New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions
Summary
Researchers from Berkeley, Washington, UC San Diego and Carnegie Mellon have discovered “Pixnapping” — a pixel‑stealing side‑channel attack that lets malicious Android apps exfiltrate sensitive on‑screen data (including 2FA codes and Google Maps timelines) without needing special permissions. The technique abuses Android intents, semi‑transparent activity stacks and the window blur API together with a GPU compression timing side‑channel (building on earlier GPU.zip research) to reconstruct pixels from victim apps. The team demonstrated the attack on Google and Samsung devices running Android 13–16, claiming codes can be captured in under 30 seconds.
Google has assigned CVE-2025-48561 (CVSS 5.5) and shipped partial mitigations in the September 2025 security bulletin, with a further patch scheduled for December 2025. Google says there is no evidence of in‑the‑wild exploitation so far. The researchers also showed Pixnapping can be used to enumerate installed apps, and that the app‑list bypass remains unpatched (marked “won’t fix”).
Key Points
- Pixnapping is a pixel‑stealing framework that reconstructs on‑screen pixels via a GPU timing side‑channel combined with Android UI tricks.
- It can extract 2FA codes and other sensitive visual content from non‑browser apps (e.g., Google Authenticator) without requiring special app permissions.
- The attack manipulates Android intents and overlays semi‑transparent activities, then measures blur/compression timing to infer pixel colours.
- Researchers tested the method on multiple Google and Samsung devices running Android 13–16; the underlying technique exists across Android devices.
- Google issued a partial fix in September 2025 (CVE-2025-48561) and plans an additional patch in December; no confirmed real‑world sightings yet.
- Pixnapping can also be abused to detect whether arbitrary apps are installed, bypassing Android’s package‑visibility restrictions — this remains unpatched and marked “won’t fix.”
Why should I read this?
Short version: your phone could leak codes even to apps that ask for nothing. If you rely on 2FA and keep random apps on your device, this is one to know about — patches are rolling but not complete, and the attack sidesteps normal permission checks. Read it so you can patch, tidy up installed apps and be less trusting of anything you just installed on a whim.
Context and Relevance
Pixnapping sits at the intersection of two rising trends: sophisticated hardware side‑channels (GPU compression/timing) and increasingly permissive app‑layer interactions on mobile. It underlines that UI and rendering pipelines are a viable data‑leak vector alongside the more familiar network and storage ones. For security teams and users this means fast patching, minimising installed or unknown apps, and advocating for platform changes that let sensitive apps opt out of being layered into other apps’ rendering pipelines. The discovery also emphasises that relying on permissions alone as a security boundary is insufficient against side‑channel threats.
Source
Source: https://thehackernews.com/2025/10/new-pixnapping-android-flaw-lets-rogue.html
