Android devices: What Pixnapping steals
Android devices are vulnerable to a pixel-stealing attack. Researchers call the technique Pixnapping. It can take two-factor authentication codes without app permissions. Therefore, users should treat the threat as urgent.
Who discovered it
A team of academics from multiple universities found the flaw. They published a detailed paper with proofs of concept. For example, the paper shows how an app can capture screen pixels. Their tests exposed real risk on several devices.
How the flaw steals 2FA without permissions
Pixnapping uses standard Android APIs to push pixels into the rendering pipeline. A malicious app then overlays semi-transparent screens to trigger graphical operations. Next, it measures timing and color side effects to infer pixel values. Therefore, the attacker can reconstruct text on screen, including 2FA codes. The app needs no special manifest permissions to perform these steps. However, the victim must install and open the malicious app first.
Technical details in plain terms
The attack builds on a GPU compression side channel called GPU.zip. Researchers showed how compressed pixels leak information during graphical effects. Combining that side channel with Android’s window blur API creates a reliable leak. The rogue app automates repeated reads to rebuild whole images. As a result, it can harvest code digits in under 30 seconds.
What the tests found
Researchers tested five devices running recent Android versions. They confirmed the method worked across those devices. Therefore, the flaw likely affects many devices with similar hardware and APIs. However, it is not yet proven on every model from all manufacturers.
Risks beyond 2FA
Pixnapping can reveal more than codes. For example, it can capture mapping timelines and private messages. It can also detect whether specific apps are installed. Consequently, attackers gain both content and profiling data, increasing privacy harm.
Vendor response and mitigations
A major vendor tracked the issue as CVE-2025-48561 and released a first patch. However, researchers later tweaked timing to bypass that mitigation. Therefore, the vendor prepared a second, broader fix. The vendor also noted it has not found evidence of real-world abuse so far.
How to prevent and respond
To reduce risk, avoid installing unknown apps and only use trusted app stores. Additionally, keep the system updated with every security bulletin. Organizations should apply mobile app hardening and runtime monitoring services. For example, implement app shielding and continuous mobile threat detection to block pixel-stealing attempts. Finally, use managed patching and real-time incident response to minimize exposure.
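Because the first patch was bypassed and a second fix followed, a fleet check should separate devices that have only the first patch from those that have the second fix. The triage below is an added example, not code from the researchers or the vendor; the two threshold dates are placeholders to replace with the patch levels from the vendor's bulletins, and the inventory is constructed.

```python
import re
from datetime import date

# PLACEHOLDERS, not real bulletin dates: set both from the vendor's bulletins
# for CVE-2025-48561 (first patch, then the broader second fix).
FIRST_PATCH_LEVEL = date(2000, 1, 1)
SECOND_FIX_LEVEL = date(2000, 4, 1)

# Constructed inventory: "serial<TAB>patch level", where the patch level is the
# value a device reports for the ro.build.version.security_patch property.
SAMPLE_INVENTORY = (
    "emu-0001\t1999-12-05\n"
    "emu-0002\t2000-01-01\n"
    "emu-0003\t2000-02-05\n"
    "emu-0004\t2000-04-01\n"
    "emu-0005\tunknown\n"
    "emu-0006\t2000-13-01\n"
)

_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def parse_level(text):
    """Return the patch level as a date, or None if missing or malformed."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13
        return None

def classify(level, first=FIRST_PATCH_LEVEL, second=SECOND_FIX_LEVEL):
    if level is None:
        return "unknown"           # cannot prove patched: treat as exposed
    if level >= second:
        return "second-fix"
    if level >= first:
        return "first-patch-only"  # the mitigation researchers bypassed
    return "unpatched"

def triage(inventory, first=FIRST_PATCH_LEVEL, second=SECOND_FIX_LEVEL):
    report = {}
    for line in inventory.splitlines():
        if line.strip():
            serial, _, raw = line.partition("\t")
            report[serial.strip()] = classify(parse_level(raw), first, second)
    return report

def needs_action(report):
    """Serials that lack the second fix, including unparseable entries."""
    return sorted(s for s, state in report.items() if state != "second-fix")
```

Devices reported as `first-patch-only` or `unknown` belong in the same remediation queue as `unpatched` ones.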

