Resurgence of a Vintage Cyber Threat
In a striking development, security researchers have revived a 12-year-old browser attack, now tailored for Android devices, allowing malicious applications to extract pixel data from other apps or websites. This adaptation, known as “Pixnapping,” presents a significant challenge for mobile security.
Alan Wang, a PhD candidate at UC Berkeley, elaborated on the mechanics of this attack. “The malicious app initiates by opening the target application, such as Google Authenticator, which then renders its pixels,” he explained, detailing the clever timing trick that underpins the technique. The malicious app selects a specific pixel, executes graphical operations that depend on the color of that pixel, and measures the time it takes to render frames; from those timings it infers the displayed content.
The research team successfully demonstrated this attack on a range of devices, including the Google Pixel 6, 7, 8, and 9, as well as the Samsung Galaxy S25, all running Android versions 13 to 16, specifically up to build ID BP3A.250905.014. Notably, the implementation of Pixnapping does not require any special manifest permissions, complicating detection and prevention efforts.
In their paper titled “Pixnapping: Bringing Pixel Stealing out of the Stone Age,” the researchers outlined the potential risks associated with this attack. It can extract sensitive information from widely used applications such as Google Maps, Signal, and Venmo, as well as from websites like mail.google.com. Alarmingly, the researchers demonstrated its capability to capture two-factor authentication codes from Google Authenticator.
While the study focused on specific Android models, the authors noted that the fundamental mechanism enabling this timing channel is likely prevalent across a broader range of devices. Unfortunately, the paper does not provide specific defenses against this vulnerability, leaving modern smartphones exposed to this deceptively simple yet highly effective side-channel attack.