Android devices are vulnerable to a new attack that can secretly steal 2FA codes, location timelines, and other personal data in less than 30 seconds.
The new attack, dubbed Pixnapping by a team of academic researchers, requires the victim to first install a malicious app on an Android phone or tablet. The application, which does not require system permissions, can then effectively read the data that any other installed application displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone, and can likely be modified to work on other models with more work. Google published mitigations last month, but researchers said a modified version of the attack works even if the update is installed.
How to take a screenshot
Pixnapping attacks begin with a malicious app calling Android APIs that force the authenticator or other targeted apps to send sensitive information to the device's screen. The malicious app then performs graphical operations on individual pixels of interest to the attacker. Pixnapping then uses a side channel that allows the malicious app to map the pixels at these coordinates to letters, numbers, or shapes.
“Everything visible when the target app is opened can be stolen by a malicious app using Pixnapping,” the researchers wrote on an informational site. “Chat messages, 2FA codes, email messages, etc. are vulnerable because they are visible. If an app has sensitive information that is not visible (for example, it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.”
The new attack class resembles GPU.zip, a 2023 attack that allowed malicious websites to read usernames, passwords, and other sensitive visual data displayed by other websites. It worked by taking advantage of side channels found in GPUs from all major vendors. The vulnerabilities that GPU.zip exploited were never patched. Instead, the attack was blocked in browsers by limiting their ability to open an iframe, an HTML element that allows one website (in the case of GPU.zip, a malicious one) to embed content from another domain.