A team of researchers at Carnegie Mellon University has identified a new attack method that can allow malicious applications to steal sensitive data from Android devices.
Named Pixnapping, the attack has been demonstrated against Google and Samsung phones. Google has released one patch for the Android operating system and is working on an additional fix to protect devices against potential attacks.
To launch a Pixnapping attack, an attacker has to trick the targeted user into installing a malicious application on their Android phone. The malicious app does not need any Android permissions in order to conduct an attack.
According to the researchers, the attack begins with the malicious app invoking the application from which data will be stolen. It then induces graphical operations on pixels in the targeted app that are known to be associated with a region of the screen where sensitive data is typically displayed. The GPU side-channel attack named GPU.zip, which researchers disclosed back in 2023, is then used to steal the targeted pixels, one pixel at a time.
These operations occur in the background while the victim is viewing the malicious application.
“Pixnapping forces sensitive pixels into the rendering pipeline and overlays semi-transparent activities on top of those pixels via Android intents. To induce graphical operations on these pixels, our instantiations use Android’s window blur API. To measure rendering time, our instantiations use VSync callbacks,” the researchers explained.
“Conceptually, it’s as if the malicious app was taking a screenshot of screen contents it should not have access to,” they added.
The researchers successfully reproduced the attack on Pixel and Samsung phones, but they believe devices from other vendors are likely vulnerable as well. During their tests, they managed to recover sensitive data from websites such as Gmail and Google Accounts, as well as apps such as Venmo, Signal, Google Authenticator, and Google Maps.
The Pixnapping attack can be used to steal sensitive data such as 2FA codes, emails, and chat messages, but only information that is visible on the screen is vulnerable.
Many of the researchers’ tests targeted Google Authenticator, from which they managed to steal 2FA codes in under 30 seconds (the speed of the attack is important in this case as 2FA codes in Authenticator expire after 30 seconds). Google Authenticator makes for a good target because the position of the 2FA code on the screen is highly predictable, enabling its theft pixel by pixel.
However, during their tests the researchers achieved a success rate ranging between 29% and 73% on Pixel devices for the recovery of 2FA codes from the Google Authenticator app. On the Samsung Galaxy S25 they were unable to recover the codes within 30 seconds.
Google was informed about the vulnerability in February 2025. The CVE identifier CVE-2025-48561 was later assigned and a patch was rolled out with the Android updates released in September. The researchers have managed to bypass Google’s patch and the tech giant is now working on an additional fix that should become available in December.
Google told SecurityWeek that it has not seen any evidence of in-the-wild exploitation. The tech giant also noted that, based on its current detections, no malicious apps exploiting this vulnerability have been found on Google Play.