Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Android devices are vulnerable to a new attack that can secretly steal two-factor authentication codes, website timelines, and other private data in less than 30 seconds.
The new attack, which the team of academic researchers who designed it called Pixnapping, requires the victim to first install a malicious app on an Android phone or tablet. The application, which does not require system permissions, can effectively read the data that any other installed application displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 and will likely be modified to work on other models with additional work. Google issued mitigations last month, but researchers said a modified version of the attack worked even when the update was installed.
Pixnapping attacks start with a malicious app that calls Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device’s screen. The malicious application then runs graphics operations on individual pixels of interest to the attacker. Then Pixnapping exploits a side channel that allows the malicious application to map pixels at those coordinates to letters, numbers, or shapes.
“Anything that is visible when the target app is opened could be stolen by the malicious app using Pixnapping,” the researchers wrote in a blog post on an informational website. “Chat messages, two-factor authentication codes, emails, etc. are all vulnerable because they are visible. If an app contains confidential information that is not visible (for example, it has a secret key stored but never shown on screen), that information cannot be stolen by Pixnapping.”
The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read usernames, passwords, and other sensitive visual data displayed by other websites. It succeeded by exploiting existing side channels in GPUs from all major vendors. The vulnerabilities exploited by GPU.zip have never been patched. Instead, the attack is blocked in browsers by limiting their ability to open iframes, an HTML element that allows one website (in the case of GPU.zip, a malicious site) to embed the contents of a site from a different domain.
Pixnapping targets the same side channel as GPU.zip, specifically the exact amount of time it takes for a given frame to be displayed on the screen.