
What is “Pixnapping Attack”? How to be Safe & Avoid It?

Pixnapping Phishing Attack

Android users, beware: a newly disclosed vulnerability, dubbed “Pixnapping” by the researchers who devised it, allows attackers to covertly steal sensitive data, including crucial two-factor authentication (2FA) codes and private messages, from your device. What makes this attack particularly concerning is its speed and stealth—it can pilfer your private data in less than 30 seconds, and the malicious app required to execute it needs no system permissions to operate.

Understanding the Pixnapping Threat

Pixnapping is a new class of side-channel attack that targets Android phones and tablets. It works by effectively reading any data that another installed app displays on the screen. The technique has been successfully demonstrated on devices like Google Pixel phones and the Samsung Galaxy S25, and researchers believe it could be modified to work on other models.

The critical element of the attack is that anything the victim app makes visible can be stolen by the malicious app. This includes highly sensitive information like chat messages, email content, and, most critically, time-sensitive 2FA codes. However, information that is stored by an app but is never displayed on the screen (such as a secret key) cannot be stolen using Pixnapping.

How Does This “Pixel Stealing” Work?

The Pixnapping attack is reminiscent of the 2023 GPU.zip vulnerability, as it targets the same side channel by exploiting the precise amount of time it takes for a visual frame to be rendered on the screen. Alan Linghao Wang, the lead author of the research, explained that the attack allows a malicious app to steal information displayed by other apps or websites, “pixel by pixel”. Conceptually, the malicious app is “taking a screenshot of screen contents it should not have access to”.

The process is carried out in three main steps:

  1. Invoking the Target: The malicious app uses Android programming interfaces (APIs) to force the targeted app (like an authenticator app or a messaging service) to display sensitive information, which sends that data to the Android rendering pipeline.
  2. Graphical Operations: The attacker then performs specific graphical operations on individual pixels at targeted coordinates. This step involves checking whether the color of a specific pixel is ‘c’ (for an arbitrary color) or non-‘c’. This is done by opening malicious windows in front of the victim app to cause a side channel to leak based on the pixel’s color.
  3. Measuring the Time: By measuring the rendering time required for these operations at each coordinate, the malicious app monitors the side effects to infer the color of the pixel. If the target pixel is non-white, the rendering time is longer, and if it is white, the time is short. By combining these timing measurements, the attack can rebuild the visual image—like a 6-digit 2FA code—one pixel at a time.

Due to the 30-second window in which 2FA codes are valid, the speed of this attack is essential. The researchers successfully recovered the full 6-digit 2FA code from Google Authenticator on various Pixel phones in times ranging from 14.3 to 25.8 seconds.

How to Be Safe & Avoid It

The existence of Pixnapping demonstrates limitations in Google’s security guarantees regarding the isolation of data between different installed applications. Since the core requirement for the attack is the installation of a malicious, permission-free app, avoiding suspicious software is the primary defense.

Regarding official mitigation:

  • Patches Issued: Google issued a patch for the vulnerability (CVE-2025-48561) in the September Android security bulletin, which partially mitigates the behavior. However, the researchers noted that a modified version of the attack still works even with this update installed.
  • Further Fixes: Google plans to issue an additional patch in the December Android security bulletin to further address the vulnerability.

While the complexity of implementing such attacks in real-world scenarios might be significant, users should keep their operating system updated with the latest Android security updates, specifically looking out for the December patch.

Google was notified of a workaround that still triggers the CVE-2025-48561 vulnerability despite the recent security patch. Neither Google nor the team has disclosed that workaround, since the current security update doesn’t fix it.

Google has since noted that it will issue an additional patch for the vulnerability in the upcoming December security update. It also stated that there have been no known instances of “in-the-wild” occurrences.
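To check where a device stands on the patch timeline described above, the following added example (not from the article, Google, or the researchers) classifies Android security patch levels as unpatched, partially mitigated, or at the December level. It assumes the bulletins are from 2025 (inferred from the CVE ID), compares by month only, and treats the December level as carrying the planned additional fix; the device names are constructed.

```shell
#!/bin/sh
# Added example, not from the article or the researchers.
# Input is the value Android reports as its security patch level, e.g. from
#   adb shell getprop ro.build.version.security_patch
# ASSUMPTIONS: bulletin year 2025 (inferred from the CVE id) and
# month-level comparison of the patch level.
PARTIAL_FIX=202509   # September bulletin: partial mitigation
FURTHER_FIX=202512   # December bulletin: planned additional patch

# Print invalid | unpatched | partial | december-or-later for one patch level.
pixnapping_status() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    month=${1%-*}                      # 2025-09-05 -> 2025-09
    ym=${month%-*}${month#*-}          # 2025-09    -> 202509
    if [ "$ym" -ge "$FURTHER_FIX" ]; then
        echo december-or-later
    elif [ "$ym" -ge "$PARTIAL_FIX" ]; then
        echo partial
    else
        echo unpatched
    fi
}

# Read "device patch-level" lines on stdin, append the status to each.
audit_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        printf '%s %s %s\n' "$device" "${level:-missing}" "$(pixnapping_status "$level")"
    done
}

# Count devices that are not yet at the December level.
needs_attention() {
    audit_inventory | grep -c -v ' december-or-later$' || true
}

# Constructed sample inventory (device names and levels are made up).
SAMPLE_INVENTORY='device-a 2025-08-05
device-b 2025-09-01
device-c 2025-12-05
device-d unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

A "partial" result means the September mitigation is present but the device is still waiting on the additional patch; "invalid" flags entries whose patch level could not be read and should be checked by hand.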

Key Takeaways

  • Pixnapping is a new side-channel attack targeting Android devices, allowing the stealthy theft of sensitive data.
  • The attack exploits the time it takes to render pixels on the screen to steal information displayed by other apps, including 2FA codes.
  • The primary defense is to avoid installing suspicious apps, as the attack requires a malicious, permission-free app to be installed.
  • Google has issued a partial patch in the September Android security bulletin and plans to release a further fix in December.
  • Keep your Android OS updated with the latest security updates to mitigate the Pixnapping vulnerability.
