Pixnapping: Side-Channel Vulnerability Allows Android Apps to Capture Sensitive Screen Data

A newly identified class of attacks poses a significant threat to Android devices. The technique, known as Pixnapping, lets a malicious application surreptitiously capture on-screen information from other apps through what the researchers call pixel stealing. The implications are broad, since the attack affects a wide range of applications, including popular services such as Signal, Google Authenticator, and Venmo.

Understanding the Pixnapping Attack

A Pixnapping attack begins when a user unwittingly installs a malicious app. That app then uses Android APIs to launch another application, such as Google Authenticator. Once the target app is on screen, the malicious software performs graphical operations on the specific screen regions where sensitive information is displayed. By exploiting a side channel, it recovers those pixels one at a time, effectively taking a screenshot of the target app's interface without any screenshot permission.

Pixnapping forces sensitive pixels into the rendering pipeline and overlays semi-transparent activities on top of those pixels via Android intents. To induce graphical operations on these pixels, our instantiations use Android’s window blur API. To measure rendering time, our instantiations use VSync callbacks.

This attack leverages the GPU.zip side-channel vulnerability, which researchers have identified as prevalent in nearly all modern GPUs, including those manufactured by AMD, Apple, Arm, Intel, Qualcomm, and Nvidia.

The research draws a parallel between iframes in web browsers and app layering on mobile devices. App layering allows a malicious application to interact with the pixels of another app, which can lead to significant information leaks. Since app layering is unlikely to be eliminated, the researchers suggest that a viable response is to make these new attacks as unappealing as their web-based predecessors: allow sensitive applications to opt out, and limit the attacker's measurement capabilities so that any proof-of-concept remains just that.

A realistic response is making the new attacks as unappealing as the old ones: allow sensitive apps to opt-out and restrict the attacker’s measurement capabilities so that any proof-of-concept stays just that.

Currently, there appear to be no mitigation strategies available for developers to safeguard their applications against Pixnapping. In their findings, researchers highlight that this attack enables the theft of secrets stored locally, such as two-factor authentication codes and Google Maps Timeline data, which have previously been out of reach for pixel stealing attacks.

While pixel stealing attacks are not entirely novel, having first been demonstrated in 2013 through the use of iframes to extract information from embedded target websites, modern web browsers have significantly mitigated these threats by imposing restrictions on iframes and cross-site cookie usage.

The GPU.zip side-channel vulnerability was initially disclosed by the same research team in 2023 and has yet to be addressed by the affected GPU vendors. In its original context, which focused on data exfiltration from websites, the vulnerability was not considered a major concern due to the protective measures implemented by browsers against iframe and cross-site cookie exploits, along with the security protocols of most sensitive websites.

About the Author

Sergio De Simone


AppWizard