New Pixnapping Attack Steals 2FA Codes From Google Authenticator Within 30 Seconds

Pixnapping is a novel class of side-channel attacks targeting Android devices that can covertly extract sensitive on-screen data, including two-factor authentication (2FA) codes from Google Authenticator, in under 30 seconds.

The exploit combines Android’s core APIs with a hardware vulnerability in graphics processing units (GPUs); it affects nearly all modern Android phones and requires no special permissions, the researchers reported at the ACM Conference on Computer and Communications Security (CCS 2025).

Demonstrated on Google Pixel models from 6 to 9 and the Samsung Galaxy S25 running Android 13 through 16, Pixnapping bypasses traditional browser protections to snoop on both web content and native apps.

The attack’s stealthy nature raises alarms for users relying on apps like Signal, Venmo, and Gmail, as it reconstructs displayed pixels pixel-by-pixel without alerting the victim.

Pixnapping Attack

Pixnapping exploits Android’s intent system, which allows apps to launch others seamlessly, combined with stacks of semi-transparent activities that overlay victim screens.

A malicious app initiates the assault by sending an intent to open a target app, such as Google Authenticator, then layers near-invisible windows to isolate specific pixels using masking techniques.

These overlays apply blur effects via SurfaceFlinger, Android’s composition engine, producing rendering-time variations that depend on pixel colors because of the GPU data-compression side channel known as “GPU.zip.”

On Google devices, the attack measures rendering delays from Mali GPU compression, where uniform (white) pixels compress faster than varied ones, leaking color information through VSync callbacks.

For Samsung’s Galaxy S25, a variant uses multiple blur regions with varying radii to amplify these discrepancies, achieving similar results despite hardware differences.

Researchers optimized the technique for ephemeral data like 2FA codes by adapting optical character recognition (OCR)-style probing, targeting just four key pixels per digit in Google Sans font to reconstruct codes before they expire.

(Figure: pixel stealing framework)

The attack’s reach extends beyond 2FA to private messages in Signal, bypassing its screen security, location histories in Google Maps, and transaction details in Venmo, exposing data never before vulnerable to pixel-stealing methods.

A survey of 96,783 Google Play apps revealed that every one of them has at least one exported activity that can be launched via an intent, while web analysis showed Pixnapping endangers 99.3% of top sites via Custom Tabs, far surpassing outdated iframe-based exploits.
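The exported activities counted in that survey are the entry points a third-party app can reach with an intent, so a developer's first defensive check is to know which of their own activities are exported. The following audit script is an added example, not code from the article or from the researchers; the manifest it parses is constructed here for illustration, and the rules it applies are the standard Android semantics for android:exported and intent filters.

```python
# Added example (not from the article or the Pixnapping researchers):
# list the activities in an AndroidManifest.xml that other apps can launch via an intent.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def exported_activities(manifest_xml: str):
    """Return (activity name, reason) pairs for activities reachable from other apps.

    Rules (Android's documented semantics for android:exported):
      - android:exported="true"  -> exported
      - android:exported="false" -> not exported
      - attribute absent         -> exported if the activity declares an <intent-filter>
        (Android 12+ requires the attribute in that case, so it is reported as a finding)
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for act in app.findall("activity") + app.findall("activity-alias"):
        name = _attr(act, "name")
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true":
            findings.append((name, "exported=true"))
        elif exported is None and has_filter:
            findings.append((name, "implicitly exported (intent-filter, no exported attr)"))
    return findings


# Constructed sample manifest: a launcher activity (exported, as in every app), a private
# activity that shows a code, and a share handler whose author forgot android:exported.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authdemo">
  <application android:label="AuthDemo">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShowCodeActivity" android:exported="false"/>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, reason in exported_activities(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

Running the script prints .MainActivity and .ShareActivity; .ShowCodeActivity is not listed because it is explicitly non-exported. The point of the audit is not that exported activities are wrong (the launcher activity has to be one) but that each one should be a deliberate decision, and that activities which render secrets should not be launchable by arbitrary callers.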

Google assigned CVE-2025-48561 a high-severity rating and patched Pixel devices in September 2025, though workarounds for the fix remain, and Samsung rated the issue low-severity because of its implementation complexity.

To mitigate the attack, experts recommend restricting transparent overlays via app allowlists, akin to the web’s frame-ancestors policy, and monitoring for unusual app behaviors.
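The frame-ancestors analogy is worth making concrete: on the web, a page's Content-Security-Policy names the origins allowed to embed it, and the browser refuses to render it inside anything else. The block below is an added example, not from the article or from Android; it implements a small evaluator for the real CSP frame-ancestors source list (scheme, host, wildcard-subdomain, 'self' and 'none' sources, without port matching) and then applies the same allowlist logic to package names under a hypothetical "overlay-ancestors" policy, which is invented here to illustrate the proposed mitigation and does not exist in Android.

```python
# Added example (not from the article): CSP frame-ancestors evaluation, and the same
# allowlist idea applied to which packages may stack windows over a protected activity.
from urllib.parse import urlsplit


def parse_directive(policy: str, name: str):
    """Return the source list for directive `name` in a CSP-style policy, or None if absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None


def _origin(url: str):
    """(scheme, host) of a URL; ports are ignored in this simplified evaluator."""
    u = urlsplit(url)
    return u.scheme, u.hostname


def _match_source(src: str, embedder_url: str, page_url: str) -> bool:
    """Does one frame-ancestors source expression allow `embedder_url` to frame `page_url`?"""
    e_scheme, e_host = _origin(embedder_url)
    if src == "'none'":
        return False
    if src == "'self'":
        return (e_scheme, e_host) == _origin(page_url)
    if src == "*":
        return True
    if src.endswith(":"):                      # scheme-source, e.g. "https:"
        return e_scheme == src[:-1]
    # host-source, optionally with a scheme and a leading "*." wildcard
    src_scheme, src_host = src.split("://", 1) if "://" in src else (None, src)
    if src_scheme is not None and src_scheme != e_scheme:
        return False
    if src_host.startswith("*."):              # "*.trusted.example" matches subdomains only
        return e_host.endswith(src_host[1:])
    return e_host == src_host


def frame_ancestors_allows(policy: str, page_url: str, embedder_url: str) -> bool:
    """True if the page's policy permits `embedder_url` to frame it."""
    sources = parse_directive(policy, "frame-ancestors")
    if sources is None:
        return True                            # no directive: any site may frame the page
    return any(_match_source(s, embedder_url, page_url) for s in sources)


def overlay_allowed(policy: str, owner_pkg: str, overlay_pkg: str) -> bool:
    """Hypothetical per-app overlay allowlist with frame-ancestors semantics.

    `policy` is a string such as "overlay-ancestors 'self' com.example.launcher"; this
    directive is invented for illustration and is not an Android API.
    """
    sources = parse_directive(policy, "overlay-ancestors")
    if sources is None:
        return True                            # no policy: today's default, anyone may overlay
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and overlay_pkg == owner_pkg:
            return True
        if src == overlay_pkg:
            return True
    return False


if __name__ == "__main__":
    web = "frame-ancestors 'self' https://*.trusted.example"
    print(frame_ancestors_allows(web, "https://app.example/login", "https://evil.example"))
    app = "overlay-ancestors 'self'"
    print(overlay_allowed(app, "com.example.auth", "com.evil.overlay"))
```

Under the web policy, only the page's own origin and HTTPS subdomains of trusted.example may frame the login page; under the app policy, an authenticator that declares only 'self' would have every third-party translucent window rejected by the compositor, which is exactly the overlay stack the attack depends on.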

Users should update their devices promptly and scrutinize app installations, since the attack depends on a malicious app being installed, and this threat underscores the risks of Android’s layered UI.

| Affected Components | Description | Examples |
| --- | --- | --- |
| Devices | Modern Android phones with Mali or similar GPUs | Google Pixel 6-9, Samsung Galaxy S25 |
| Apps Targeted | Native and web apps displaying sensitive visuals | Google Authenticator (2FA), Signal (messages), Venmo (transactions), Gmail |
| Android Versions | Core mechanisms present in recent releases | 13-16 |

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.