New “Pixnapping” Attack Lets Android Apps Steal 2FA Codes in 30 Seconds – Even Without Permissions

Researchers have discovered a serious Android vulnerability called Pixnapping, which allows malicious apps to steal sensitive on-screen data—like Google Authenticator codes, Signal messages, Venmo financial info, and Gmail emails—in under 30 seconds, without needing any special permissions.

The attack was developed by academics from the University of California (Berkeley and San Diego), the University of Washington, and Carnegie Mellon University. They tested it on Google Pixel 6, 7, 8, and 9 devices, and on the Samsung Galaxy S25.
While it worked on the Pixel phones—though not always with 100% accuracy—it failed on the Galaxy S25 due to “significant noise” in its display system.

How Pixnapping Works

Pixnapping sidesteps Android’s permission model: the malicious app requests no permissions, so users see no warnings when installing it. Once active, it can capture anything visible on the screen, including messages, emails, authentication codes, and other sensitive data.

The attack works by manipulating Android’s rendering system to push pixel-level information through the device’s graphics operations. By measuring tiny timing differences, the attacker can gradually reconstruct what’s on the screen.
It uses Android’s window blur API and vertical sync callbacks to extract precise pixel data, which can then be processed through optical character recognition (OCR) to recover the displayed text or numbers—like 2FA codes.

The researchers compared it to taking screenshots invisibly, without triggering Android’s built-in screenshot detection systems.

Linked to GPU.zip Vulnerability

Pixnapping exploits a graphics processor side-channel flaw called GPU.zip, first documented in 2023. GPU.zip allows apps to infer what’s happening on the GPU by observing rendering time variations—similar to how Spectre and Meltdown exploited CPUs.

As of now, no GPU vendor has committed to patching GPU.zip.

Google’s Response

Google rated Pixnapping as a “high-severity” vulnerability in April 2025, following its disclosure in February. The company issued a partial fix on September 2, limiting how many times an app could trigger blur effects.
However, researchers bypassed that fix within two days, and their workaround—also classified as high severity—remains under embargo until Google rolls out further patches in December’s Android security update.

Additionally, Google has not yet addressed a related issue that allows malicious apps to detect what other apps are installed on a device, potentially creating detailed user profiles.

What Users Can Do

For now, researchers say there’s no foolproof way for individual apps to defend against Pixnapping. They recommend that Android users install system updates as soon as they’re released.
In the long term, Android may need to restrict transparency layering or hide sensitive visuals when such operations occur.

Broader Implications

Pixnapping proves that even without any permissions, a cleverly designed attack can still breach Android’s security model through legitimate system APIs.
Researchers haven’t yet confirmed whether similar methods could affect Apple’s iOS or other platforms.

They plan to release the Pixnapping source code on GitHub once Android receives comprehensive patches.

The vulnerability has been assigned CVE-2025-48561 in the Common Vulnerabilities and Exposures (CVE) database.

Pixnapping was inspired by a 2013 paper, “Pixel Perfect Timing Attacks with HTML5” by British researcher Paul Stone, which explored similar pixel-level data leaks through web browsers.


Control F5 Team
Blog Editor