In a concerning development for Android users, a new attack method known as Pixnapping has emerged, capable of surreptitiously capturing sensitive information such as two-factor authentication (2FA) codes and location data in under 30 seconds. This sophisticated technique, devised by a team of academic researchers, requires a malicious application to be installed on the target device, but that application does not need any system permissions.
The Pixnapping attack has been successfully demonstrated on devices like the Google Pixel and the Samsung Galaxy S25, with the potential for adaptation to other models. Despite Google’s recent release of mitigations aimed at countering this threat, researchers have indicated that a modified version of the attack remains effective even after these updates are applied.
Like taking a screenshot
The mechanics of a Pixnapping attack are strikingly simple yet alarming. The malicious app initiates a sequence that prompts targeted applications, such as authenticators, to display sensitive information on the screen. By executing graphical operations on specific pixels, the app can map the coordinates of those pixels to corresponding characters or shapes, effectively stealing any visible data.
As outlined by the researchers on their informational website, “Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping.” This includes a wide array of information such as chat messages, 2FA codes, and email contents. However, it is important to note that information not displayed on the screen, such as secret keys stored within an app, remains secure from this particular attack.
Pixnapping bears a resemblance to a previous attack known as GPU.zip, which surfaced in 2023. GPU.zip exploited vulnerabilities in graphics processing units (GPUs) to extract usernames, passwords, and other sensitive visual data from websites. The weaknesses that GPU.zip took advantage of have not been rectified; instead, browsers have implemented restrictions on iframes to prevent such attacks from occurring.