https://foxnews.com/tech/new-android-attack-tricks-you-giving-dangerous-permissions
GrapheneOS, a security-focused operating system based on Android, confirmed that its current version is also affected. However, it plans to release a fix in its next update.
No, we said that on July 7 and then shipped https://grapheneos.org/releases#2025070700 fixing it.
They likely found https://x.com/GrapheneOS/status/1942235186923499549 but didn't realize our next release was shipped later that day. The TapTrap site from the researchers at https://taptrap.click/ documents that we fixed it. Our fix works well and many users tried the proof of concept app to confirm it.
Android 16 was released June 10 and we'd already done our final Android 15 QPR2 releases with backports of Android 16 drivers/firmware when we were informed about TapTrap near the end of June. Once our port to 16 was near Stable, one of our devs spent a few hours fixing TapTrap.
The researchers reported it to Android on October 31, 2024 and Android still hasn't fixed it. We fixed the vulnerability by only allowing third party apps to use custom activity animations for their own activities. It's likely Android doesn't want to remove part of the feature.