Users interact with mobile devices under the assumption that the graphical user interface (GUI) accurately reflects their actions, a trust fundamental to the user experience. In this work, we present TapTrap, a novel attack that enables zero-permission apps to exploit UI animations to undermine this trust relationship. TapTrap can be used by a malicious app to stealthily bypass Android's permission system and gain access to sensitive data or execute destructive actions, such as wiping the device without user approval. Its impact extends beyond the Android ecosystem, enabling tapjacking and Web clickjacking. TapTrap is able to bypass existing tapjacking defenses, as those are targeted toward overlays. Our novel approach, instead, abuses activity transition animations and is effective even on Android 15. We analyzed 99,705 apps from the Play Store to assess whether TapTrap is actively exploited in the wild. Our analysis found no evidence of such exploitation. Additionally, we conducted a large-scale study on these apps and discovered that 76.3% of apps are vulnerable to TapTrap. Finally, we evaluated the real-world feasibility of TapTrap through a user study with 20 participants, showing that all of them failed to notice at least one attack variant. Our findings have resulted in two assigned CVEs.

In-app browsers (IABs) are heavily used components in mobile applications that allow app developers to display web content in native applications. Apart from simply rendering web content, such components provide the application with capabilities like the injection of JavaScript code and access to the website's cookies. While these features are useful for developers, they also allow potentially unwanted applications (PUAs) to perform malicious activities on benign websites, such as session hijacking using JavaScript injection. This thesis presents a novel approach to analyzing app-to-web interactions in Android WebView, the main built-in IAB component in Android. We use a combination of static and dynamic analysis techniques to first build a blueprint of an application and then dynamically drive the execution of the application to calls where IABs are launched. Our controlled environment allows us to record the interactions between the app and the web content, effectively minimizing false positives. We implement our approach as a prototype called IABInspect and apply it to 1,000 popular Android applications. In total, we are able to dynamically trigger 508 IAB launch calls in 196 applications and find an injection of JavaScript code in 50 applications. Our results show that the use of WebViews is ubiquitous in Android applications and that the injection of JavaScript code is a common practice, underscoring the need for further research in this area.