Think You’re Safe? Hackers Can Now Peek at Every Password You Type on Android

In an era where modern hardware is often perceived as a bulwark against cyber threats, the reality is more complex. The landscape of cyber threats has evolved, giving rise to increasingly sophisticated methods designed to compromise devices. A recent discovery has illuminated a particularly concerning trend: Android smartphones are now being targeted by malware that stealthily extracts information directly from the screen.

Security researchers from various US universities have unveiled this emerging threat in a detailed white paper. The malware, which has been aptly named “Pixnapping,” employs pixel-stealing technology and stands out due to its ability to operate without requiring elevated permission levels. This characteristic renders it one of the most perilous forms of malware identified to date.

An App That Reads Your Screen’s Pixels

The mechanism of this threat involves a malicious application that specifically targets Android devices, including popular models such as Google Pixel and Samsung Galaxy smartphones. The app functions by capturing repeated background screenshots to read each pixel on the screen, subsequently reassembling the data into a coherent format. This insidious technique allows it to surveil sensitive information, including messages, passwords, and two-factor authentication (2FA) codes from applications like Google Authenticator.

The research team provided a demonstration of the attack’s functionality. Once installed, the malware operates discreetly in the background. In one instance, it successfully extracted codes from the Authenticator app without the user’s knowledge.

[Figure: Pixnapping is shown to extract sensitive data like 2FA codes from apps using pixel-stealing technology. Image © Pixnapping]

After the data is captured, it is transmitted to a remote server controlled by the attackers. This access enables them to infiltrate accounts and execute further actions, such as altering settings or making purchases within financial and retail applications.

Further analysis revealed that the malware’s effectiveness varies across different devices. While newer models exhibit greater resistance, they are not entirely immune. For example, the recovery rate of two-factor codes was found to be 53% on the Pixel 9, in contrast to 73% on the Pixel 6. Additionally, the time taken to extract these codes differed significantly, with the Pixel 9 requiring 25.3 seconds compared to just 14.3 seconds for the Pixel 6.

The report indicates that although data sharing is generally restricted for applications and websites, a vulnerability in Android APIs is being exploited by this malware to access and interpret pixel data displayed on the screen.

Google Has Not Fully Addressed the Threat

The researchers reported the vulnerability, designated as CVE-2025-48561, to Google back in February. In response, the company issued a partial fix during the September security update; however, this patch does not completely mitigate the vulnerability. Google has acknowledged the issue and indicated that a more comprehensive update is forthcoming.

In the interim, users are encouraged to adopt proactive measures to safeguard their devices. This includes ensuring that the operating system and applications are updated to the latest versions. Enabling built-in protections, avoiding the installation of third-party apps from unverified sources, and regularly reviewing app permissions are also advisable steps.
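The patch-level and install-source checks from the paragraph above can be scripted. This is an added example, not code from the article or the researchers. It assumes `adb` access to the device, that the September update corresponds to security patch level 2025-09-01, and that Google Play (`com.android.vending`) is the only trusted installer.

```shell
#!/bin/sh
# Added example: device-side checks for the advice above (patch level, app source).
# Assumption: the "September security update" is patch level 2025-09-01
# (inferred from the CVE year; the article does not state the level).
PARTIAL_FIX_LEVEL="2025-09-01"
# Assumption: Google Play is the only trusted installer; add a managed store if used.
TRUSTED_INSTALLERS="com.android.vending"

# patch_status LEVEL -> has-partial-fix | missing-partial-fix | unknown
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are dropped.
    have=$(echo "$1" | sed 's/-//g')
    need=$(echo "$PARTIAL_FIX_LEVEL" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then
        echo "has-partial-fix"
    else
        echo "missing-partial-fix"
    fi
}

# sideloaded_apps: reads `pm list packages -3 -i` output on stdin and prints
# "<package> <installer>" for every app not installed by a trusted store.
sideloaded_apps() {
    tr -d '\r' | while read -r pkg inst _ || [ -n "$pkg" ]; do
        case "$pkg" in package:*) ;; *) continue ;; esac
        installer=${inst#installer=}
        case " $TRUSTED_INSTALLERS " in
            *" $installer "*) ;;                      # trusted store, skip
            *) echo "${pkg#package:} ${installer:-none}" ;;
        esac
    done
}

# Run against a connected device only when asked: ./audit.sh --device
if [ "${1:-}" = "--device" ]; then
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "security patch level $level: $(patch_status "$level")"
    echo "third-party apps not installed from a trusted store:"
    adb shell pm list packages -3 -i | sideloaded_apps
fi
```

Because the article describes the September patch as partial, `has-partial-fix` means only that the device is not behind that update, not that it is fully protected.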

For enhanced security, users might consider utilizing hardware-based two-factor authentication rather than relying solely on software solutions provided by third-party applications.

What measures do you recommend to keep devices and data safe from these kinds of attacks? We welcome your suggestions in the comment section.

AppWizard