{"id":225691,"date":"2025-10-15T04:37:11","date_gmt":"2025-10-15T04:37:11","guid":{"rendered":"https:\/\/www.newsbeep.com\/us\/225691\/"},"modified":"2025-10-15T04:37:11","modified_gmt":"2025-10-15T04:37:11","slug":"new-android-pixnapping-attack-steals-mfa-codes-pixel-by-pixel","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/us\/225691\/","title":{"rendered":"New Android Pixnapping attack steals MFA codes pixel-by-pixel"},"content":{"rendered":"<p style=\"text-align:center\"><img loading=\"lazy\" decoding=\"async\" alt=\"New Android Pixnapping attack steals MFA codes pixel-by-pixel\" height=\"900\" src=\"https:\/\/www.newsbeep.com\/us\/wp-content\/uploads\/2025\/10\/Android_cracks.jpg\" width=\"1600\"\/><\/p>\n<p>A new side-channel attack called Pixnapping enables a malicious Android app with no permissions to extract sensitive data by stealing pixels displayed by applications or websites, and reconstructing them to derive the content.<\/p>\n<p>The content may include\u00a0sensitive private data like chat messages from secure communication apps like Signal, emails on Gmail, or two-factor authentication codes from Google Authenticator.<\/p>\n<p>The attack, devised and demonstrated by a team of\u00a0seven American university researchers, works on fully patched modern Android devices and can steal 2FA codes in less than 30 seconds.<\/p>\n<p>Google attempted to fix the problem (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-48561\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2025-48561<\/a>)\u00a0in the\u00a0<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-fixes-actively-exploited-android-flaws-in-september-update\/\" target=\"_blank\" rel=\"nofollow noopener\">September Android update<\/a>. 
However, researchers were able to bypass the mitigation\u00a0and an effective solution is expected in the December 2025 Android security update.<\/p>\n<p>How Pixnapping works<\/p>\n<p>The attack starts with a malicious app abusing Android\u2019s intents system to launch the target app or webpage,\u00a0so its window is submitted to the system\u2019s composition process (SurfaceFlinger), which is responsible for combining multiple windows when they are visible at the same time.<\/p>\n<p>In the next step, the malicious app maps the target pixels (for instance, the pixels forming the digit of a 2FA code) and determines through multiple graphical operations if they are white or non-white.<\/p>\n<p>Isolating each pixel is possible by opening what the researchers call a &#8216;masking activity&#8217;, which sits in the foreground, hiding the target app. Then the attacker makes the cover window &#8220;all\u00a0opaque white pixels except for the pixel at the attacker-chosen location which is set to be\u00a0transparent.&#8221;<\/p>\n<p>During the\u00a0Pixnapping attack, the isolated pixels are enlarged, leveraging a &#8220;quirk&#8221; in the way SurfaceFlinger implements blur that produces a stretch-like\u00a0effect.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"Blurred region stretched to fill a larger patch\" height=\"326\" src=\"https:\/\/www.newsbeep.com\/us\/wp-content\/uploads\/2025\/10\/blur.jpg\" width=\"519\"\/>Blurred 1&#215;1 sub-region stretched into a larger colored patch<br \/>Source: pixnapping.com<\/p>\n<p>After recovering all the victim pixels, an OCR-style technique is used to differentiate each character or digit.<\/p>\n<p>&#8220;Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to,&#8221; the researchers <a href=\"https:\/\/www.pixnapping.com\/\" target=\"_blank\" rel=\"nofollow noopener\">explain<\/a>.<\/p>\n<p>To steal the data, the researchers used the <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/modern-gpus-vulnerable-to-new-gpuzip-side-channel-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">GPU.zip side-channel attack<\/a>, which exploits graphical data compression in modern GPUs to leak visual information.<\/p>\n<p>Although the data leakage rate is relatively low, ranging from 0.6 to 2.1 pixels per second, optimizations demonstrated by the researchers show that 2FA codes or other sensitive data can be exfiltrated in less than 30 seconds.<\/p>\n<p>Impact on Android<\/p>\n<p>The researchers demonstrated Pixnapping on Google Pixel 6, 7, 8, and 9 devices, as well as Samsung Galaxy S25, running Android versions 13 through 16, and all of them were vulnerable to the new side-channel attack.<\/p>\n<p>Since the underlying mechanisms that make Pixnapping effective are found on older Android versions, it is likely that most Android devices and older OS versions are also vulnerable.<\/p>\n<p>The researchers analyzed nearly 100,000 Play Store apps, finding hundreds of thousands of invocable actions through Android intents, indicating that the attack is broadly applicable.<\/p>\n<p>The technical paper presents the following examples of data theft:<\/p>\n<p>Google Maps: Timeline entries occupy ~54,264\u201360,060 pixels; unoptimized recovery of an entry takes ~20\u201327 hours across devices.<br \/>\n\tVenmo: activities (profile, balance, transactions, statements) are openable via implicit intents; account-balance regions are ~7,473\u201311,352 pixels and leak in ~3\u20135 hours unoptimized.<br \/>\n\tGoogle Messages (SMS): explicit\/implicit intents can open conversations. Target regions are ~35,500\u201344,574 pixels; unoptimized recovery takes ~11\u201320 hours. The attack distinguishes sent vs received by testing blue vs non-blue or gray vs non-gray pixels.<br \/>\n\tSignal (private messages): implicit intents can open conversations. 
Target regions are ~95,760\u2013100,320 pixels; unoptimized recovery takes ~25\u201342 hours, and the attack worked even with <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/signal-now-blocks-microsoft-recall-screenshots-on-windows-11\/\" target=\"_blank\" rel=\"nofollow noopener\">Signal\u2019s Screen Security<\/a> enabled.<\/p>\n<p>Both Google and Samsung have committed to fixing the flaws before the end of the year, but no GPU chip vendor has announced patching plans for the GPU.zip\u00a0side-channel attack.<\/p>\n<p>While the original exploit method was mitigated in September, Google received an updated attack that demonstrated a bypass for the original fix. Google has developed a more thorough patch to be released with the Android security updates for December.<\/p>\n<p>Google says that leveraging this data leak technique requires specific data about the targeted device, which, as the researchers noted, leads to a low success rate.\u00a0Current verifications found no malicious apps on Google Play leveraging\u00a0the Pixnapping vulnerability.<\/p>\n",
"protected":false},"excerpt":{"rendered":"A new side-channel attack called Pixnapping enables a malicious Android app with no permissions to extract sensitive data&hellip;\n","protected":false},"author":2,"featured_media":225692,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41],"tags":[165,74],"class_list":{"0":"post-225691","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-mobile","8":"tag-mobile","9":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts\/225691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/comments?post=225691"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/posts\/225691\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/media\/225692"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/media?parent=225691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/categories?post=225691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/us\/wp-json\/wp\/v2\/tags?post=225691"}],"curies":[{"name":"wp","href":"https:\/\/a
pi.w.org\/{rel}","templated":true}]}}