Security researchers have revealed a novel Android vulnerability, dubbed Pixnapping, that can surreptitiously exfiltrate sensitive on‑screen data — including two‑factor authentication (2FA) codes, messages and location timelines — without requesting any special permissions. The flaw, tracked as CVE‑2025‑48561, was demonstrated by teams from UC Berkeley, UC San Diego, Carnegie Mellon and the University of Washington on flagship devices such as the Google Pixel 10 and Samsung Galaxy S25 Ultra.
Pixnapping exploits a combination of Android APIs and a hardware timing side channel in the rendering pipeline. A malicious app can coerce a target application or webpage to render specific content (for example, a 2FA token or a message thread). It then probes mapped pixel coordinates and performs simple binary colour checks while measuring timing differences. By repeating this process across coordinates, the attack can reconstruct images and alphanumeric characters one pixel at a time. In demonstrations, researchers recovered protected content from Gmail, Google accounts, Google Authenticator, Google Maps, Signal and Venmo — and reportedly stole 2FA codes from Google Authenticator in under 30 seconds while remaining hidden from users.
The attack’s potency stems from two factors: modern Android devices’ graphics pipelines expose measurable timing behavior, and the attack requires no declared permissions, making it hard to detect with conventional app‑permission checks. Researchers warn that “anything that is visible when the target app is opened can be stolen” using this technique.
Google has responded by issuing a partial mitigation in the September Android security bulletin and plans an additional patch in the December bulletin to more fully address the issue. The company also stated it has no evidence of exploitation in the wild so far. Researchers, however, say they found workarounds that can bypass the initial mitigation, underscoring the need for comprehensive fixes.
For users, the immediate takeaways are precautionary: keep devices updated with the latest Android security releases, install apps only from trusted sources, and consider additional protections (such as hardware security features and careful handling of sensitive on‑screen data). As manufacturers and platform owners push patches, vigilance and prompt updates remain the best defence against emerging side‑channel threats like Pixnapping.