
A research team has discovered a new and dangerous attack method on Android devices that can secretly exfiltrate sensitive information displayed by any app or website, including 2FA codes, private messages, location timelines, and more. The researchers have named this flow-based attack Pixnapping, and it is tracked as CVE-2025-48561.
The research team, which included researchers from UC Berkeley, UC San Diego, Carnegie Mellon, and the University of Washington, has demonstrated the vulnerability on high-end smartphones like the Google Pixel 10 and Samsung Galaxy S25 Ultra. Researchers explained that Pixnapping uses a combination of hardware side-channels and Android's rendering APIs, allowing a malicious app to read pixel-level signals being rendered on the screen and extract sensitive data from services like Gmail, Google Authenticator, Google Maps, Signal, and Venmo.
Ars Technica covered this work. Google stated that a partial patch was released in the September Android Security Bulletin, and another patch is planned for December. However, researchers have demonstrated a workaround that allows the attack to function even with some patches installed.
What is Pixnapping and how does it work?
Pixnapping is performed in three steps. First, the malicious app activates the target app by calling Android APIs, or scans the apps installed on the device. Next, it examines the targeted pixels by performing graphical operations on the pixels passed to the rendering pipeline. Finally, it reconstructs the image pixel by pixel by measuring the time spent on each coordinate, potentially stealing any information displayed to the user.
Impact and Prevention
According to the report, Google has so far provided initial solutions and advises developers and users to closely monitor untrusted apps and promptly install OS updates when available. Additionally, users are advised to continue reviewing Play Protect and app permissions and, where possible, to implement multi-factor and hardware-based security for sensitive applications.
Disclaimer: This content has been sourced and edited from NDTV India. While we have made modifications for clarity and presentation, the original content belongs to its respective authors and website. We do not claim ownership of the content.