Android Pixnapping attack can capture app data like 2FA info

Reviving a Decade-Old Threat: The Pixnapping Attack on Android Devices

Security researchers have revived a 12-year-old pixel-stealing attack, now known as Pixnapping, against Android devices. The 2013 original targeted web browsers; the new variant lets a malicious Android app read what other apps and websites display, which is roughly equivalent to an app that can take screenshots of other applications without holding any permission. As detailed below, Google has shipped a partial patch, but the researchers report a workaround, so the attack is not fully mitigated.

Pixnapping lets a rogue Android application leak information displayed by other apps, including Google Maps, Signal, and Venmo, and by websites such as Gmail opened in the browser. It can even capture two-factor authentication (2FA) codes shown by Google Authenticator.

The attack reads screen pixels through a hardware side channel, using a technique inspired by security researcher Paul Stone's 2013 work. Stone showed that SVG filters could be used in a timing attack to read the pixel values of a cross-origin iframe; browsers and websites have since mitigated that method through restrictions on cross-origin iframes and cross-origin cookies.

The modern iteration was developed by a team of researchers from several institutions, including the University of California, Berkeley, and Carnegie Mellon University. Their findings will be presented in a paper titled "Pixnapping: Bringing Pixel Stealing out of the Stone Age" at the 32nd ACM Conference on Computer and Communications Security (CCS) in Taipei, Taiwan.

According to Alan Wang, a PhD candidate at UC Berkeley, the team leveraged their previous work on GPU.zip, which provided a side channel to leak rendering data. “After learning about Android’s Custom Tabs API, we realized we might be able to revive the browser attacks, which then led to the app attacks,” Wang explained.

Pixnapping has three building blocks. First, the malicious app uses Android Intents, the messaging mechanism apps use to start activities in other apps, to launch the target app so that the target's pixels enter the rendering pipeline. Second, it overlays semi-transparent Android Activities on top of the target and applies the Android window blur API to the region behind them, so the victim's pixels become inputs to graphical operations the attacker controls. Third, it uses VSync callbacks to measure how long each frame takes to render.

The attack follows a systematic approach:

  1. The malicious app opens the target app (e.g., Google Authenticator), causing the target's pixels to be submitted for rendering.
  2. It selects the screen coordinates of one target pixel, aiming to determine whether that pixel is white (no content) or non-white (rendered content).
  3. It performs graphical operations over that pixel that take longer to render if the pixel is non-white and less time if it is white.
  4. It measures the rendering time to infer the pixel's color, then repeats the process pixel by pixel until enough of the screen is recovered to run optical character recognition (OCR) and guess the original content.
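To make the inference step concrete, the following Python simulation is an added illustration; it is not the researchers' code and not an Android app. It models steps 2 to 4 above with constructed numbers: the frame-timing means and jitter, the 3x5 digit glyphs standing in for the authenticator's display, and the calibration against reference pixels the attacker drew itself are all assumptions. What it shows is the logic an attacker needs on top of the raw side channel: repeated timed measurements per pixel, a decision threshold, and a nearest-template OCR over the recovered bitmap.

```python
"""Simulation of Pixnapping's pixel-inference step.

Added illustration, not the researchers' code and not an Android app: it
models the timing side channel with constructed numbers so the inference
logic (threshold, repeated sampling, OCR) can be run offline.
"""
import random
import statistics

# Constructed timing model (microseconds). Frames whose blurred region
# covers a non-white victim pixel are assumed to render more slowly, the
# data-dependent effect the article attributes to GPU compression.
# Real measurements would come from VSync frame callbacks on the device.
WHITE_MEAN_US = 1800.0
NONWHITE_MEAN_US = 2150.0
JITTER_US = 60.0

# Constructed 3x5 digit glyphs standing in for what an authenticator
# app draws on screen (1 = non-white pixel, 0 = white).
DIGIT_TEMPLATES = {
    "0": ["111", "101", "101", "101", "111"],
    "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"],
    "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"],
    "5": ["111", "100", "111", "001", "111"],
    "6": ["111", "100", "111", "101", "111"],
    "7": ["111", "001", "001", "001", "001"],
    "8": ["111", "101", "111", "101", "111"],
    "9": ["111", "101", "111", "001", "111"],
}


def measure_frame_us(pixel_nonwhite, rng):
    """One simulated frame time for a blur over the chosen target pixel."""
    mean = NONWHITE_MEAN_US if pixel_nonwhite else WHITE_MEAN_US
    return rng.gauss(mean, JITTER_US)


def calibrate_threshold(rng, samples=30):
    """Time pixels the attacker drew itself (known white / known non-white)
    and put the decision threshold midway between the two medians."""
    white = statistics.median(measure_frame_us(False, rng) for _ in range(samples))
    nonwhite = statistics.median(measure_frame_us(True, rng) for _ in range(samples))
    return (white + nonwhite) / 2.0


def classify_pixel(timings_us, threshold_us):
    """Decide non-white (1) vs white (0) from repeated frame timings."""
    return 1 if statistics.median(timings_us) > threshold_us else 0


def recover_glyph(victim_glyph, threshold_us, rng, repeats=7):
    """Leak a glyph one pixel at a time: for every coordinate, repeat the
    timed blur and classify. Returns the recovered bitmap as row strings."""
    rows = []
    for row in victim_glyph:
        bits = []
        for ch in row:
            timings = [measure_frame_us(ch == "1", rng) for _ in range(repeats)]
            bits.append(str(classify_pixel(timings, threshold_us)))
        rows.append("".join(bits))
    return rows


def match_digit(bitmap):
    """Minimal OCR: nearest template by Hamming distance."""
    def distance(a, b):
        return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return min(DIGIT_TEMPLATES, key=lambda d: distance(bitmap, DIGIT_TEMPLATES[d]))


def recover_code(code, seed=7):
    """End-to-end simulation: the 'screen' shows `code`; return what the
    timing side channel plus OCR recovers, and how many pixels were leaked."""
    rng = random.Random(seed)
    threshold = calibrate_threshold(rng)
    recovered = ""
    pixels = 0
    for digit in code:
        bitmap = recover_glyph(DIGIT_TEMPLATES[digit], threshold, rng)
        recovered += match_digit(bitmap)
        pixels += sum(len(r) for r in bitmap)
    return recovered, pixels


if __name__ == "__main__":
    guess, leaked = recover_code("493027")
    print(f"recovered {guess} from {leaked} leaked pixels")
    for rate in (0.6, 2.1):  # the article's quoted leak rates
        print(f"{leaked / rate:.0f} s at {rate} px/s")
```

The usage at the bottom also puts the article's leak rate in perspective: recovering all 90 pixels of six 3x5 glyphs at 0.6 to 2.1 pixels per second would take roughly 43 to 150 seconds, longer than the 30-second lifetime of a TOTP code, so a real attacker has to sample far fewer, more discriminating, pixels per digit than this full-bitmap simulation does.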

The researchers demonstrated Pixnapping on multiple devices running Android versions 13 to 16, including the Google Pixel series and the Samsung Galaxy S25. Other Android devices have not been tested, but the APIs the attack relies on are generally available across Android. Notably, a malicious app implementing Pixnapping does not need to request any special permissions in its manifest file.

On Pixel devices, the attack exploits how the Mali GPU compresses framebuffer data: the compression is data dependent, so rendering time depends on pixel content and can be timed to infer pixel values. The researchers are still investigating whether the similar timing differences observed on Samsung devices are also caused by GPU data compression.

Pixnapping is slow, leaking only 0.6 to 2.1 pixels per second, but the researchers say this is still enough to recover Google Authenticator codes, which rotate every 30 seconds and therefore must be recovered within that window. A Google spokesperson confirmed that a patch for the underlying vulnerability, tracked as CVE-2025-48561, shipped in the September Android security bulletin, with a further patch planned for December, and said there is no evidence of exploitation in the wild.

Google's mitigation restricts the number of blur API calls an app can make per Android Activity, but the researchers say they have found a workaround, the details of which remain under embargo. They argue that the most durable fix is to stop an attacker from computing on victim pixels at all, since new side channels keep appearing in Android's graphics stack.

The researchers also note that the GPU.zip side channel itself remains unaddressed by GPU vendors, and that they found a way for an app to enumerate every installed app on a device, a capability Android has blocked since Android 11 for privacy reasons. Google has indicated that fixing this particular issue may not be feasible.
