Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines and other private data in less than 30 seconds.
The new attack, dubbed Pixnapping by the team of academic researchers who devised it, requires the victim to first install a malicious app on an Android phone or tablet. The app, which does not require system permissions, can effectively read the data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and could probably be adapted to other models with additional work. Google released mitigations last month, but researchers said a modified version of the attack works even when the update is installed.
How to take a screenshot
Pixnapping attacks begin when the malicious app invokes Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device’s screen. The malicious application then executes graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.
“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (for example, it has a secret key that is stored but never displayed on the screen), Pixnapping cannot steal that information.”
The new class of attack is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from major vendors. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, browsers blocked the attack by limiting their ability to open iframes, an HTML element that allows a website (in the case of GPU.zip, a malicious one) to embed the content of a site on a different domain.
