As if there weren’t enough threats to your smartphone already, from SMS attackers who don’t need to know your phone number, malware that can steal all your photos, and one that can turn your contacts into unknowing hackers, a new kid has arrived on the Android attack block. Not that you would see it, as it’s invisible. Well, kind of. Welcome to the strange and dangerous world of tapjacking, the threat you can’t see but that can erase your smartphone.
Tapjacking — The Invisible Threat To Your Smartphone
Imagine there was a new attack methodology that could enable a threat actor to manipulate an app into accessing your camera without your consent. Now imagine that same attack could erase your entire smartphone. Worried yet?
That’s precisely what Philipp Beer, Marco Squarcina and Martina Lindorfer, researchers from the Security and Privacy Group at TU Wien Informatics in Austria, and Sebastian Roth from the University of Bayreuth in Germany, have revealed with their research into Tapjacking.
In developing TapTrap, the researchers have demonstrated how an app without any permissions at all can abuse screen animations to open another screen without the user knowing, turn it invisible, and get them to unknowingly click on a permission prompt. This method of executing a transparent action with an invisible malicious one underneath is new and dangerous.
Whereas, ordinarily, when the screen changes in Android, you would expect to see an animation, maybe a sliding or fading effect at one screen changes to another, a TapTrap attack can make the new screen “fully transparent, keeping it hidden from you,” the researcher said. “Any taps you make during this animation go to the hidden screen,” they continued, “not the visible app.”
In case you need any further illustration of how dangerous this can be, the app could then get you to tap areas of the screen that “correspond to sensitive actions on the hidden screen,” the researchers explained, “allowing it to perform actions without your knowledge.” Actions like, for example, enabling the device administrator permission, which can let an app remotely wipe your phone.
Mitigating The TapTrap Invisible Threat To Your Phone
The researchers have stated that they responsibly disclosed the TapTrap invisible threat to the Android Security Team, along with major browser vendors, twice in 2024. “While browser vendors have since fixed the issue,” they said, “Android has not yet addressed it.” I have contacted Google for a statement. In the meantime, Android users are advised to disable system animations in the device accessibility settings until such a time as Google fixes the issue. “This prevents the attack,” the researchers concluded, “but also disables animations on your device.”
Read the full article here
