New Android Attack, Pixnapping, Can Steal 2FA Codes Without Permissions

A newly disclosed Android vulnerability, dubbed Pixnapping, allows malicious apps to steal sensitive on‑screen information — including 2FA codes, chat messages, and location history — without needing any system permissions. The attack, developed by academic researchers, can extract visible data in under 30 seconds and raises fresh concerns about app isolation and screen privacy on modern Android devices.

Pixnapping is a side‑channel attack that targets Android’s screen‑rendering pipeline. After a user installs a specially crafted malicious app, that app can provoke other apps to render sensitive content and then probe the rendering process — pixel by pixel — by measuring tiny timing differences in how frames are drawn. Those timing signals let the attacker infer whether a particular pixel is blank or part of a character or image, enabling reconstruction of what was shown on the screen.

Crucially, the malicious app needs no system permissions — it does not rely on file access, screen‑capture permissions, or sensors. That makes detecting and blocking the technique using standard permission reviews more difficult.

How the attack works

  • Trigger: The malicious app uses ordinary, unprivileged Android APIs to open a target app, or prompt it, so that it displays sensitive content (for example, a 2FA code or a chat thread).
  • Probe: The malicious app performs tiny graphical operations aimed at specific pixel coordinates and measures how long each one takes to render.
  • Reconstruct: By combining timing measurements across many pixels, the attacker rebuilds the visible image as a bitmap and reads the revealed data from it.
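The probe and reconstruct steps above, as an added toy simulation: this is not the researchers' code and does not touch Android at all. A monochrome display of digit glyphs is "measured" through a constructed timing channel with Gaussian jitter; the attacker averages repeated probes of each pixel, thresholds the averages, and template-matches the recovered bitmap back to digits. The glyph shapes, the timing constants BLANK_MS and INK_DELTA_MS, the noise model and every function name are assumptions made for this example. What it shows is the trade-off the article only states: the noisier the channel, the more probes per pixel the attacker needs before the whole code comes back intact.

```python
"""Toy model of the Pixnapping probe/reconstruct stages (constructed example).

A 'screen' of digit glyphs is probed pixel by pixel through a noisy timing
channel; the attacker averages repeated probes, thresholds them into a bitmap
and matches glyph-sized slabs against digit templates.  Timing constants and
noise are illustrative assumptions, not measured Android values.
"""
import random

# 3x5 glyphs for the ten digits (constructed for this example).
DIGIT_GLYPHS = {
    "0": ["###", "#.#", "#.#", "#.#", "###"],
    "1": [".#.", "##.", ".#.", ".#.", "###"],
    "2": ["###", "..#", "###", "#..", "###"],
    "3": ["###", "..#", "###", "..#", "###"],
    "4": ["#.#", "#.#", "###", "..#", "..#"],
    "5": ["###", "#..", "###", "..#", "###"],
    "6": ["###", "#..", "###", "#.#", "###"],
    "7": ["###", "..#", "..#", "..#", "..#"],
    "8": ["###", "#.#", "###", "#.#", "###"],
    "9": ["###", "#.#", "###", "..#", "###"],
}
GLYPH_W, GLYPH_H, GAP = 3, 5, 1

# Assumed channel: a blank pixel costs BLANK_MS to draw, an inked pixel
# INK_DELTA_MS more.  The attacker is assumed to have calibrated the midpoint.
BLANK_MS = 1.0
INK_DELTA_MS = 0.2
THRESHOLD_MS = BLANK_MS + INK_DELTA_MS / 2


def render_code(code):
    """Victim side: rasterise a digit string into rows of 0/1 pixels."""
    rows = []
    for r in range(GLYPH_H):
        row = []
        for i, d in enumerate(code):
            row.extend(1 if c == "#" else 0 for c in DIGIT_GLYPHS[d][r])
            if i != len(code) - 1:
                row.extend([0] * GAP)
        rows.append(row)
    return rows


def probe_pixel(is_ink, rng, noise_sd, samples):
    """Attacker side: time one pixel `samples` times and return the mean."""
    base = BLANK_MS + (INK_DELTA_MS if is_ink else 0.0)
    total = 0.0
    for _ in range(samples):
        total += base + rng.gauss(0.0, noise_sd)  # draw time plus jitter
    return total / samples


def measure_screen(bitmap, rng, noise_sd, samples):
    """Rebuild the bitmap by thresholding each pixel's averaged timing."""
    return [[1 if probe_pixel(px, rng, noise_sd, samples) > THRESHOLD_MS else 0
             for px in row] for row in bitmap]


def glyph_columns(bitmap):
    """Slice the recovered bitmap into glyph-wide column slabs."""
    stride = GLYPH_W + GAP
    for x in range(0, len(bitmap[0]), stride):
        yield [row[x:x + GLYPH_W] for row in bitmap]


def match_digit(glyph):
    """Nearest template by Hamming distance; ties go to the lowest digit."""
    best = None
    for d in sorted(DIGIT_GLYPHS):
        template = [[1 if c == "#" else 0 for c in r] for r in DIGIT_GLYPHS[d]]
        dist = sum(a != b for tr, gr in zip(template, glyph) for a, b in zip(tr, gr))
        if best is None or dist < best[0]:
            best = (dist, d)
    return best[1]


def recover_code(bitmap):
    return "".join(match_digit(g) for g in glyph_columns(bitmap))


def attack(code, noise_sd=0.0, samples=1, seed=0):
    """Full pipeline for one displayed code: render, probe, reconstruct."""
    rng = random.Random(seed)
    return recover_code(measure_screen(render_code(code), rng, noise_sd, samples))


def success_rate(noise_sd, samples, trials=20, seed=1):
    """Fraction of random 6-digit codes recovered exactly at this noise level."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        code = "".join(rng.choice("0123456789") for _ in range(6))
        hits += attack(code, noise_sd, samples, seed=rng.random()) == code
    return hits / trials


if __name__ == "__main__":
    print(attack("123456"))
    for n in (1, 16, 256):
        print(f"noise_sd=0.5 samples={n} success={success_rate(0.5, n):.2f}")
```

Running the module prints the code recovered over a noiseless channel and then the exact-recovery rate at noise_sd=0.5 for 1, 16 and 256 probes per pixel: with a single probe recovery collapses, with 256 it approaches 1. That is the shape of the device differences the article reports (a quiet Pixel 6 versus a Galaxy S25 too noisy to finish in 30 seconds); the simulation only covers the signal-processing half of the attack, not how the probes are performed on a real device.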

The attack can only recover information that is actually displayed on screen; data hidden inside an app and never rendered cannot be taken this way.

Real‑world testing and impact

Researchers demonstrated Pixnapping on several Google Pixel models (Pixel 6 through Pixel 9) and on a Samsung Galaxy S25.

Results varied by device: the Pixel 6 recovered full 6‑digit Google Authenticator codes in 73% of trials, while the Pixel 8 succeeded in 29% of trials. Average recovery times ranged from about 14 to 25 seconds — within the typical 30‑second validity window for time‑based 2FA codes. The Galaxy S25 produced too much noise for the researchers’ implementation to complete within 30 seconds, though the team believes further tuning could broaden device coverage.

In response, Google assigned CVE‑2025‑48561 to the issue and issued partial mitigations in the September 2025 Android security bulletin, with an additional patch scheduled for December. Google reported no evidence of in‑the‑wild exploitation to date and continues to monitor the situation.

Pixnapping undermines an important security assumption that an app without permissions cannot observe another app’s private data. Because it exploits low‑level rendering timing rather than traditional permission or API flaws, the attack is harder to detect and mitigate with usual app‑permission controls. That makes Pixnapping a practical privacy concern — especially for targeted attacks — and highlights limits in current platform defenses against timing-based side channels.

To reduce exposure, users and IT teams should:

  • Install only trusted apps and avoid sideloading unknown APKs.
  • Apply Android updates and security patches as vendors release them.
  • Prefer phishing‑resistant 2FA (hardware keys or FIDO2/passkeys) for critical accounts where available; these never render a code on screen, so there is nothing for this attack to read.
  • Enforce app‑install policies on managed devices (block sideloading, use allowlists) and monitor device compliance.

Pixnapping is a technically sophisticated side‑channel attack that can expose information visible on an Android screen without requesting permissions. While broad exploitation appears difficult and Google has started issuing mitigations, the issue is a timely reminder that platform security needs layered defenses including cautious app installation practices, fast patching, and stronger, phishing‑resistant authentication for sensitive accounts.

For a deeper dive into the Pixnapping vulnerability, check out the full coverage on Ars Technica here.

