This New 'pixnapping' Exploit Can Steal Everything On Your Android Screen - Even 2fa Codes

Elyse Betters Picaro / ZDNET

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• Pixnapping could beryllium utilized to bargain backstage data, including 2FA codes.
• Side-channel onslaught abuses Google Android APIs to bargain information connected display.
• Flaw is partially patched, though a much complete hole is owed successful December.

A caller onslaught method demonstrated by researchers could lead to nan theft of two-factor authentication (2FA) codes and much connected Android devices.

Also: This basal Android characteristic is 'absolutely not' going away, says Google - but it is changing

The onslaught technique, elaborate successful a insubstantial titled Pixnapping: Bringing Pixel Stealing retired of nan Stone Age (PDF), has been developed by researchers from nan University of California, Berkeley, San Diego, Washington, and Carnegie Mellon.

Dubbed "Pixnapping," this onslaught vector originates erstwhile a unfortunate unknowingly installs a malicious mobile exertion connected their Android smartphone.

Notably, nan app doesn't request to maltreatment permissions to execute this attack, which exploits existing Android APIs, pixel rendering, and a hardware broadside channel.

The steps

There are 3 steps to Pixnapping, alleged owed to its maltreatment of pixels rendered by a target app, specified arsenic Google Authenticator. The first shape requires nan malicious app to invoke a target app and make a strategy telephone to punctual nan submission of delicate information to nan Android rendering pipeline.

Also: Your Android phone's astir powerful information characteristic is disconnected by default and hidden - move it connected now

In nan 2nd stage, this app will past induce graphical operations (blurring) by launching a "semi-transparent" furniture connected individual delicate pixels rendered by nan target app -- specified arsenic nan portion of a surface erstwhile an authentication app renders 2FA characters. Masking is past utilized to isolate, enlarge, and find nan graphical quality of nan pixels.

The 3rd and last shape requires nan maltreatment of a broadside channel, GPU.Zip, to bargain nan pixels connected display, 1 by one. In different words, nan malicious app is taking pixels to seizure a shape of "screenshot" of contented it should not person entree to.

What are nan consequences?

This onslaught could lead to nan theft of visible information, specified arsenic backstage messages, 2FA codes, unfastened email content, and more.

Regarding 2FA, experiments to leak 100 of them wrong nan required 30-second model were successful connected Google Pixel phones, but location were varying degrees of occurrence successful grabbing nan afloat six digits wrong Google Authenticator. However, this was not successful connected a Samsung Galaxy S25 "due to important noise."

Also: This silent Android characteristic scans your photos for 'sensitive content' - really to disable it

"We person demonstrated Pixnapping attacks connected Google and Samsung phones and end-to-end betterment of delicate information from websites, including Gmail and Google Accounts, and apps, including Signal, Google Authenticator, Venmo, and Google Maps," nan researchers say. "Notably, our onslaught against Google Authenticator allows immoderate malicious app to bargain 2FA codes successful nether 30 seconds while hiding nan onslaught from nan user."

Pixnapping was performed connected 5 devices moving Android versions 13 to 16: nan Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. However, it is imaginable that Pixnapping could effect different handsets, arsenic nan squad says nan "core mechanisms enabling nan onslaught are typically disposable successful each Android devices."

Is this information flaw patched?

The information flaw has been assigned nan locator CVE-2025-48561. A spot has been issued (1, 2). The squad says that this spot mitigates Pixnapping "by limiting nan number of activities an app tin invoke blur on," but besides says a workaround exists, and this has been privately disclosed to Google.

Also: How to move connected Android's Private DNS mode - and why you should ASAP

It is not known if this utilization is being utilized successful nan wild, though Google told The Register location is nary grounds of progressive campaigns. In addition, this partial mitigation will beryllium followed by an further spot successful nan tech giant's December Android information bulletin.

Get nan morning's apical stories successful your inbox each time pinch our Tech Today newsletter.