Security researchers say they’ve devised a new technique to extract private data from apps installed on Android devices, including two-factor authentication (2FA) codes and location timelines, in under a minute.
Known as Pixnapping, the new hacking technique was used to successfully extract data from Google Pixel phones and the Samsung Galaxy S25. It can further be modified to target other devices running Android, as per the researchers from University of California; University of Washington; and Carnegie Mellon University. The findings are detailed in a research paper titled ‘Pixnapping: Bringing Pixel Stealing out of the Stone Age’ published on Monday, October 13.
“Anything that’s visible when the target app is opened can be stolen by the malicious app using Pixnapping. Chat messages, 2FA codes, email messages, etc. are all vulnerable since they’re visible,” the researchers wrote in a separate blog post.
“If an app has secret information that isn’t visible (e.g., it has a secret key that’s stored but never shown on the screen), that information can’t be stolen by Pixnapping,” they added. The Pixnapping paper not only contributes to the understanding of such attacks but also exposes the cracks in Google’s security and privacy safeguards, demonstrating that a malicious app might still be able to access another app’s sensitive data.
In response to the findings, Google said that it released updates to patch the vulnerability. “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We’re issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation,” a Google spokesperson was quoted as saying by Ars Technica.
However, the researchers said that a modified version of the Pixnapping attack still works even after the update has been installed.
How it works
First, the victim has to install a malicious app on an Android phone or tablet. The malicious app will use Android APIs to make calls to the app that the attacker wants to snoop on. These calls can also be used to effectively scan an infected device for apps of interest that have been installed.
The API calls cause the targeted app to display specific data it has access to, such as a message thread in a messaging app or a 2FA code for a specific site. This information is then sent to the Android rendering pipeline, the system that takes each app’s pixels so they can be rendered on the screen.
In the next step, the hackers perform graphical operations on the individual pixels sent by the targeted app to the Android rendering pipeline. Then, they map the coordinates of the target pixels to letters, numbers, or shapes.
“Suppose, for example, [the attacker] wants to steal a pixel that’s part of the screen region where a 2FA character is known to be rendered by Google Authenticator,” Alan Linghao Wang, lead author of the research paper, said.
“This pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Then, conceptually, the attacker wants to cause some graphical operations whose rendering time is long if the target victim pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the victim app that was opened in Step 1,” Wang was quoted as saying.
By measuring the amount of time required at each coordinate and comparing them, the attackers can rebuild the images sent to the rendering pipeline one pixel at a time, as per the research paper. “Conceptually, it’s as if the malicious app was taking a screenshot of screen contents it should not have access to,” Wang further said.
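A toy model of the timing side channel described above, added here as an illustration and not taken from the paper or the researchers' code. Render times are simulated; the glyph, the delay constants and the `data_dependent` switch are assumptions. It shows that per-coordinate timing differences are enough to rebuild the image, and that the reconstruction breaks down once render time no longer depends on the pixel's value.

```python
import random
import statistics

# Constructed 5x3 glyph of the digit "7": 1 = non-white pixel, 0 = white.
SECRET = [
    [1, 1, 1],
    [0, 0, 1],
    [0, 1, 0],
    [0, 1, 0],
    [0, 1, 0],
]

def render_time(pixel, rng, data_dependent=True):
    """Simulated render time in ms for one probe (all constants are assumptions)."""
    base = 10.0 + rng.gauss(0, 1.0)  # scheduling and measurement noise
    extra = 3.0 if (pixel and data_dependent) else 0.0  # slow path for non-white
    return base + extra

def recover(secret, rng, samples=25, data_dependent=True):
    """Classify each coordinate from the median of repeated timings."""
    medians = [[statistics.median(render_time(p, rng, data_dependent)
                                  for _ in range(samples)) for p in row]
               for row in secret]
    flat = [m for row in medians for m in row]
    threshold = (min(flat) + max(flat)) / 2  # midpoint of fastest and slowest
    return [[int(m > threshold) for m in row] for row in medians]

def accuracy(secret, guess):
    """Fraction of coordinates where the guess matches the real pixel."""
    cells = [(s, g) for sr, gr in zip(secret, guess) for s, g in zip(sr, gr)]
    return sum(s == g for s, g in cells) / len(cells)

def demo(seed=1):
    """Return (accuracy with leaky timing, accuracy with constant timing)."""
    rng = random.Random(seed)
    leaky = recover(SECRET, rng, data_dependent=True)
    constant = recover(SECRET, rng, data_dependent=False)
    return accuracy(SECRET, leaky), accuracy(SECRET, constant)

if __name__ == "__main__":
    leaky_acc, constant_acc = demo()
    print(f"data-dependent timing: {leaky_acc:.0%} of pixels recovered")
    print(f"constant timing:       {constant_acc:.0%} of pixels matched")
```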
The Pixnapping technique is reportedly similar to another type of attack called GPU.zip that was uncovered in 2023. It involves exploiting side channels found in GPUs from major vendors.

