Pixnapping

AppWizard
October 16, 2025
A newly identified attack method called Pixnapping poses a significant threat to Android devices by allowing malicious applications to capture on-screen information from other apps through pixel stealing. This attack affects various applications, including Signal, Google Authenticator, and Venmo. Pixnapping occurs when a user installs a malicious app that uses Android APIs to launch a target application, capturing sensitive information displayed on the screen by exploiting a side channel. The attack utilizes the GPU.zip side-channel vulnerability, prevalent in modern GPUs from manufacturers like AMD, Apple, Arm, Intel, Qualcomm, and Nvidia. Currently, there are no mitigation strategies available for developers against Pixnapping, which can lead to the theft of locally stored secrets, such as two-factor authentication codes. The GPU.zip vulnerability was disclosed in 2023 and remains unaddressed by GPU vendors.
AppWizard
October 15, 2025
Android smartphones are being targeted by malware named "Pixnapping," which uses pixel-stealing technology to extract information directly from the screen without requiring elevated permissions. This malware captures repeated background screenshots to read pixels, allowing it to surveil sensitive information such as messages, passwords, and two-factor authentication (2FA) codes. The extracted data is transmitted to a remote server controlled by attackers, enabling them to infiltrate accounts and perform actions like altering settings or making purchases. The malware's effectiveness varies by device, with a recovery rate of 53% for 2FA codes on the Pixel 9 and 73% on the Pixel 6. A vulnerability in Android APIs, designated as CVE-2025-48561, is exploited by this malware. Google was notified of the vulnerability in February and issued a partial fix in September, but the issue remains unresolved. Users are advised to keep their devices updated, enable built-in protections, avoid unverified apps, and consider hardware-based two-factor authentication for enhanced security.
AppWizard
October 15, 2025
A new cybersecurity threat called "Pixnapping" has been identified, targeting Android users. This attack can capture sensitive information displayed on a user's screen, such as two-factor authentication codes and chat messages, in under 30 seconds. It operates through a seemingly harmless app that prompts a target application to display confidential content and then analyzes the phone's rendering pipeline pixel by pixel to reconstruct the displayed information. The technique has been successfully demonstrated on Google Pixel devices and Samsung's Galaxy S25, exploiting timing discrepancies in graphics rendering. Google released a patch for this vulnerability (CVE-2025-48561) in September, though no real-world exploitation has been reported.
AppWizard
October 15, 2025
Security researchers have identified a data theft technique called Pixnapping that exploits vulnerabilities in Android devices, specifically targeting sensitive information from various applications without needing special permissions. This method allows malicious apps to capture data from other apps or websites, including sensitive information from platforms like Google Maps, Gmail, Signal, Venmo, and two-factor authentication codes from Google Authenticator. The technique utilizes a hardware side channel known as GPU.zip to read screen pixel data by measuring rendering times. The data leak rate is between 0.6 and 2.1 pixels per second, sufficient to reconstruct sensitive information. The vulnerability is designated as CVE-2025-48561 and affects Android versions 13 through 16, including devices like the Pixel 6 to 9 and Galaxy S25. A partial patch was released in September 2025, with a comprehensive solution expected in December. The attack allows benign applications from the Google Play Store to potentially spy on sensitive on-screen data, highlighting broader concerns regarding side-channel vulnerabilities that arise from hardware data processing rather than software bugs. While Google has stated there is no evidence of exploitation currently, the existence of this attack suggests that malware could bypass traditional security measures. Google is working on additional fixes to limit misuse of the blur API and improve detection capabilities, but the underlying GPU.zip vulnerability remains unresolved. Users are advised to avoid untrusted apps and keep their devices updated, as more side-channel attacks similar to Pixnapping may emerge in the future.
AppWizard
October 15, 2025
Google has acknowledged a significant vulnerability affecting secure applications like Authenticator and Signal, caused by a technique called "Pixnapping." This vulnerability has been exploited on Google Pixel devices and Samsung Galaxy smartphones. It takes advantage of weaknesses in the Android operating system, particularly through the Android Intent system, allowing malicious apps to request sensitive information from targeted apps. The vulnerability enables the extraction of sensitive pixels, which can be accessed via another vulnerability known as GPU.zip. The research team that discovered Pixnapping demonstrated the exploit on multiple Google Pixel models (Pixel 9, Pixel 8, Pixel 7) and a Samsung Galaxy S25. Google was alerted to the issue in February 2025 and released a partial fix in its September security update. However, a workaround for the CVE-2025-48561 vulnerability remains undisclosed and unaddressed in the current update. Google plans to issue an additional patch in the December security update and has stated that there have been no confirmed real-world exploitations of the vulnerability.
AppWizard
October 14, 2025
Security researchers have revived a 12-year-old browser attack, now adapted for Android devices, called "Pixnapping," which allows malicious applications to extract pixel data from other apps or websites. The attack involves a malicious app opening a target application, such as Google Authenticator, and using timing tricks to infer displayed content by measuring rendering times based on specific pixels. This attack has been successfully demonstrated on devices including Google Pixel 6, 7, 8, and 9, and Samsung Galaxy S25, all running Android versions 13 to 16. Pixnapping does not require special manifest permissions, complicating detection. It can extract sensitive information from apps like Google Maps, Signal, and Venmo, and capture two-factor authentication codes from Google Authenticator. The mechanism enabling this attack is likely present across a broader range of devices, but the research does not provide specific defenses against it.
AppWizard
October 14, 2025
A new class of Android attacks called Pixnapping allows installed applications to monitor the content displayed by other apps without requesting permissions. This attack can capture sensitive information, including Gmail previews, Google Maps timelines, and two-factor authentication codes, by exploiting Android’s rendering APIs and a hardware side channel. Pixnapping operates by manipulating Android intents to funnel pixels from a target app into the system's rendering pipeline, using timing variations from GPU compression to recover text. The attack has been demonstrated on various devices, including Google Pixel models 6 through 9 and the Samsung Galaxy S25. In February 2025, the vulnerability was disclosed to Google, which assigned it CVE-2025-48561 and classified it as high risk. A patch was released in September, but a workaround was found, leading to ongoing collaboration with Google and Samsung for further fixes. Users are advised to maintain good app hygiene, avoid unknown APKs, and promptly install security updates. The researchers have not yet developed a universal mitigation app and advocate for platform-level fixes to address the vulnerabilities.