. It can furthermore "attack other apps" that are installed on the device and websites in the browser, provided that the browser has not been patched yet.

A demo video shows how an attacker could exploit this. In this particular example, the app requested camera access, which the victim gave it, without ever seeing  a permission prompt for it.

The scope of the issue

A scan of 100,000 Play Store apps confirmed that 76 percent of them are vulnerable to the TapTrap attack, claim the researchers. Some popular apps, including the browsers Chrome, Edge, Firefox, and Brave, have fixed the issue on their end. Android itself remains vulnerable, however, as the core issue has not been addressed. GrapheneOS has also patched the issue.

The developers note that Android users may disable system animations to protect their Android devices against this type of attack. While that prevents the described attack, it will disable animations, which can impact accessibility.  It is also a good precaution to monitor camera and microphone access on the device, and to avoid installing apps from untrusted locations.

Good news is that the researchers are not aware of exploits in the wild, but this could change, now that the issue has been disclosed publicly.

Thank you for being a ComTek4u TechTips reader. The post TapTrap: almost invisible attack without permissions targets Android devices appears on ComTek4u TechTips. (via Ghacks)