browser attack

AppWizard
October 14, 2025
Security researchers have revived a 12-year-old browser attack and adapted it for Android devices. Called "Pixnapping," it allows malicious applications to extract pixel data from other apps or websites. In the attack, a malicious app opens a target application, such as Google Authenticator, and uses timing tricks to infer the displayed content by measuring rendering times that depend on specific pixels. The attack has been successfully demonstrated on devices including Google Pixel 6, 7, 8, and 9, and Samsung Galaxy S25, all running Android versions 13 to 16. Pixnapping does not require special manifest permissions, which complicates detection. It can extract sensitive information from apps like Google Maps, Signal, and Venmo, and capture two-factor authentication codes from Google Authenticator. The mechanism enabling this attack is likely present across a broader range of devices, but the research does not provide specific defenses against it.