Google has patched ‘Pixnapping’ attack in Android, further fix with December security update

Google has acknowledged a significant vulnerability that poses a risk to applications typically regarded as secure, such as Authenticator and Signal. This issue stems from a novel technique known as “Pixnapping,” which has been successfully exploited on various models of Google Pixel devices and Samsung Galaxy smartphones.

Details of the Vulnerability

As reported by The Register, Google has implemented a partial fix for this recently identified security flaw. The attack exploits certain weaknesses within the Android operating system, particularly through the Android Intent system. This system facilitates communication between apps, allowing a malicious application to request sensitive information from a targeted app for rendering purposes.

Once the render is obtained, the malicious app can extract sensitive pixels, overlaying them with transparent screens that the user cannot detect. The harvested data can then be read through a side channel that relies on another vulnerability, known as GPU.zip, which enables the theft of GPU-rendered visuals.

The research team responsible for uncovering Pixnapping comprises seven researchers who successfully demonstrated the vulnerability on multiple Google Pixel models, including the Pixel 9, Pixel 8, and Pixel 7. They also managed to replicate the exploit on a Samsung Galaxy S25.

Timeline and Response

According to the timeline provided by the research team, Google was alerted to the issue in February 2025. In response, the company rolled out a patch as part of its September security update, reflecting the seriousness with which it views this threat.

However, the research team has indicated that further action is necessary. They have pointed out a workaround that still allows the CVE-2025-48561 vulnerability to be triggered; neither Google nor the research team has disclosed the workaround. As it stands, the current security update does not address it.

In light of these developments, Google has announced plans to issue an additional patch for the vulnerability in the forthcoming December security update. The company has also reassured users that there have been no confirmed instances of the vulnerability being exploited in real-world scenarios.

AppWizard