Researchers have identified a new attack method called Pixnapping that allows a malicious Android app to steal sensitive on-screen data, including two-factor authentication (2FA) codes, in under 30 seconds. The attack begins once a user installs a malicious application, which critically requires no special system permissions to execute its functions.

How Pixnapping Steals On-Screen Data

Pixnapping is a sophisticated side-channel attack that exploits a vulnerability related to the device’s GPU, similar to the previously discovered “GPU.zip” flaw. Instead of taking a prohibited screenshot, the malicious app invokes a target application, like Google Authenticator, to display sensitive information. It then performs graphical operations over the target app and measures the precise time it takes the GPU to render each individual pixel. By analyzing these tiny timing differences, the attacker can determine a pixel’s color, allowing them to reconstruct text and numbers without directly accessing the other app’s data.

Effectiveness and Mitigation

In lab tests, the attack successfully recovered full 6-digit 2FA codes on various Google Pixel phones with a success rate between 29% and 73%, all within the 30-second validity window. While researchers noted the attack was not effective on a Samsung Galaxy S25 device under the same time constraints, the proof-of-concept highlights a significant flaw in Android’s security model. In response, Google issued a partial patch for the vulnerability (CVE-2025-48561), but the researchers claim a modified attack can still bypass the fix. There is currently no evidence of Pixnapping being exploited in the wild.

Source: https://www.wired.com/story/a-new-attack-lets-hackers-steal-2-factor-authentication-codes-from-android-phones/