Elyse Betters Picaro / ZDNET

ZDNET's key takeaways

- Pixnapping could be used to steal private data, including 2FA codes.
- The side-channel attack abuses Google Android APIs to steal data on display.
- The flaw is partially patched; a more complete fix is due in December.

A new attack method demonstrated by researchers could lead to the theft of two-factor authentication (2FA) codes and more on Android devices.

The attack technique, detailed in a paper titled Pixnapping: Bringing Pixel Stealing out of the Stone Age (PDF), was developed by researchers from the University of California, Berkeley, San Diego, Washington, and Carnegie Mellon.

Dubbed "Pixnapping," this attack begins when a victim unknowingly installs a malicious mobile application on their Android smartphone. Notably, the app does not need to abuse permissions to perform the attack, which exploits existing Android APIs, pixel rendering, and a hardware side channel.

The steps

Pixnapping, so named because it abuses pixels rendered by a target app such as Google Authenticator, has three steps.

In the first stage, the malicious app invokes a target app and makes a system call to prompt the submission of sensitive data to the Android rendering pipeline.

In the second stage, the app induces graphical operations (blurring) by launching a "semi-transparent" layer over individual sensitive pixels rendered by the target app, such as the part of the screen where an authentication app renders 2FA characters. Masking is then used to isolate, enlarge, and determine the graphical nature of the pixels.

In the third and final stage, a side channel, GPU.Zip, is abused to steal the pixels on display, one by one.
In other words, the malicious app captures pixels to assemble a form of "screenshot" of content it should not have access to.

What are the consequences?

This attack could lead to the theft of visible information, such as private messages, 2FA codes, open email content, and more. Regarding 2FA, experiments to leak 100 codes within the required 30-second window were successful on Google Pixel phones, but with varying degrees of success in grabbing all six digits from Google Authenticator. The attack was not successful on a Samsung Galaxy S25 "due to significant noise."

"We have demonstrated Pixnapping attacks on Google and Samsung phones and end-to-end recovery of sensitive data from websites, including Gmail and Google Accounts, and apps, including Signal, Google Authenticator, Venmo, and Google Maps," the researchers say. "Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user."

Pixnapping was performed on five devices running Android versions 13 to 16: the Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. However, other handsets could also be affected, as the team says the "core mechanisms enabling the attack are typically available in all Android devices."

Is this security flaw patched?

The security flaw has been assigned the identifier CVE-2025-48561. A patch has been issued (1, 2). The team says this patch mitigates Pixnapping "by limiting the number of activities an app can invoke blur on," but also says a workaround exists, which has been privately disclosed to Google.

It is not known whether this exploit is being used in the wild, although Google told The Register there is no evidence of active campaigns.
In addition, this partial mitigation will be followed by a further patch in the tech giant's December Android security bulletin.