Android devices vulnerable to new ‘Pixnapping’ attack: Here’s all you need to know


Security researchers say they have devised a new technique to extract private data from apps installed on Android devices, including two-factor authentication (2FA) codes and location timelines, in under a minute.

Known as Pixnapping, the new hacking technique was used to successfully extract data from Google Pixel phones and the Samsung Galaxy S25. According to the researchers, from the University of California, the University of Washington, and Carnegie Mellon University, it can be modified further to target other devices running Android. The findings are detailed in a research paper titled ‘Pixnapping: Bringing Pixel Stealing out of the Stone Age’ published on Monday, October 13.

“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping. Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible,” the researchers wrote in a separate blog post.


“If an app has secret information that is not visible (eg, it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping,” they added. The Pixnapping paper not only contributes to the understanding of such attacks but also exposes the cracks in Google’s security and privacy safeguards, demonstrating that a malicious app might still be able to access another app’s sensitive data.

In response to the findings, Google said that it released updates to patch the vulnerability. “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation,” a Google spokesperson was quoted as saying by Ars Technica.

However, the researchers said that a modified version of the Pixnapping attack still works even after the update has been installed.
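For anyone managing Android devices, the patch timeline above can be turned into a quick triage of collected `getprop` dumps. The following is an added example, not code from the researchers or from Google; the cut-off dates (and the year 2025, inferred from the CVE ID), the device labels and the sample dumps are assumptions made for illustration, and the exact patch level that carries each fix should be confirmed against the bulletins.

```python
import re
from datetime import date

# Assumed cut-offs: first patch level of the bulletin months the article names.
# The year 2025 is inferred from the CVE ID; confirm against the bulletins.
PARTIAL_FIX = date(2025, 9, 1)      # September bulletin: partial mitigation
ADDITIONAL_FIX = date(2025, 12, 1)  # December bulletin: additional patch

# Matches one line of `adb shell getprop` output, e.g.
# [ro.build.version.security_patch]: [2025-09-05]
PROP_RE = re.compile(
    r"^\[ro\.build\.version\.security_patch\]:\s*\[(\d{4})-(\d{2})-(\d{2})\]\s*$",
    re.MULTILINE,
)

def patch_level(getprop_dump):
    """Return the security patch level as a date, or None if absent or malformed."""
    m = PROP_RE.search(getprop_dump)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. a month of 13
        return None

def classify(getprop_dump):
    """Place one device on the CVE-2025-48561 patch timeline."""
    level = patch_level(getprop_dump)
    if level is None:
        return "unknown"
    if level < PARTIAL_FIX:
        return "unpatched"
    if level < ADDITIONAL_FIX:
        return "partial-mitigation"
    return "additional-patch"

def triage(inventory):
    """Return (device, status) pairs, least-patched devices first."""
    order = ["unknown", "unpatched", "partial-mitigation", "additional-patch"]
    rows = [(name, classify(dump)) for name, dump in inventory.items()]
    return sorted(rows, key=lambda r: (order.index(r[1]), r[0]))

# Constructed sample dumps (hypothetical devices, not real data).
SAMPLE = {
    "pixel-a": "[ro.build.version.release]: [16]\n[ro.build.version.security_patch]: [2025-08-05]\n",
    "pixel-b": "[ro.build.version.security_patch]: [2025-09-05]\n",
    "galaxy-c": "[ro.build.version.security_patch]: [2025-12-01]\n",
    "tablet-d": "[ro.build.version.security_patch]: []\n",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE):
        print(f"{name:10} {status}")
```

Devices reported as `partial-mitigation` have only the September fix, which the researchers say a modified version of the attack still gets past.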

How it works

First, the victim has to install a malicious app on an Android phone or tablet. The malicious app will use Android APIs to make calls to the app that the attacker wants to snoop on. These calls can also be used to effectively scan an infected device for apps of interest that have been installed.


The API calls cause the targeted app to display specific data it has access to, such as a message thread in a messaging app or a 2FA code for a specific site. This information is then sent to the Android rendering pipeline, the system that takes each app’s pixels so they can be rendered on the screen.

In the next step, the hackers perform graphical operations on the individual pixels sent by the targeted app to the Android rendering pipeline. Then, they map the coordinates of the target pixels to letters, numbers, or shapes.

“Suppose, for example, [the attacker] wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator,” Alan Linghao Wang, lead author of the research paper, said.

“This pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Then, conceptually, the attacker wants to cause some graphical operations whose rendering time is long if the target victim pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the victim app that was opened in Step 1,” Wang was quoted as saying.


By measuring the time required at each coordinate and comparing the measurements, the attackers can rebuild the images sent to the rendering pipeline one pixel at a time, as per the research paper. “Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to,” Wang further said.

The Pixnapping technique is reportedly similar to another type of attack called GPU.zip that was uncovered in 2023. It involves exploiting side channels found in GPUs from major suppliers.




