A stealthy new Android attack has been confirmed that can steal two-factor authentication codes in almost no time at all, just 30 seconds flat, in fact. Here’s everything you need to know about the Pixnapping threat, including Google’s response. Spoiler alert: you’ll have to wait until December for Google to issue a security update.

The Pixnapping Android Attack Threat — What You Need To Know

Following a collaboration between security researchers from the University of California, Berkeley; the University of Washington; the University of California, San Diego; and Carnegie Mellon University, it has been confirmed that certain Google Pixel and Samsung Galaxy smartphones can be hacked using a Pixnapping attack that gobbles up 2FA codes in less than 30 seconds.

Although the researchers only tested the attack against specific Google Pixel and Samsung Galaxy phones, that doesn’t mean you are safe if you use a different smartphone. “The core mechanisms enabling the attack are typically available in all Android devices,” the researchers have warned.

So, what is Pixnapping? According to Christopher Fletcher, Pranav Gopalkrishnan, David Kohlbrenner, Riccardo Paccagnella, Hovav Shacham, Alan Wang and Yingchen Wang, the researchers behind the alert, Pixnapping induces “graphical operations on individual sensitive pixels rendered by the target app,” an app such as, say, Google Authenticator. Those pixels are then stolen, one by one, using a side-channel process. In simple terms, it effectively takes a screenshot without actually having to do so. Pixnapping targets the pixels in the part of the screen where Google Authenticator is known to render 2FA code responses, and meticulously recovers them to form the complete picture of your authentication code, in less than 30 seconds.

What is most worrying is that a Pixnapping attack can be executed by any running Android app, the researchers warned, “even if it does not have any Android permissions.” Things also look pretty bad when you consider that the Pixnapping research paper reveals that anything visible can be targeted by this attack, including chat and email messages.

On the positive flipside, secret information that is not displayed cannot be exfiltrated by the Pixnapping technique. And that’s not where the good news stops either: this attack requires the installation of a malicious app in the first place.

Which Android Devices Are At Risk?

Although, as already mentioned, almost any Android device could be impacted by a Pixnapping attack, the following smartphones were found to be vulnerable during the research:

Google Pixel 6
Google Pixel 7
Google Pixel 8
Google Pixel 9
Samsung Galaxy S25

The devices were running Android 13 to 16.

Google Responds To Android Pixnapping Attack Threat

A Google spokesperson, while stating that there have been no instances of Pixnapping evidenced as being exploited in the wild, confirmed that a September Android security patch for CVE-2025-48561 partially mitigates the impact of such an attack. “We are issuing an additional patch for this vulnerability in the December Android security bulletin,” the Google spokesperson added.