Android application showcasing different attacks using TapTrap.
TapTrap is a tapjacking attack targeting Android devices. The attack uses animations to secretly open another screen, such as a permission prompt, and render it invisible. This can be used to trick a user into performing sensitive actions, such as granting permissions, without their consent.
This repository contains an Android app that showcases four different attack scenarios using TapTrap. For more information, consult the sections below.
The user believes he is interacting with a normal dialog. In reality, without noticing, the user ends up granting the camera permission.
You can read more about this type of attack and watch a demo video.
The user believes he is enabling the Notification Listener Service in the settings of the app. In reality, the Notification Listener Service is being enabled in the system settings, concealed from the user through a custom animation.
You can read more about this type of attack and watch a demo video.
The user believes he is playing a simple game where he has to tap the correct button.
In reality, without noticing, the user ends up granting geolocation permission to a web page loaded inside a hidden CustomTab.
The CustomTab is concealed from the user through a custom animation.
You can read more about this type of attack and watch a demo video.
The user believes he is interacting with a normal Android app. In reality, he is interacting with an embedded web page.
Using CustomTabs combined with custom animations, the web page is visually hidden from the user, enabling a clickjacking attack.
You can read more about this type of attack and watch a demo video.
This repository is released under the MIT License. See LICENSE for details.
This project is based on the original TapTrap paper.