Android "Pixnapping" Flaw Lets Malicious Apps Steal 2FA Codes in Under 30 Seconds

Pixnapping flaw lets malicious Android apps steal authentication codes in 30 seconds—no special permissions needed.

A sophisticated new attack vector targeting Android devices can covertly steal two-factor authentication codes, private messages, and location data—all without requiring any special permissions. Dubbed "Pixnapping," the vulnerability affects Google Pixel phones and Samsung Galaxy devices, potentially exposing millions of users to credential theft.

The attack, discovered by researchers from UC Berkeley, University of Washington, and Carnegie Mellon University, resurrects a 12-year-old browser-based technique but adapts it for the Android ecosystem. Unlike traditional malware, a Pixnapping-enabled app doesn't need permission to access your camera, storage, or SMS—making it virtually undetectable during installation.

"Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to," explains Alan Linghao Wang, lead researcher on the project. The attack works by exploiting how Android renders graphics on screen, measuring minute timing differences in GPU processing to reconstruct sensitive visual data pixel by pixel.

How the Attack Works

Pixnapping operates in three coordinated steps. First, the malicious app uses Android's Intent system (a mechanism apps use to communicate) to trigger the target app—whether it's Google Authenticator, Signal, or Gmail—causing it to display sensitive information. 

Second, the attacker app layers transparent activities over the victim app and performs graphical operations on specific pixel coordinates. Finally, it measures rendering times to determine pixel colors, effectively rebuilding images one dot at a time.

The technique exploits GPU.zip, a side channel in graphics processors that creates data-dependent compression ratios, which translate to measurable timing differences. This vulnerability affects GPUs from all major suppliers and remains unpatched at the hardware level.

In demonstrations, researchers successfully extracted complete 6-digit 2FA codes from Google Authenticator in 14-25 seconds, with success rates ranging from 29% to 73% across different Pixel models. They also recovered private Signal messages, Gmail inbox contents, Google Maps location history, and Venmo financial data.

Widespread Impact

A survey of one million websites revealed that while only 0.2% remain vulnerable to traditional browser-based pixel stealing attacks, 100% are susceptible when accessed through Android browsers. The research team successfully demonstrated attacks against Google Accounts, Gmail, and Perplexity AI—all protected against conventional iframe-based attacks.

Google assigned the vulnerability CVE-2025-48561 and released a partial mitigation in September 2024. However, researchers discovered a workaround that bypasses this patch. A more comprehensive fix is scheduled for December's security bulletin.

"We have not seen any evidence of in-the-wild exploitation," a Google spokesperson confirmed, adding that Play Store detection mechanisms haven't identified any malicious apps using this technique.

Users should ensure their devices receive December's Android security update and remain vigilant about installing apps only from trusted sources. While implementing Pixnapping requires significant technical expertise, its permission-free nature makes it a concerning addition to the mobile threat landscape.