A new attack codenamed Pixnapping could quietly extract 2FA codes, private messages, and location timelines from Android screens in under 30 seconds. Researchers say the malicious app used for the attack requires no system permissions, yet can read data that other apps display on screen.
The technique hinges on triggering targeted apps to reveal sensitive data, then reading that data by manipulating rendering across specific screen pixels and using a side-channel to translate those pixels into characters or digits. The researchers emphasize that content visible on the screen—such as chat messages or one-time codes—can be read, while information that never appears on-screen remains inaccessible.
Pixnapping has been demonstrated on Google Pixel devices and Samsung Galaxy S25 phones, with researchers noting that porting the method to other Android models would be possible with additional effort. Google has released mitigations in recent updates, but the study authors contend that a modified version can still work even on patched devices.
The attack is reminiscent of the GPU.zip side-channel from 2023, which exploited rendering pipelines to reveal sensitive visuals across websites. Unlike software sandbox fixes, these pixel- or frame-level side channels are difficult to eliminate completely, and browsers previously blocked related exploits by restricting iframe use.
For users, the takeaway is clear: avoid installing apps from untrusted sources, apply security updates promptly, and monitor for unusual authentication activity. Ongoing research aims to strengthen defenses against pixel-based data exfiltration.
